Received: by 2002:a05:6a11:4021:0:0:0:0 with SMTP id ky33csp1885604pxb; Thu, 16 Sep 2021 19:02:59 -0700 (PDT) X-Google-Smtp-Source: ABdhPJw0Dnp9k27YyQkXt54D/I0/cszgryDej20HAV3Y7J4n5dHgRh6SXDjFkfu0q+dp33UaE86H X-Received: by 2002:a5d:851a:: with SMTP id q26mr6561733ion.163.1631844179111; Thu, 16 Sep 2021 19:02:59 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1631844179; cv=none; d=google.com; s=arc-20160816; b=r5lpq6tUnWkli1A0gT7e0sEa34iB6SQBEOXecrttQV0bPZeIQEd6OXP6uM9KwOpm5L 8cWdjew2tAB+wouPB/bdM6ass0lMLNtOC0TSKOovqvImV9dox02XBTeWCahDBWSL3Iu4 QRKznBc1pPS+0wo99ubTOYWqCA5ALtSx2s4qtnlulhCaHTxYeEi/nghNv0G+ZcyfYV85 x/rZf7ifKiGYfcMlNAH0AsgOFygkF+mdfQnzqAVZD8XkKLC9NBrl05C5rT45xp+krbjg eXx/lvJ4JaniAYO0ziSUdQ0h6ep/Wx9fxsOlgc2NqxgchQ9RxRO4xThoGbeVizsGD7/Z kDAA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:in-reply-to:content-disposition:mime-version :references:message-id:subject:cc:to:from:date:dkim-signature; bh=ncR7qlB9WJNJLCC0iHy98tsLwSZxSL3zZGdZSp7Zg5E=; b=mglJG0U3CRya5nF76GJ9KGVClOiwuCsuyYlhkKFWc/q2E011XROWk/CrivzA3PyMPn 5xfkFns1hFVyAyuEMAO1OE4yfodhV+GSxaViHGwlgeXD9ZpzEFoCJzhoQjA7tm3n0830 NRBW+ft9uRoB1EqwQoYNNaLk5sEKaIZmevd5zL0O6l9/BEf1n2RApzQr0HGbLbj4fz+o TPM6Uuf3ZqZ3/QUpce0PgeDdNPUAe5FcBLuas7bxnJ/pN8xddDARqj5vN8qMD6XEzThq FII4jzturAmjy/iKPAUu6n0qGKqrL7CCyVSEjFWoW+9rQi+ydXJJN1CoZQCMzHNpTOKS uh2Q== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@redhat.com header.s=mimecast20190719 header.b="UImBS/Bi"; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=redhat.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id l4si4002934jaf.96.2021.09.16.19.02.46; Thu, 16 Sep 2021 19:02:59 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@redhat.com header.s=mimecast20190719 header.b="UImBS/Bi"; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=redhat.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1351570AbhIPRSZ (ORCPT + 99 others); Thu, 16 Sep 2021 13:18:25 -0400 Received: from us-smtp-delivery-124.mimecast.com ([216.205.24.124]:32856 "EHLO us-smtp-delivery-124.mimecast.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1345044AbhIPRK0 (ORCPT ); Thu, 16 Sep 2021 13:10:26 -0400 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1631812145; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: in-reply-to:in-reply-to:references:references; bh=ncR7qlB9WJNJLCC0iHy98tsLwSZxSL3zZGdZSp7Zg5E=; b=UImBS/BiOEO+1u1mlihxdsAwO/lSMT1xeWifS8FOqrw4nLdnGnXEc1nbK7A0IC38t8xsHb 0daibn03lbr671ghPRNuucN7cyDqP/k//HCIQNJryMTxeBadq0BzpVxNBLmWiA3uKiiXqy ujgqaAWDFkJ9aArRQONqaSBh7PGsOaE= Received: from mimecast-mx01.redhat.com (mimecast-mx01.redhat.com [209.132.183.4]) (Using TLS) by relay.mimecast.com with ESMTP id us-mta-345-mwYW3G7mMAauI7xkXyI7FQ-1; Thu, 16 Sep 2021 13:09:02 -0400 X-MC-Unique: mwYW3G7mMAauI7xkXyI7FQ-1 Received: from smtp.corp.redhat.com (int-mx08.intmail.prod.int.phx2.redhat.com [10.5.11.23]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mimecast-mx01.redhat.com (Postfix) with ESMTPS id 8B17D18D6A25; Thu, 16 Sep 2021 17:09:00 +0000 (UTC) Received: from horse.redhat.com (unknown [10.22.32.174]) by smtp.corp.redhat.com (Postfix) with ESMTP id 2087219C79; Thu, 16 Sep 2021 17:09:00 +0000 (UTC) Received: by horse.redhat.com (Postfix, from userid 10451) id AB24D220C99; Thu, 16 Sep 2021 13:08:59 -0400 (EDT) Date: Thu, 16 Sep 2021 13:08:59 -0400 From: Vivek Goyal To: Jan Kara Cc: viro@zeniv.linux.org.uk, Linux fsdevel mailing list , linux kernel mailing list , xu.xin16@zte.com.cn, Christoph Hellwig , zhang.yunkai@zte.com.cn Subject: Re: [PATCH] init/do_mounts.c: Harden split_fs_names() against buffer overflow Message-ID: References: <20210916110016.GG10610@quack2.suse.cz> <20210916165446.GK10610@quack2.suse.cz> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20210916165446.GK10610@quack2.suse.cz> X-Scanned-By: MIMEDefang 2.84 on 10.5.11.23 Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Thu, Sep 16, 2021 at 06:54:46PM +0200, Jan Kara wrote: > On Thu 16-09-21 11:41:53, Vivek Goyal wrote: > > On Thu, Sep 16, 2021 at 01:00:16PM +0200, Jan Kara wrote: > > > On Wed 15-09-21 11:22:04, Vivek Goyal wrote: > > > > split_fs_names() currently takes comma separated list of filesystems > > > > and converts it into individual filesystem strings. Pleaces these > > > > strings in the input buffer passed by caller and returns number of > > > > strings. > > > > > > > > If caller manages to pass input string bigger than buffer, then we > > > > can write beyond the buffer. Or if string just fits buffer, we will > > > > still write beyond the buffer as we append a '\0' byte at the end. > > > > > > > > Will be nice to pass size of input buffer to split_fs_names() and > > > > put enough checks in place so such buffer overrun possibilities > > > > do not occur. > > > > > > > > Hence this patch adds "size" parameter to split_fs_names() and makes > > > > sure we do not access memory beyond size. If input string "names" > > > > is larger than passed in buffer, input string will be truncated to > > > > fit in buffer. > > > > > > > > Reported-by: xu xin > > > > Signed-off-by: Vivek Goyal > > > > > > The patch looks correct but IMO is more complicated than it needs to be... > > > See below. > > > > > > > Index: redhat-linux/init/do_mounts.c > > > > =================================================================== > > > > --- redhat-linux.orig/init/do_mounts.c 2021-09-15 08:46:33.801689806 -0400 > > > > +++ redhat-linux/init/do_mounts.c 2021-09-15 09:52:09.884449718 -0400 > > > > @@ -338,19 +338,20 @@ __setup("rootflags=", root_data_setup); > > > > __setup("rootfstype=", fs_names_setup); > > > > __setup("rootdelay=", root_delay_setup); > > > > > > > > -static int __init split_fs_names(char *page, char *names) > > > > +static int __init split_fs_names(char *page, size_t size, char *names) > > > > { > > > > int count = 0; > > > > - char *p = page; > > > > + char *p = page, *end = page + size - 1; > > > > + > > > > + strncpy(p, root_fs_names, size); > > > > > > Why not strlcpy()? That way you don't have to explicitely terminate the > > > string... > > > > Sure, will use strlcpy(). > > > > > > > > > + *end = '\0'; > > > > > > > > - strcpy(p, root_fs_names); > > > > while (*p++) { > > > > if (p[-1] == ',') > > > > p[-1] = '\0'; > > > > } > > > > - *p = '\0'; > > > > > > > > - for (p = page; *p; p += strlen(p)+1) > > > > + for (p = page; p < end && *p; p += strlen(p)+1) > > > > count++; > > > > > > And I kind of fail to see why you have a separate loop for counting number > > > of elements when you could count them directly when changing ',' to '\0'. > > > There's this small subtlety that e.g. string 'foo,,bar' will report to have > > > only 1 element with the above code while direct computation would return 3 > > > but that's hardly problem IMHO. > > > > Ok, will make this change. One side affect of this change will be that now > > split_fs_names() can return zero sized strings and caller will have > > to check for those and skip to next string. > > Or we can just abort the loop early and don't bother with converting > further ',' if 0-length strings are indeed any problem. There are only two callers of split_fs_names(). So changing them for zero sized strings was trivial (patch v2). So I peronally don't mind supporting "rootfstype=xfs,,ext4" if there is an accidental extra ',' in there. Vivek