Received: by 2002:a05:6a11:4021:0:0:0:0 with SMTP id ky33csp1838265pxb; Thu, 16 Sep 2021 17:26:57 -0700 (PDT) X-Google-Smtp-Source: ABdhPJxJtMBvJMUxiJhNpeHYHIw4kVqxIZfKvSSDXNCCOhjIN5q3FrLF3za6QZ1WBGgORD7o1+Kv X-Received: by 2002:a05:6602:20ce:: with SMTP id 14mr6227401ioz.204.1631838417420; Thu, 16 Sep 2021 17:26:57 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1631838417; cv=none; d=google.com; s=arc-20160816; b=lUHO7YQcForLG9zAcTuiGNvnu4ApSvL+SzbUKS8C0eVVrMjNRsAIPbdFxpSA5jCzFu 0A/zXk0e148kOuk8cay7sWO4CLlTVjPmgbfwS3PhuMawAewGh6gL2sf9gQgCxjXD2JPg zRkDe4zxqu2vCa0aHo2s8m4+vv8LWCOvEMWlaTZp+OvBeTlENlslB/AqMO6kf8Iu3rji tmd9Bls6C0HqEbqlBMu1OZDEy98KqffVeomDL3UFNhaoZ5dWhUqm6y15EBtHw9YOxdM6 MmvsSEua7LL/jM1WWa/49WAx3ck3Xr/iXV+x/4+2xyAw18yEfYXYGnjwxFxrmKq0CyYc FUJw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:user-agent:in-reply-to:content-disposition :mime-version:references:message-id:subject:cc:to:from:date :dkim-signature:dkim-signature; bh=7uWc/isEx7YjByDmQyGGHCRMkAHZN5mipQsQaZZJ1tQ=; b=DAVqAcavM+Ypab6Tt3aTB+jaLs7ORwvTGoSPh7YzEM5tdfG3OnE2qnxit1/+wDc9mR muOwFvSiiU6OMtB8IYYwHGiFRUg9a38mX2CD1242CdLbpn5T9Q/HIBRcLLR1de2m1Cm8 U7tAs3P6HqSZ9U4uBhHaJMMkcG2cOmzUFB3ewFcbC6hMz199eRfnGwvIlOej7vDvm6r+ X1lI0IfkhZdmxNJ5hI8hQu/2yTB5+0IEhzirTde0YWetcaeRxmKYrrOh7kwRjhS/xYpD FqQBQuEnxqgqIz9V8qacxSvoAasRhlDyRW70Kp5fsF20l8rRocwb7Gj4PXeOlODDKhom emRw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@suse.cz header.s=susede2_rsa header.b=dZt27ppR; dkim=neutral (no key) header.i=@suse.cz; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id z9si4395228ile.8.2021.09.16.17.26.30; Thu, 16 Sep 2021 17:26:57 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@suse.cz header.s=susede2_rsa header.b=dZt27ppR; dkim=neutral (no key) header.i=@suse.cz; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1348827AbhIPRDP (ORCPT + 99 others); Thu, 16 Sep 2021 13:03:15 -0400 Received: from smtp-out1.suse.de ([195.135.220.28]:45030 "EHLO smtp-out1.suse.de" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1346786AbhIPQ4J (ORCPT ); Thu, 16 Sep 2021 12:56:09 -0400 Received: from relay2.suse.de (relay2.suse.de [149.44.160.134]) by smtp-out1.suse.de (Postfix) with ESMTP id F11B3223DE; Thu, 16 Sep 2021 16:54:46 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=suse.cz; s=susede2_rsa; t=1631811286; h=from:from:reply-to:date:date:message-id:message-id:to:to:cc:cc: mime-version:mime-version:content-type:content-type: in-reply-to:in-reply-to:references:references; bh=7uWc/isEx7YjByDmQyGGHCRMkAHZN5mipQsQaZZJ1tQ=; b=dZt27ppRz5+oStbVdVf+IvLwTY4Ij8fKzYkeLEeIICxIOyIDaYOVbjrI4DRyDNTkjMZpSl MqKyWlrLNBpwko2YrCxMmdYRl75d6OYH2r9ib42izcddip67jy31ZnvsgtYuOAr7T53AY9 82hAn6gkSuvkix8AQGjQPK4eTe0A+Sc= DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=suse.cz; s=susede2_ed25519; t=1631811286; h=from:from:reply-to:date:date:message-id:message-id:to:to:cc:cc: mime-version:mime-version:content-type:content-type: in-reply-to:in-reply-to:references:references; bh=7uWc/isEx7YjByDmQyGGHCRMkAHZN5mipQsQaZZJ1tQ=; b=stBOAsR9XxN8BkXcdjRqq9UmN1RAth4b18G90tDbCy3uzoRflJP4HuI5s2gtKqOyrPJaQs Gqn4pJ9yFR596gCw== Received: from quack2.suse.cz (unknown [10.100.224.230]) by relay2.suse.de (Postfix) with ESMTP id C731DA42EE; Thu, 16 Sep 2021 16:54:46 +0000 (UTC) Received: by quack2.suse.cz (Postfix, from userid 1000) id A1B031E0C06; Thu, 16 Sep 2021 18:54:46 +0200 (CEST) Date: Thu, 16 Sep 2021 18:54:46 +0200 From: Jan Kara To: Vivek Goyal Cc: Jan Kara , viro@zeniv.linux.org.uk, Linux fsdevel mailing list , linux kernel mailing list , xu.xin16@zte.com.cn, Christoph Hellwig , zhang.yunkai@zte.com.cn Subject: Re: [PATCH] init/do_mounts.c: Harden split_fs_names() against buffer overflow Message-ID: <20210916165446.GK10610@quack2.suse.cz> References: <20210916110016.GG10610@quack2.suse.cz> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: User-Agent: Mutt/1.10.1 (2018-07-13) Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Thu 16-09-21 11:41:53, Vivek Goyal wrote: > On Thu, Sep 16, 2021 at 01:00:16PM +0200, Jan Kara wrote: > > On Wed 15-09-21 11:22:04, Vivek Goyal wrote: > > > split_fs_names() currently takes comma separated list of filesystems > > > and converts it into individual filesystem strings. Pleaces these > > > strings in the input buffer passed by caller and returns number of > > > strings. > > > > > > If caller manages to pass input string bigger than buffer, then we > > > can write beyond the buffer. Or if string just fits buffer, we will > > > still write beyond the buffer as we append a '\0' byte at the end. > > > > > > Will be nice to pass size of input buffer to split_fs_names() and > > > put enough checks in place so such buffer overrun possibilities > > > do not occur. > > > > > > Hence this patch adds "size" parameter to split_fs_names() and makes > > > sure we do not access memory beyond size. If input string "names" > > > is larger than passed in buffer, input string will be truncated to > > > fit in buffer. > > > > > > Reported-by: xu xin > > > Signed-off-by: Vivek Goyal > > > > The patch looks correct but IMO is more complicated than it needs to be... > > See below. > > > > > Index: redhat-linux/init/do_mounts.c > > > =================================================================== > > > --- redhat-linux.orig/init/do_mounts.c 2021-09-15 08:46:33.801689806 -0400 > > > +++ redhat-linux/init/do_mounts.c 2021-09-15 09:52:09.884449718 -0400 > > > @@ -338,19 +338,20 @@ __setup("rootflags=", root_data_setup); > > > __setup("rootfstype=", fs_names_setup); > > > __setup("rootdelay=", root_delay_setup); > > > > > > -static int __init split_fs_names(char *page, char *names) > > > +static int __init split_fs_names(char *page, size_t size, char *names) > > > { > > > int count = 0; > > > - char *p = page; > > > + char *p = page, *end = page + size - 1; > > > + > > > + strncpy(p, root_fs_names, size); > > > > Why not strlcpy()? That way you don't have to explicitely terminate the > > string... > > Sure, will use strlcpy(). > > > > > > + *end = '\0'; > > > > > > - strcpy(p, root_fs_names); > > > while (*p++) { > > > if (p[-1] == ',') > > > p[-1] = '\0'; > > > } > > > - *p = '\0'; > > > > > > - for (p = page; *p; p += strlen(p)+1) > > > + for (p = page; p < end && *p; p += strlen(p)+1) > > > count++; > > > > And I kind of fail to see why you have a separate loop for counting number > > of elements when you could count them directly when changing ',' to '\0'. > > There's this small subtlety that e.g. string 'foo,,bar' will report to have > > only 1 element with the above code while direct computation would return 3 > > but that's hardly problem IMHO. > > Ok, will make this change. One side affect of this change will be that now > split_fs_names() can return zero sized strings and caller will have > to check for those and skip to next string. Or we can just abort the loop early and don't bother with converting further ',' if 0-length strings are indeed any problem. Honza -- Jan Kara SUSE Labs, CR