| Message ID | 20220215171017.1247291-1-keescook@chromium.org (mailing list archive) |
|---|---|
| State | Mainlined |
| Commit | 3bc93c7bded0cf361e58af160e9b23996c10a1a1 |
| Headers | show |
| Series | comedi: drivers: ni_routes: Use strcmp() instead of memcmp() | expand |
On 15/02/2022 17:10, Kees Cook wrote: > The family and device comparisons were using memcmp(), but this could > lead to Out-of-bounds reads when the length was larger than the > buffers being compared. Since these appear to always be NUL-terminated > strings, just use strcmp() instead. > > This was found with Clang under LTO: > > [ 92.405851][ T1] kernel BUG at lib/string_helpers.c:980! > ... > [ 92.409141][ T1] RIP: 0010:fortify_panic (fbdev.c:?) > ... > [ 92.410056][ T1] ni_assign_device_routes (fbdev.c:?) > [ 92.410056][ T1] ? unittest_enter (fbdev.c:?) > [ 92.410056][ T1] ni_routes_unittest (ni_routes_test.c:?) > [ 92.410056][ T1] ? unittest_enter (fbdev.c:?) > [ 92.410056][ T1] __initstub__kmod_ni_routes_test__505_604_ni_routes_unittest6 (fbdev.c:?) > [ 92.410056][ T1] do_one_initcall (fbdev.c:?) > > Cc: Ian Abbott <abbotti@mev.co.uk> > Cc: H Hartley Sweeten <hsweeten@visionengravers.com> > Cc: Spencer E. Olson <olsonse@umich.edu> > Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org> > Cc: Masahiro Yamada <masahiroy@kernel.org> > Cc: Lee Jones <lee.jones@linaro.org> > Reported-by: kernel test robot <oliver.sang@intel.com> > Link: https://lore.kernel.org/lkml/20220210072821.GD4074@xsang-OptiPlex-9020 > Fixes: 4bb90c87abbe ("staging: comedi: add interface to ni routing table information") > Signed-off-by: Kees Cook <keescook@chromium.org> > --- > drivers/comedi/drivers/ni_routes.c | 6 ++---- > 1 file changed, 2 insertions(+), 4 deletions(-) > > diff --git a/drivers/comedi/drivers/ni_routes.c b/drivers/comedi/drivers/ni_routes.c > index f24eeb464eba..295a3a9ee0c9 100644 > --- a/drivers/comedi/drivers/ni_routes.c > +++ b/drivers/comedi/drivers/ni_routes.c > @@ -56,8 +56,7 @@ static const u8 *ni_find_route_values(const char *device_family) > int i; > > for (i = 0; ni_all_route_values[i]; ++i) { > - if (memcmp(ni_all_route_values[i]->family, device_family, > - strnlen(device_family, 30)) == 0) { > + if (!strcmp(ni_all_route_values[i]->family, device_family)) { > rv = &ni_all_route_values[i]->register_values[0][0]; > break; > } > @@ -75,8 +74,7 @@ ni_find_valid_routes(const char *board_name) > int i; > > for (i = 0; ni_device_routes_list[i]; ++i) { > - if (memcmp(ni_device_routes_list[i]->device, board_name, > - strnlen(board_name, 30)) == 0) { > + if (!strcmp(ni_device_routes_list[i]->device, board_name)) { > dr = ni_device_routes_list[i]; > break; > } Looks good, thanks! I'm not sure why the tests used memcmp() like that. Indeed, all the strings are statically allocated and null-terminated. Reviewed-by: Ian Abbott <abbotti@mev.co.uk>
On Wed, Feb 16, 2022 at 8:03 AM Ian Abbott <abbotti@mev.co.uk> wrote: > > On 15/02/2022 17:10, Kees Cook wrote: > > The family and device comparisons were using memcmp(), but this could > > lead to Out-of-bounds reads when the length was larger than the > > buffers being compared. Since these appear to always be NUL-terminated > > strings, just use strcmp() instead. > > > > This was found with Clang under LTO: > > > > [ 92.405851][ T1] kernel BUG at lib/string_helpers.c:980! > > ... > > [ 92.409141][ T1] RIP: 0010:fortify_panic (fbdev.c:?) > > ... > > [ 92.410056][ T1] ni_assign_device_routes (fbdev.c:?) > > [ 92.410056][ T1] ? unittest_enter (fbdev.c:?) > > [ 92.410056][ T1] ni_routes_unittest (ni_routes_test.c:?) > > [ 92.410056][ T1] ? unittest_enter (fbdev.c:?) > > [ 92.410056][ T1] __initstub__kmod_ni_routes_test__505_604_ni_routes_unittest6 (fbdev.c:?) > > [ 92.410056][ T1] do_one_initcall (fbdev.c:?) > > > > Cc: Ian Abbott <abbotti@mev.co.uk> > > Cc: H Hartley Sweeten <hsweeten@visionengravers.com> > > Cc: Spencer E. Olson <olsonse@umich.edu> > > Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org> > > Cc: Masahiro Yamada <masahiroy@kernel.org> > > Cc: Lee Jones <lee.jones@linaro.org> > > Reported-by: kernel test robot <oliver.sang@intel.com> > > Link: https://lore.kernel.org/lkml/20220210072821.GD4074@xsang-OptiPlex-9020 > > Fixes: 4bb90c87abbe ("staging: comedi: add interface to ni routing table information") > > Signed-off-by: Kees Cook <keescook@chromium.org> > > --- > > drivers/comedi/drivers/ni_routes.c | 6 ++---- > > 1 file changed, 2 insertions(+), 4 deletions(-) > > > > diff --git a/drivers/comedi/drivers/ni_routes.c b/drivers/comedi/drivers/ni_routes.c > > index f24eeb464eba..295a3a9ee0c9 100644 > > --- a/drivers/comedi/drivers/ni_routes.c > > +++ b/drivers/comedi/drivers/ni_routes.c > > @@ -56,8 +56,7 @@ static const u8 *ni_find_route_values(const char *device_family) > > int i; > > > > for (i = 0; ni_all_route_values[i]; ++i) { > > - if (memcmp(ni_all_route_values[i]->family, device_family, > > - strnlen(device_family, 30)) == 0) { > > + if (!strcmp(ni_all_route_values[i]->family, device_family)) { > > rv = &ni_all_route_values[i]->register_values[0][0]; > > break; > > } > > @@ -75,8 +74,7 @@ ni_find_valid_routes(const char *board_name) > > int i; > > > > for (i = 0; ni_device_routes_list[i]; ++i) { > > - if (memcmp(ni_device_routes_list[i]->device, board_name, > > - strnlen(board_name, 30)) == 0) { > > + if (!strcmp(ni_device_routes_list[i]->device, board_name)) { > > dr = ni_device_routes_list[i]; > > break; > > } > > Looks good, thanks! I'm not sure why the tests used memcmp() like that. > Indeed, all the strings are statically allocated and null-terminated. > > Reviewed-by: Ian Abbott <abbotti@mev.co.uk> > > -- > -=( Ian Abbott <abbotti@mev.co.uk> || MEV Ltd. is a company )=- > -=( registered in England & Wales. Regd. number: 02862268. )=- > -=( Regd. addr.: S11 & 12 Building 67, Europa Business Park, )=- > -=( Bird Hall Lane, STOCKPORT, SK3 0XA, UK. || www.mev.co.uk )=- I was probably just being paranoid when I wrote that. Spencer
diff --git a/drivers/comedi/drivers/ni_routes.c b/drivers/comedi/drivers/ni_routes.c index f24eeb464eba..295a3a9ee0c9 100644 --- a/drivers/comedi/drivers/ni_routes.c +++ b/drivers/comedi/drivers/ni_routes.c @@ -56,8 +56,7 @@ static const u8 *ni_find_route_values(const char *device_family) int i; for (i = 0; ni_all_route_values[i]; ++i) { - if (memcmp(ni_all_route_values[i]->family, device_family, - strnlen(device_family, 30)) == 0) { + if (!strcmp(ni_all_route_values[i]->family, device_family)) { rv = &ni_all_route_values[i]->register_values[0][0]; break; } @@ -75,8 +74,7 @@ ni_find_valid_routes(const char *board_name) int i; for (i = 0; ni_device_routes_list[i]; ++i) { - if (memcmp(ni_device_routes_list[i]->device, board_name, - strnlen(board_name, 30)) == 0) { + if (!strcmp(ni_device_routes_list[i]->device, board_name)) { dr = ni_device_routes_list[i]; break; }
The family and device comparisons were using memcmp(), but this could lead to Out-of-bounds reads when the length was larger than the buffers being compared. Since these appear to always be NUL-terminated strings, just use strcmp() instead. This was found with Clang under LTO: [ 92.405851][ T1] kernel BUG at lib/string_helpers.c:980! ... [ 92.409141][ T1] RIP: 0010:fortify_panic (fbdev.c:?) ... [ 92.410056][ T1] ni_assign_device_routes (fbdev.c:?) [ 92.410056][ T1] ? unittest_enter (fbdev.c:?) [ 92.410056][ T1] ni_routes_unittest (ni_routes_test.c:?) [ 92.410056][ T1] ? unittest_enter (fbdev.c:?) [ 92.410056][ T1] __initstub__kmod_ni_routes_test__505_604_ni_routes_unittest6 (fbdev.c:?) [ 92.410056][ T1] do_one_initcall (fbdev.c:?) Cc: Ian Abbott <abbotti@mev.co.uk> Cc: H Hartley Sweeten <hsweeten@visionengravers.com> Cc: Spencer E. Olson <olsonse@umich.edu> Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Cc: Masahiro Yamada <masahiroy@kernel.org> Cc: Lee Jones <lee.jones@linaro.org> Reported-by: kernel test robot <oliver.sang@intel.com> Link: https://lore.kernel.org/lkml/20220210072821.GD4074@xsang-OptiPlex-9020 Fixes: 4bb90c87abbe ("staging: comedi: add interface to ni routing table information") Signed-off-by: Kees Cook <keescook@chromium.org> --- drivers/comedi/drivers/ni_routes.c | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-)