Received: by 2002:a05:6a11:4021:0:0:0:0 with SMTP id ky33csp1501848pxb; Thu, 16 Sep 2021 08:46:51 -0700 (PDT) X-Google-Smtp-Source: ABdhPJyQxi/TQSwalJDn2aV2TAi+P67pvLU/n+5A9hLg7Uiu48urObd1SjGzeX6r3ouXwtjHI4dl X-Received: by 2002:a17:906:a382:: with SMTP id k2mr7110971ejz.454.1631807211319; Thu, 16 Sep 2021 08:46:51 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1631807211; cv=none; d=google.com; s=arc-20160816; b=ZlCBbNSu0GNb4Am3jFqAiDz8JEPqtwmAep12JpT3kUtQ1RJBvNUMM1wQUOtg8ZCDU+ oT+v5vYi6z9AGT4IsJyEWvLahkm5RUOANLp0o9MV2lekspfi0LOxll1Aaak+BtLzBMFV AyEdrbQanyEGoTXxERED4pjgvxl9Rkfc+rFSSkSXjy/fcwbZNaGIBP2PTkok7yKsopKJ v0c3lWgoCS0Le+PZTFnwqefXdbt4h6tZKpAjphLVGoIgJm6kTNGUykoXCU5I5IZ0+9iB kGEEqK7+cCeRV5hYnEdXP6z1Urldg8Ma4voHW7tgoMVk/3iP73BdLapN95l4PRZtk8TS KmlA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:in-reply-to:content-disposition:mime-version :references:message-id:subject:cc:to:from:date:dkim-signature; bh=FVdU8EmOh/2b0GizTX/ZQQuKdsu7q9/FJbV1mrZGOtw=; b=Z4UERFYpgDRLlWI2kGHN8uXBiLC6V9nLxqYPkF71+AjdgDmGFWCdzfXIjHUI806YYn ktCutZoAmEuEvv7fbSPskkrvichZ3WKIpZ5MKQ+lF5i4oGNapl3IpJVk8eaXNLmSvU0k spSJzHlsglGdgcLjVRa6jVhnvTuNfzuh+yreeF2RVl6HgKCFK3M37GDKFolhYkOlkia4 mR9gg5ZJZyJ6Nx6obQwyOQ9loDjeuebMjG1IkZgLNN6THeiPEQcvdHP8lNWUgW0Hcy+/ i+Fi1m6AGBzGdJa9jV9cr1SUX3e43iw5GkPs5b2Jm5uHA6VaEGDfcjRHyMjFVJx1Ry1Q O5vw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@redhat.com header.s=mimecast20190719 header.b=hBliwgn3; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=redhat.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id p90si4187587edb.343.2021.09.16.08.46.27; Thu, 16 Sep 2021 08:46:51 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@redhat.com header.s=mimecast20190719 header.b=hBliwgn3; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=redhat.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S239169AbhIPPnj (ORCPT + 99 others); Thu, 16 Sep 2021 11:43:39 -0400 Received: from us-smtp-delivery-124.mimecast.com ([170.10.133.124]:41328 "EHLO us-smtp-delivery-124.mimecast.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S239178AbhIPPne (ORCPT ); Thu, 16 Sep 2021 11:43:34 -0400 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1631806933; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: in-reply-to:in-reply-to:references:references; bh=FVdU8EmOh/2b0GizTX/ZQQuKdsu7q9/FJbV1mrZGOtw=; b=hBliwgn39rTreMj1oCF3tc8BHqlPgjFJowj4Z/UCJupWRYxlBvWRVQannRBVhZhAU2Urpc yMLDz0Gj4htMlORYVoUqT2BGIh99grNSMSDEhu/6qz3BpgIGaAeD5ypKyr+3mlIA9UKMOf fNTp0eZuvrm0VLxnEIS4mliQm1XrCDc= Received: from mimecast-mx01.redhat.com (mimecast-mx01.redhat.com [209.132.183.4]) (Using TLS) by relay.mimecast.com with ESMTP id us-mta-92-UzdWZfhJOi6BbvqF1OKNCg-1; Thu, 16 Sep 2021 11:42:07 -0400 X-MC-Unique: UzdWZfhJOi6BbvqF1OKNCg-1 Received: from smtp.corp.redhat.com (int-mx07.intmail.prod.int.phx2.redhat.com [10.5.11.22]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mimecast-mx01.redhat.com (Postfix) with ESMTPS id A88561081B81; Thu, 16 Sep 2021 15:41:54 +0000 (UTC) Received: from horse.redhat.com (unknown [10.22.32.174]) by smtp.corp.redhat.com (Postfix) with ESMTP id 51201100164C; Thu, 16 Sep 2021 15:41:54 +0000 (UTC) Received: by horse.redhat.com (Postfix, from userid 10451) id E7EF4220C99; Thu, 16 Sep 2021 11:41:53 -0400 (EDT) Date: Thu, 16 Sep 2021 11:41:53 -0400 From: Vivek Goyal To: Jan Kara Cc: viro@zeniv.linux.org.uk, Linux fsdevel mailing list , linux kernel mailing list , xu.xin16@zte.com.cn, Christoph Hellwig , zhang.yunkai@zte.com.cn Subject: Re: [PATCH] init/do_mounts.c: Harden split_fs_names() against buffer overflow Message-ID: References: <20210916110016.GG10610@quack2.suse.cz> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20210916110016.GG10610@quack2.suse.cz> X-Scanned-By: MIMEDefang 2.84 on 10.5.11.22 Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Thu, Sep 16, 2021 at 01:00:16PM +0200, Jan Kara wrote: > On Wed 15-09-21 11:22:04, Vivek Goyal wrote: > > split_fs_names() currently takes comma separated list of filesystems > > and converts it into individual filesystem strings. Pleaces these > > strings in the input buffer passed by caller and returns number of > > strings. > > > > If caller manages to pass input string bigger than buffer, then we > > can write beyond the buffer. Or if string just fits buffer, we will > > still write beyond the buffer as we append a '\0' byte at the end. > > > > Will be nice to pass size of input buffer to split_fs_names() and > > put enough checks in place so such buffer overrun possibilities > > do not occur. > > > > Hence this patch adds "size" parameter to split_fs_names() and makes > > sure we do not access memory beyond size. If input string "names" > > is larger than passed in buffer, input string will be truncated to > > fit in buffer. > > > > Reported-by: xu xin > > Signed-off-by: Vivek Goyal > > The patch looks correct but IMO is more complicated than it needs to be... > See below. > > > Index: redhat-linux/init/do_mounts.c > > =================================================================== > > --- redhat-linux.orig/init/do_mounts.c 2021-09-15 08:46:33.801689806 -0400 > > +++ redhat-linux/init/do_mounts.c 2021-09-15 09:52:09.884449718 -0400 > > @@ -338,19 +338,20 @@ __setup("rootflags=", root_data_setup); > > __setup("rootfstype=", fs_names_setup); > > __setup("rootdelay=", root_delay_setup); > > > > -static int __init split_fs_names(char *page, char *names) > > +static int __init split_fs_names(char *page, size_t size, char *names) > > { > > int count = 0; > > - char *p = page; > > + char *p = page, *end = page + size - 1; > > + > > + strncpy(p, root_fs_names, size); > > Why not strlcpy()? That way you don't have to explicitely terminate the > string... Sure, will use strlcpy(). > > > + *end = '\0'; > > > > - strcpy(p, root_fs_names); > > while (*p++) { > > if (p[-1] == ',') > > p[-1] = '\0'; > > } > > - *p = '\0'; > > > > - for (p = page; *p; p += strlen(p)+1) > > + for (p = page; p < end && *p; p += strlen(p)+1) > > count++; > > And I kind of fail to see why you have a separate loop for counting number > of elements when you could count them directly when changing ',' to '\0'. > There's this small subtlety that e.g. string 'foo,,bar' will report to have > only 1 element with the above code while direct computation would return 3 > but that's hardly problem IMHO. Ok, will make this change. One side affect of this change will be that now split_fs_names() can return zero sized strings and caller will have to check for those and skip to next string. Vivek