ip: fix UB in strncpy (e.g. truncated ip route output)

Message ID	20230213032631.143810-1-sam@gentoo.org (mailing list archive)
State	Accepted
Commit	890c599ec2e8905e7b8a433be3646d5d34901810
Delegated to:	Stephen Hemminger
Headers	show Return-Path: <netdev-owner@vger.kernel.org> From: Sam James <sam@gentoo.org> To: sam@gentoo.org Cc: dwfreed@mtu.edu, freswa@archlinux.org, netdev@vger.kernel.org, stephen@networkplumber.org, toolchain@gentoo.org Subject: [PATCH] ip: fix UB in strncpy (e.g. truncated ip route output) Date: Mon, 13 Feb 2023 03:26:31 +0000 Message-Id: <20230213032631.143810-1-sam@gentoo.org> In-Reply-To: <0011AC38-4823-4D0A-8580-B108D08959C2@gentoo.org> References: <0011AC38-4823-4D0A-8580-B108D08959C2@gentoo.org> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Precedence: bulk
Series	ip: fix UB in strncpy (e.g. truncated ip route output) \| expand ip: fix UB in strncpy (e.g. truncated ip route output)

Message ID

20230213032631.143810-1-sam@gentoo.org (mailing list archive)

State

Accepted

Commit

890c599ec2e8905e7b8a433be3646d5d34901810

Delegated to:

Stephen Hemminger

Headers

show

Return-Path: <netdev-owner@vger.kernel.org>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from vger.kernel.org (vger.kernel.org [23.128.96.18])
	by smtp.lore.kernel.org (Postfix) with ESMTP id 6FE3BC05027
	for <netdev@archiver.kernel.org>; Mon, 13 Feb 2023 03:26:53 +0000 (UTC)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S229649AbjBMD0w (ORCPT <rfc822;netdev@archiver.kernel.org>);
        Sun, 12 Feb 2023 22:26:52 -0500
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:42324 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S229457AbjBMD0v (ORCPT
        <rfc822;netdev@vger.kernel.org>); Sun, 12 Feb 2023 22:26:51 -0500
Received: from smtp.gentoo.org (smtp.gentoo.org
 [IPv6:2001:470:ea4a:1:5054:ff:fec7:86e4])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 98B08EF82
        for <netdev@vger.kernel.org>; Sun, 12 Feb 2023 19:26:50 -0800 (PST)
From: Sam James <sam@gentoo.org>
To: sam@gentoo.org
Cc: dwfreed@mtu.edu, freswa@archlinux.org, netdev@vger.kernel.org,
        stephen@networkplumber.org, toolchain@gentoo.org
Subject: [PATCH] ip: fix UB in strncpy (e.g. truncated ip route output)
Date: Mon, 13 Feb 2023 03:26:31 +0000
Message-Id: <20230213032631.143810-1-sam@gentoo.org>
X-Mailer: git-send-email 2.39.1
In-Reply-To: <0011AC38-4823-4D0A-8580-B108D08959C2@gentoo.org>
References: <0011AC38-4823-4D0A-8580-B108D08959C2@gentoo.org>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Precedence: bulk
List-ID: <netdev.vger.kernel.org>
X-Mailing-List: netdev@vger.kernel.org

Series

ip: fix UB in strncpy (e.g. truncated ip route output) | expand

Context	Check	Description
netdev/tree_selection	success	Not a local patch

Context

Check

Description

netdev/tree_selection

success

Not a local patch

Commit Message

Sam James Feb. 13, 2023, 3:26 a.m. UTC

Fix overlapping buffers passed to strncpy which is UB. format_host_rta_r writes
to the buffer passed to it, so hostname (derived from b1) & b1 partly overlap.

This gets worse with sys-libs/glibc-2.37 where the ip route output can be truncated,
but it was UB anyway and you can see it occurring w/ glibc-2.36.

Bug: https://lore.kernel.org/netdev/0011AC38-4823-4D0A-8580-B108D08959C2@gentoo.org/T/#u
Bug: https://sourceware.org/bugzilla/show_bug.cgi?id=30112
Thanks-to: Doug Freed <dwfreed@mtu.edu>
Signed-off-by: Sam James <sam@gentoo.org>
---
 ip/iproute.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

Comments

patchwork-bot+netdevbpf@kernel.org Feb. 18, 2023, 1:50 a.m. UTC | #1

Hello:

This patch was applied to iproute2/iproute2.git (main)
by Stephen Hemminger <stephen@networkplumber.org>:

On Mon, 13 Feb 2023 03:26:31 +0000 you wrote:
> Fix overlapping buffers passed to strncpy which is UB. format_host_rta_r writes
> to the buffer passed to it, so hostname (derived from b1) & b1 partly overlap.
> 
> This gets worse with sys-libs/glibc-2.37 where the ip route output can be truncated,
> but it was UB anyway and you can see it occurring w/ glibc-2.36.
> 
> Bug: https://lore.kernel.org/netdev/0011AC38-4823-4D0A-8580-B108D08959C2@gentoo.org/T/#u
> Bug: https://sourceware.org/bugzilla/show_bug.cgi?id=30112
> Thanks-to: Doug Freed <dwfreed@mtu.edu>
> Signed-off-by: Sam James <sam@gentoo.org>
> 
> [...]

Here is the summary with links:
  - ip: fix UB in strncpy (e.g. truncated ip route output)
    https://git.kernel.org/pub/scm/network/iproute2/iproute2.git/commit/?id=890c599ec2e8

You are awesome, thank you!

diff --git a/ip/iproute.c b/ip/iproute.c
index 0bab0fdf..a7cd9543 100644
--- a/ip/iproute.c
+++ b/ip/iproute.c
@@ -748,6 +748,7 @@  int print_route(struct nlmsghdr *n, void *arg)
 	int ret;
 
 	SPRINT_BUF(b1);
+	SPRINT_BUF(b2);
 
 	if (n->nlmsg_type != RTM_NEWROUTE && n->nlmsg_type != RTM_DELROUTE) {
 		fprintf(stderr, "Not a route: %08x %08x %08x\n",
@@ -809,7 +810,7 @@  int print_route(struct nlmsghdr *n, void *arg)
 				 r->rtm_dst_len);
 		} else {
 			const char *hostname = format_host_rta_r(family, tb[RTA_DST],
-					  b1, sizeof(b1));
+					  b2, sizeof(b2));
 			if (hostname)
 				strncpy(b1, hostname, sizeof(b1) - 1);
 		}
@@ -832,7 +833,7 @@  int print_route(struct nlmsghdr *n, void *arg)
 				 r->rtm_src_len);
 		} else {
 			const char *hostname = format_host_rta_r(family, tb[RTA_SRC],
-					  b1, sizeof(b1));
+					  b2, sizeof(b2));
 			if (hostname)
 				strncpy(b1, hostname, sizeof(b1) - 1);
 		}

ip: fix UB in strncpy (e.g. truncated ip route output)

Checks

Commit Message

Comments

Patch