| Message ID | 20231018180709.work.293-kees@kernel.org (mailing list archive) |
|---|---|
| State | Mainlined |
| Commit | 0e108725f6cc5b3be9e607f89c9fbcbb236367b7 |
| Headers | show |
| Series | string: Adjust strtomem_pad() logic to allow for smaller sources | expand |
On Wed, Oct 18, 2023, at 20:07, Kees Cook wrote: > Arnd noticed we have a case where a shorter source string is being copied > into a destination byte array, but this results in a strnlen() call that > exceeds the size of the source. This is seen with -Wstringop-overread: > > In file included from ../include/linux/uuid.h:11, > from ../include/linux/mod_devicetable.h:14, > from ../include/linux/cpufeature.h:12, > from ../arch/x86/coco/tdx/tdx.c:7: > ../arch/x86/coco/tdx/tdx.c: In function 'tdx_panic.constprop': > ../include/linux/string.h:284:9: error: 'strnlen' specified bound 64 > exceeds source size 60 [-Werror=stringop-overread] > 284 | memcpy_and_pad(dest, _dest_len, src, strnlen(src, > _dest_len), pad); \ > | > ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ > ../arch/x86/coco/tdx/tdx.c:124:9: note: in expansion of macro > 'strtomem_pad' > 124 | strtomem_pad(message.str, msg, '\0'); > | ^~~~~~~~~~~~ > > Use the smaller of the two buffer sizes when calling strnlen(). When > src length is unknown (SIZE_MAX), it will use dest length, which is what > the original code did. > > Reported-by: Arnd Bergmann <arnd@arndb.de> > Fixes: dfbafa70bde2 ("string: Introduce strtomem() and strtomem_pad()") > Cc: Andy Shevchenko <andy@kernel.org> > Cc: linux-hardening@vger.kernel.org > Signed-off-by: Kees Cook <keescook@chromium.org> Thanks for addressing this, looks good Tested-by: Arnd Bergmann <arnd@arndb.de>
diff --git a/include/linux/string.h b/include/linux/string.h index dbfc66400050..9e3cb6923b0e 100644 --- a/include/linux/string.h +++ b/include/linux/string.h @@ -277,10 +277,12 @@ void memcpy_and_pad(void *dest, size_t dest_len, const void *src, size_t count, */ #define strtomem_pad(dest, src, pad) do { \ const size_t _dest_len = __builtin_object_size(dest, 1); \ + const size_t _src_len = __builtin_object_size(src, 1); \ \ BUILD_BUG_ON(!__builtin_constant_p(_dest_len) || \ _dest_len == (size_t)-1); \ - memcpy_and_pad(dest, _dest_len, src, strnlen(src, _dest_len), pad); \ + memcpy_and_pad(dest, _dest_len, src, \ + strnlen(src, min(_src_len, _dest_len)), pad); \ } while (0) /** @@ -298,10 +300,11 @@ void memcpy_and_pad(void *dest, size_t dest_len, const void *src, size_t count, */ #define strtomem(dest, src) do { \ const size_t _dest_len = __builtin_object_size(dest, 1); \ + const size_t _src_len = __builtin_object_size(src, 1); \ \ BUILD_BUG_ON(!__builtin_constant_p(_dest_len) || \ _dest_len == (size_t)-1); \ - memcpy(dest, src, min(_dest_len, strnlen(src, _dest_len))); \ + memcpy(dest, src, strnlen(src, min(_src_len, _dest_len))); \ } while (0) /**
Arnd noticed we have a case where a shorter source string is being copied into a destination byte array, but this results in a strnlen() call that exceeds the size of the source. This is seen with -Wstringop-overread: In file included from ../include/linux/uuid.h:11, from ../include/linux/mod_devicetable.h:14, from ../include/linux/cpufeature.h:12, from ../arch/x86/coco/tdx/tdx.c:7: ../arch/x86/coco/tdx/tdx.c: In function 'tdx_panic.constprop': ../include/linux/string.h:284:9: error: 'strnlen' specified bound 64 exceeds source size 60 [-Werror=stringop-overread] 284 | memcpy_and_pad(dest, _dest_len, src, strnlen(src, _dest_len), pad); \ | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ../arch/x86/coco/tdx/tdx.c:124:9: note: in expansion of macro 'strtomem_pad' 124 | strtomem_pad(message.str, msg, '\0'); | ^~~~~~~~~~~~ Use the smaller of the two buffer sizes when calling strnlen(). When src length is unknown (SIZE_MAX), it will use dest length, which is what the original code did. Reported-by: Arnd Bergmann <arnd@arndb.de> Fixes: dfbafa70bde2 ("string: Introduce strtomem() and strtomem_pad()") Cc: Andy Shevchenko <andy@kernel.org> Cc: linux-hardening@vger.kernel.org Signed-off-by: Kees Cook <keescook@chromium.org> --- include/linux/string.h | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-)