Message ID | 20190219110957.5935-1-leon@kernel.org (mailing list archive) |
---|---|
State | Mainlined |
Commit | 1882ab867863531ab9caab81fd6ac5fee6d1a314 |
Delegated to: | Jason Gunthorpe |
Headers | show |
Series | [rdma-next] RDMA/iwcm: fix string truncation error | expand |
On Tue, Feb 19, 2019 at 01:09:57PM +0200, Leon Romanovsky wrote: > From: Leon Romanovsky <leonro@mellanox.com> > > The strlen() check at the beginning of iw_cm_map() ensures that devname > and ifname strings are less than destinations to which they are supposed > to be copied. Change strncpy() call to be strcpy(), because we are > protected from overflow. > > This fix the compilation warning below: > > In file included from ./include/linux/dma-mapping.h:6, > from drivers/infiniband/core/iwcm.c:38: > In function _strncpy_, > inlined from _iw_cm_map_ at drivers/infiniband/core/iwcm.c:519:2: > ./include/linux/string.h:253:9: warning: ___builtin_strncpy_ specified > bound 32 equals destination size [-Wstringop-truncation] > return __builtin_strncpy(p, q, size); > ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~ > > Fixes: d53ec8af56d5 ("RDMA/iwcm: Don't copy past the end of dev_name() string") > Signed-off-by: Leon Romanovsky <leonro@mellanox.com> > drivers/infiniband/core/iwcm.c | 6 +++--- > 1 file changed, 3 insertions(+), 3 deletions(-) > diff --git a/drivers/infiniband/core/iwcm.c b/drivers/infiniband/core/iwcm.c > index 350ea2bab78a..732637c913d9 100644 > +++ b/drivers/infiniband/core/iwcm.c > @@ -505,7 +505,7 @@ static int iw_cm_map(struct iw_cm_id *cm_id, bool active) > { > const char *devname = dev_name(&cm_id->device->dev); > const char *ifname = cm_id->device->iwcm->ifname; > - struct iwpm_dev_data pm_reg_msg; > + struct iwpm_dev_data pm_reg_msg = {}; Huh. This looks like a kernel stack data leak fix? The arrays in that struct are passed to ibl_put_attr at least. Lets remark about that in the commit message. Applied to for-next Jason
On Tue, Feb 19, 2019 at 03:18:37PM -0700, Jason Gunthorpe wrote: > On Tue, Feb 19, 2019 at 01:09:57PM +0200, Leon Romanovsky wrote: > > From: Leon Romanovsky <leonro@mellanox.com> > > > > The strlen() check at the beginning of iw_cm_map() ensures that devname > > and ifname strings are less than destinations to which they are supposed > > to be copied. Change strncpy() call to be strcpy(), because we are > > protected from overflow. > > > > This fix the compilation warning below: > > > > In file included from ./include/linux/dma-mapping.h:6, > > from drivers/infiniband/core/iwcm.c:38: > > In function _strncpy_, > > inlined from _iw_cm_map_ at drivers/infiniband/core/iwcm.c:519:2: > > ./include/linux/string.h:253:9: warning: ___builtin_strncpy_ specified > > bound 32 equals destination size [-Wstringop-truncation] > > return __builtin_strncpy(p, q, size); > > ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~ > > > > Fixes: d53ec8af56d5 ("RDMA/iwcm: Don't copy past the end of dev_name() string") > > Signed-off-by: Leon Romanovsky <leonro@mellanox.com> > > drivers/infiniband/core/iwcm.c | 6 +++--- > > 1 file changed, 3 insertions(+), 3 deletions(-) > > diff --git a/drivers/infiniband/core/iwcm.c b/drivers/infiniband/core/iwcm.c > > index 350ea2bab78a..732637c913d9 100644 > > +++ b/drivers/infiniband/core/iwcm.c > > @@ -505,7 +505,7 @@ static int iw_cm_map(struct iw_cm_id *cm_id, bool active) > > { > > const char *devname = dev_name(&cm_id->device->dev); > > const char *ifname = cm_id->device->iwcm->ifname; > > - struct iwpm_dev_data pm_reg_msg; > > + struct iwpm_dev_data pm_reg_msg = {}; > > Huh. This looks like a kernel stack data leak fix? The arrays in that > struct are passed to ibl_put_attr at least. I'm not sure about that, because those arrays are NULL-terminated, but I didn't invest time to look it more closely. > > Lets remark about that in the commit message. > > Applied to for-next > > Jason
diff --git a/drivers/infiniband/core/iwcm.c b/drivers/infiniband/core/iwcm.c index 350ea2bab78a..732637c913d9 100644 --- a/drivers/infiniband/core/iwcm.c +++ b/drivers/infiniband/core/iwcm.c @@ -505,7 +505,7 @@ static int iw_cm_map(struct iw_cm_id *cm_id, bool active) { const char *devname = dev_name(&cm_id->device->dev); const char *ifname = cm_id->device->iwcm->ifname; - struct iwpm_dev_data pm_reg_msg; + struct iwpm_dev_data pm_reg_msg = {}; struct iwpm_sa_data pm_msg; int status; @@ -516,8 +516,8 @@ static int iw_cm_map(struct iw_cm_id *cm_id, bool active) cm_id->m_local_addr = cm_id->local_addr; cm_id->m_remote_addr = cm_id->remote_addr; - strncpy(pm_reg_msg.dev_name, devname, sizeof(pm_reg_msg.dev_name)); - strncpy(pm_reg_msg.if_name, ifname, sizeof(pm_reg_msg.if_name)); + strcpy(pm_reg_msg.dev_name, devname); + strcpy(pm_reg_msg.if_name, ifname); if (iwpm_register_pid(&pm_reg_msg, RDMA_NL_IWCM) || !iwpm_valid_pid())