From: Daniel Thompson
Date: Mon, 22 Apr 2024 17:35:54 +0100
Subject: [PATCH v2 1/7] kdb: Fix buffer overflow during tab-complete
X-Mailing-List: linux-kernel@vger.kernel.org
Message-Id: <20240422-kgdb_read_refactor-v2-1-ed51f7d145fe@linaro.org>
References: <20240422-kgdb_read_refactor-v2-0-ed51f7d145fe@linaro.org>
In-Reply-To: <20240422-kgdb_read_refactor-v2-0-ed51f7d145fe@linaro.org>
To: Jason Wessel, Douglas Anderson
Cc: kgdb-bugreport@lists.sourceforge.net, linux-kernel@vger.kernel.org, Daniel Thompson, Justin Stitt, stable@vger.kernel.org

Currently, when the user attempts symbol completion with the Tab key, kdb
will use strncpy() to insert the completed symbol into the command buffer.
Unfortunately, it passes the size of the source buffer rather than the
destination to strncpy() with predictably horrible results. Most obviously,
if the command buffer is already full but cp, the cursor position, is in
the middle of the buffer, then we will write past the end of the supplied
buffer.

Fix this by replacing the dubious strncpy() calls with memmove()/memcpy()
calls plus explicit boundary checks to make sure we have enough space
before we start moving characters around.

Reported-by: Justin Stitt
Closes: https://lore.kernel.org/all/CAFhGd8qESuuifuHsNjFPR-Va3P80bxrw+LqvC8deA8GziUJLpw@mail.gmail.com/
Cc: stable@vger.kernel.org
Signed-off-by: Daniel Thompson
---
 kernel/debug/kdb/kdb_io.c | 21 +++++++++++++--------
 1 file changed, 13 insertions(+), 8 deletions(-)

diff --git a/kernel/debug/kdb/kdb_io.c b/kernel/debug/kdb/kdb_io.c
index 9443bc63c5a24..06dfbccb10336 100644
--- a/kernel/debug/kdb/kdb_io.c
+++ b/kernel/debug/kdb/kdb_io.c
@@ -367,14 +367,19 @@ static char *kdb_read(char *buffer, size_t bufsize)
 			kdb_printf(kdb_prompt_str);
 			kdb_printf("%s", buffer);
 		} else if (tab != 2 && count > 0) {
-			len_tmp = strlen(p_tmp);
-			strncpy(p_tmp+len_tmp, cp, lastchar-cp+1);
-			len_tmp = strlen(p_tmp);
-			strncpy(cp, p_tmp+len, len_tmp-len + 1);
-			len = len_tmp - len;
-			kdb_printf("%s", cp);
-			cp += len;
-			lastchar += len;
+			/* How many new characters do we want from tmpbuffer? */
+			len_tmp = strlen(p_tmp) - len;
+			if (lastchar + len_tmp >= bufend)
+				len_tmp = bufend - lastchar;
+
+			if (len_tmp) {
+				/* + 1 ensures the '\0' is memmove'd */
+				memmove(cp+len_tmp, cp, (lastchar-cp) + 1);
+				memcpy(cp, p_tmp+len, len_tmp);
+				kdb_printf("%s", cp);
+				cp += len_tmp;
+				lastchar += len_tmp;
+			}
 		}
 		kdb_nextline = 1;	/* reset output line number */
 		break;
-- 
2.43.0
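Review bot: the clamp `if (lastchar + len_tmp >= bufend) len_tmp = bufend - lastchar;` lets `lastchar + len_tmp` end up equal to `bufend`, and the following `memmove(cp+len_tmp, cp, (lastchar-cp) + 1)` then writes the terminating '\0' at `bufend` itself, so the bound is only sound if `bufend` is a writable slot reserved for the terminator rather than one past the usable buffer; since the hunk does not show how `bufend` is defined, a one-line comment at the check stating that invariant (or a `>` comparison if `bufend` is exclusive) would let reviewers verify the bound from this hunk alone. The `/* + 1 ensures the '\0' is memmove'd */` comment is good; the same style of note on the truncation branch would also make it clear that a completion which does not fit is deliberately cut short rather than rejected.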