| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 17 Apr 2024 10:35:47 -0700 From: Kees Cook <keescook@...omium.org> To: "Martin K . Petersen" <martin.petersen@...cle.com> Cc: Charles Bertsch <cbertsch@....net>, Justin Stitt <justinstitt@...gle.com>, Bart Van Assche <bvanassche@....org>, Andy Shevchenko <andy@...nel.org>, Sathya Prakash <sathya.prakash@...adcom.com>, Sreekanth Reddy <sreekanth.reddy@...adcom.com>, Suganath Prabu Subramani <suganath-prabu.subramani@...adcom.com>, "James E.J. Bottomley" <jejb@...ux.ibm.com>, Kashyap Desai <kashyap.desai@...adcom.com>, Sumit Saxena <sumit.saxena@...adcom.com>, Nilesh Javali <njavali@...vell.com>, Andrew Morton <akpm@...ux-foundation.org>, Himanshu Madhani <himanshu.madhani@...cle.com>, linux-kernel@...r.kernel.org, linux-hardening@...r.kernel.org, MPT-FusionLinux.pdl@...adcom.com, linux-scsi@...r.kernel.org, mpi3mr-linuxdrv.pdl@...adcom.com, GR-QLogic-Storage-Upstream@...vell.com Subject: Re: [PATCH 0/5] scsi: Avoid possible run-time warning with long manufacturer strings On Tue, Apr 09, 2024 at 07:31:49PM -0700, Kees Cook wrote: > Hi, > > Another code pattern using the gloriously ambiguous strncpy() function was > turning maybe not-NUL-terminated character arrays into NUL-terminated > strings. In these cases, when strncpy() is replaced with strscpy() > it creates a situation where if the non-terminated string takes up the > entire character array (i.e. it is not terminated) run-time warnings > from CONFIG_FORTIFY_SOURCE will trip, since strscpy() was expecting to > find a NUL-terminated source but checking for the NUL would walk off > the end of the source buffer. > > In doing an instrumented build of the kernel to find these cases, it > seems it was almost entirely a code pattern used in the SCSI subsystem, > so the creation of the new helper, memtostr(), can land via the SCSI > tree. And, as it turns out, inappropriate conversions have been happening > for several years now, some of which even moved through strlcpy() first > (and were never noticed either). > > This series fixes all 4 of the instances I could find in the SCSI > subsystem. Friendly ping. Can the SCSI tree pick this up, or should I take it through the hardening tree? Thanks! -Kees > > Thanks, > > -Kees > > Kees Cook (5): > string.h: Introduce memtostr() and memtostr_pad() > scsi: mptfusion: Avoid possible run-time warning with long > manufacturer strings > scsi: mpt3sas: Avoid possible run-time warning with long manufacturer > strings > scsi: mpi3mr: Avoid possible run-time warning with long manufacturer > strings > scsi: qla2xxx: Avoid possible run-time warning with long model_num > > drivers/message/fusion/mptsas.c | 14 +++---- > drivers/scsi/mpi3mr/mpi3mr_transport.c | 14 +++---- > drivers/scsi/mpt3sas/mpt3sas_base.c | 2 +- > drivers/scsi/mpt3sas/mpt3sas_transport.c | 14 +++---- > drivers/scsi/qla2xxx/qla_mr.c | 6 +-- > include/linux/string.h | 49 ++++++++++++++++++++++++ > lib/strscpy_kunit.c | 26 +++++++++++++ > 7 files changed, 93 insertions(+), 32 deletions(-) > > -- > 2.34.1 > -- Kees Cook
Powered by blists - more mailing lists