| Message ID | 20230830215426.4181755-3-azeemshaikh38@gmail.com (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
| Series | ocfs2: Replace strlcpy with strscpy | expand |
On Wed, Aug 30, 2023 at 09:54:26PM +0000, Azeem Shaikh wrote: > strlcpy() reads the entire source buffer first. > This read may exceed the destination size limit. > This is both inefficient and can lead to linear read > overflows if a source string is not NUL-terminated [1]. > In an effort to remove strlcpy() completely [2], replace > strlcpy() here with strscpy(). > > Direct replacement is assumed to be safe here since > it's ok for `kernel_param_ops.get()` to return -errno [3]. > This changes the behavior such that instead of silently ignoring the > case when sizeof(@buffer) < DLMFS_CAPABILITIES, we now return error. Not super familiar with the semantics of `kernel_param_ops.get()` but do note that strscpy can only return -E2BIG and not -ERRNO specifically. Is this still OK? > > [1] https://www.kernel.org/doc/html/latest/process/deprecated.html#strlcpy > [2] https://github.com/KSPP/linux/issues/89 > [3] https://elixir.bootlin.com/linux/v6.5/source/include/linux/moduleparam.h#L52 > > Signed-off-by: Azeem Shaikh <azeemshaikh38@gmail.com> > --- > fs/ocfs2/dlmfs/dlmfs.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/fs/ocfs2/dlmfs/dlmfs.c b/fs/ocfs2/dlmfs/dlmfs.c > index 33e529de93b2..b001eccdd2f3 100644 > --- a/fs/ocfs2/dlmfs/dlmfs.c > +++ b/fs/ocfs2/dlmfs/dlmfs.c > @@ -80,7 +80,7 @@ static int param_set_dlmfs_capabilities(const char *val, > static int param_get_dlmfs_capabilities(char *buffer, > const struct kernel_param *kp) > { > - return strlcpy(buffer, DLMFS_CAPABILITIES, > + return strscpy(buffer, DLMFS_CAPABILITIES, > strlen(DLMFS_CAPABILITIES) + 1); > } > static const struct kernel_param_ops dlmfs_capabilities_ops = { > -- > 2.42.0.283.g2d96d420d3-goog >
On Wed, Aug 30, 2023 at 09:54:26PM +0000, Azeem Shaikh wrote: > strlcpy() reads the entire source buffer first. > This read may exceed the destination size limit. > This is both inefficient and can lead to linear read > overflows if a source string is not NUL-terminated [1]. > In an effort to remove strlcpy() completely [2], replace > strlcpy() here with strscpy(). > > Direct replacement is assumed to be safe here since > it's ok for `kernel_param_ops.get()` to return -errno [3]. > This changes the behavior such that instead of silently ignoring the > case when sizeof(@buffer) < DLMFS_CAPABILITIES, we now return error. > > [1] https://www.kernel.org/doc/html/latest/process/deprecated.html#strlcpy > [2] https://github.com/KSPP/linux/issues/89 > [3] https://elixir.bootlin.com/linux/v6.5/source/include/linux/moduleparam.h#L52 > > Signed-off-by: Azeem Shaikh <azeemshaikh38@gmail.com> > --- > fs/ocfs2/dlmfs/dlmfs.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/fs/ocfs2/dlmfs/dlmfs.c b/fs/ocfs2/dlmfs/dlmfs.c > index 33e529de93b2..b001eccdd2f3 100644 > --- a/fs/ocfs2/dlmfs/dlmfs.c > +++ b/fs/ocfs2/dlmfs/dlmfs.c > @@ -80,7 +80,7 @@ static int param_set_dlmfs_capabilities(const char *val, > static int param_get_dlmfs_capabilities(char *buffer, > const struct kernel_param *kp) > { > - return strlcpy(buffer, DLMFS_CAPABILITIES, > + return strscpy(buffer, DLMFS_CAPABILITIES, > strlen(DLMFS_CAPABILITIES) + 1); > } This is another case of "accidentally correct". param->get() is hooked here, in the sysfs "show" callback: static ssize_t param_attr_show(struct module_attribute *mattr, struct module_kobject *mk, char *buf) { int count; struct param_attribute *attribute = to_param_attr(mattr); if (!attribute->param->ops->get) return -EPERM; kernel_param_lock(mk->mod); count = attribute->param->ops->get(buf, attribute->param); kernel_param_unlock(mk->mod); return count; } Meaning ultimately this will show up here, if I'm reading names right: /sys/module/ocfs/parameters/dlmfs_capabilities Anyway, the "count" being returned would be quite bad if DLMFS_CAPABILITIES were dynamic and larger than PAGE_SIZE (the size of the sysfs buffer). For this case, I would say replace strlcpy with sysfs_emit: return sysfs_emit(buffer, DLMFS_CAPABILITIES); (Also, ew, existing code doesn't include a trailing "\n". Oh well.) -Kees
On Wed, Aug 30, 2023 at 7:06 PM Kees Cook <keescook@chromium.org> wrote: > > On Wed, Aug 30, 2023 at 09:54:26PM +0000, Azeem Shaikh wrote: > > strlcpy() reads the entire source buffer first. > > This read may exceed the destination size limit. > > This is both inefficient and can lead to linear read > > overflows if a source string is not NUL-terminated [1]. > > In an effort to remove strlcpy() completely [2], replace > > strlcpy() here with strscpy(). > > > > Direct replacement is assumed to be safe here since > > it's ok for `kernel_param_ops.get()` to return -errno [3]. > > This changes the behavior such that instead of silently ignoring the > > case when sizeof(@buffer) < DLMFS_CAPABILITIES, we now return error. > > > > [1] https://www.kernel.org/doc/html/latest/process/deprecated.html#strlcpy > > [2] https://github.com/KSPP/linux/issues/89 > > [3] https://elixir.bootlin.com/linux/v6.5/source/include/linux/moduleparam.h#L52 > > > > Signed-off-by: Azeem Shaikh <azeemshaikh38@gmail.com> > > --- > > fs/ocfs2/dlmfs/dlmfs.c | 2 +- > > 1 file changed, 1 insertion(+), 1 deletion(-) > > > > diff --git a/fs/ocfs2/dlmfs/dlmfs.c b/fs/ocfs2/dlmfs/dlmfs.c > > index 33e529de93b2..b001eccdd2f3 100644 > > --- a/fs/ocfs2/dlmfs/dlmfs.c > > +++ b/fs/ocfs2/dlmfs/dlmfs.c > > @@ -80,7 +80,7 @@ static int param_set_dlmfs_capabilities(const char *val, > > static int param_get_dlmfs_capabilities(char *buffer, > > const struct kernel_param *kp) > > { > > - return strlcpy(buffer, DLMFS_CAPABILITIES, > > + return strscpy(buffer, DLMFS_CAPABILITIES, > > strlen(DLMFS_CAPABILITIES) + 1); > > } > > This is another case of "accidentally correct". > > > param->get() is hooked here, in the sysfs "show" callback: > > static ssize_t param_attr_show(struct module_attribute *mattr, > struct module_kobject *mk, char *buf) > { > int count; > struct param_attribute *attribute = to_param_attr(mattr); > > if (!attribute->param->ops->get) > return -EPERM; > > kernel_param_lock(mk->mod); > count = attribute->param->ops->get(buf, attribute->param); > kernel_param_unlock(mk->mod); > return count; > } > > Meaning ultimately this will show up here, if I'm reading names right: > /sys/module/ocfs/parameters/dlmfs_capabilities > > Anyway, the "count" being returned would be quite bad if > DLMFS_CAPABILITIES were dynamic and larger than PAGE_SIZE (the size of > the sysfs buffer). > > For this case, I would say replace strlcpy with sysfs_emit: > > return sysfs_emit(buffer, DLMFS_CAPABILITIES); > Thanks, sending out a v2 for this. Out of curiosity - why sysfs_emit? Is it because DLMFS_CAPABILITIES is a hard-coded string?
On Thu, Aug 31, 2023 at 03:28:32PM -0400, Azeem Shaikh wrote: > On Wed, Aug 30, 2023 at 7:06 PM Kees Cook <keescook@chromium.org> wrote: > > > > On Wed, Aug 30, 2023 at 09:54:26PM +0000, Azeem Shaikh wrote: > > > strlcpy() reads the entire source buffer first. > > > This read may exceed the destination size limit. > > > This is both inefficient and can lead to linear read > > > overflows if a source string is not NUL-terminated [1]. > > > In an effort to remove strlcpy() completely [2], replace > > > strlcpy() here with strscpy(). > > > > > > Direct replacement is assumed to be safe here since > > > it's ok for `kernel_param_ops.get()` to return -errno [3]. > > > This changes the behavior such that instead of silently ignoring the > > > case when sizeof(@buffer) < DLMFS_CAPABILITIES, we now return error. > > > > > > [1] https://www.kernel.org/doc/html/latest/process/deprecated.html#strlcpy > > > [2] https://github.com/KSPP/linux/issues/89 > > > [3] https://elixir.bootlin.com/linux/v6.5/source/include/linux/moduleparam.h#L52 > > > > > > Signed-off-by: Azeem Shaikh <azeemshaikh38@gmail.com> > > > --- > > > fs/ocfs2/dlmfs/dlmfs.c | 2 +- > > > 1 file changed, 1 insertion(+), 1 deletion(-) > > > > > > diff --git a/fs/ocfs2/dlmfs/dlmfs.c b/fs/ocfs2/dlmfs/dlmfs.c > > > index 33e529de93b2..b001eccdd2f3 100644 > > > --- a/fs/ocfs2/dlmfs/dlmfs.c > > > +++ b/fs/ocfs2/dlmfs/dlmfs.c > > > @@ -80,7 +80,7 @@ static int param_set_dlmfs_capabilities(const char *val, > > > static int param_get_dlmfs_capabilities(char *buffer, > > > const struct kernel_param *kp) > > > { > > > - return strlcpy(buffer, DLMFS_CAPABILITIES, > > > + return strscpy(buffer, DLMFS_CAPABILITIES, > > > strlen(DLMFS_CAPABILITIES) + 1); > > > } > > > > This is another case of "accidentally correct". > > > > > > param->get() is hooked here, in the sysfs "show" callback: > > > > static ssize_t param_attr_show(struct module_attribute *mattr, > > struct module_kobject *mk, char *buf) > > { > > int count; > > struct param_attribute *attribute = to_param_attr(mattr); > > > > if (!attribute->param->ops->get) > > return -EPERM; > > > > kernel_param_lock(mk->mod); > > count = attribute->param->ops->get(buf, attribute->param); > > kernel_param_unlock(mk->mod); > > return count; > > } > > > > Meaning ultimately this will show up here, if I'm reading names right: > > /sys/module/ocfs/parameters/dlmfs_capabilities > > > > Anyway, the "count" being returned would be quite bad if > > DLMFS_CAPABILITIES were dynamic and larger than PAGE_SIZE (the size of > > the sysfs buffer). > > > > For this case, I would say replace strlcpy with sysfs_emit: > > > > return sysfs_emit(buffer, DLMFS_CAPABILITIES); > > > > Thanks, sending out a v2 for this. Out of curiosity - why sysfs_emit? > Is it because DLMFS_CAPABILITIES is a hard-coded string? It's basically that sysfs_emit() Does The Right Thing for these callbacks: it tracks the offset of the buffer and checks for buffer overflow. (All the sysfs callback work on a page-aligned page-sized buffer, and the API lacks any length info -- it's "understood" to be page-sized.) So, since this is doing a string copy into what is ultimately a sysfs buffer, it's best to use sysfs_emit().
diff --git a/fs/ocfs2/dlmfs/dlmfs.c b/fs/ocfs2/dlmfs/dlmfs.c index 33e529de93b2..b001eccdd2f3 100644 --- a/fs/ocfs2/dlmfs/dlmfs.c +++ b/fs/ocfs2/dlmfs/dlmfs.c @@ -80,7 +80,7 @@ static int param_set_dlmfs_capabilities(const char *val, static int param_get_dlmfs_capabilities(char *buffer, const struct kernel_param *kp) { - return strlcpy(buffer, DLMFS_CAPABILITIES, + return strscpy(buffer, DLMFS_CAPABILITIES, strlen(DLMFS_CAPABILITIES) + 1); } static const struct kernel_param_ops dlmfs_capabilities_ops = {
strlcpy() reads the entire source buffer first. This read may exceed the destination size limit. This is both inefficient and can lead to linear read overflows if a source string is not NUL-terminated [1]. In an effort to remove strlcpy() completely [2], replace strlcpy() here with strscpy(). Direct replacement is assumed to be safe here since it's ok for `kernel_param_ops.get()` to return -errno [3]. This changes the behavior such that instead of silently ignoring the case when sizeof(@buffer) < DLMFS_CAPABILITIES, we now return error. [1] https://www.kernel.org/doc/html/latest/process/deprecated.html#strlcpy [2] https://github.com/KSPP/linux/issues/89 [3] https://elixir.bootlin.com/linux/v6.5/source/include/linux/moduleparam.h#L52 Signed-off-by: Azeem Shaikh <azeemshaikh38@gmail.com> --- fs/ocfs2/dlmfs/dlmfs.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) -- 2.42.0.283.g2d96d420d3-goog