| Message ID | 20230808-net-netfilter-v1-1-efbbe4ec60af@google.com (mailing list archive) |
|---|---|
| State | Superseded |
| Headers | show |
| Series | netfilter: refactor deprecated strncpy | expand |
Justin Stitt <justinstitt@google.com> wrote: > Fixes several buffer overread bugs present in `ip_set_core.c` by using > `strscpy` over `strncpy`. > > Link: https://github.com/KSPP/linux/issues/90 > Cc: linux-hardening@vger.kernel.org > Signed-off-by: Justin Stitt <justinstitt@google.com> > > --- > There exists several potential buffer overread bugs here. These bugs > exist due to the fact that the destination and source strings may have > the same length which is equal to the max length `IPSET_MAXNAMELEN`. There is no truncation. Inputs are checked via nla_policy: [IPSET_ATTR_SETNAME2] = { .type = NLA_NUL_STRING, .len = IPSET_MAXNAMELEN - 1 },
On Wed, Aug 09, 2023 at 01:38:55AM +0200, Florian Westphal wrote: > Justin Stitt <justinstitt@google.com> wrote: > > Fixes several buffer overread bugs present in `ip_set_core.c` by using > > `strscpy` over `strncpy`. > > > > Link: https://github.com/KSPP/linux/issues/90 > > Cc: linux-hardening@vger.kernel.org > > Signed-off-by: Justin Stitt <justinstitt@google.com> > > > > --- > > There exists several potential buffer overread bugs here. These bugs > > exist due to the fact that the destination and source strings may have > > the same length which is equal to the max length `IPSET_MAXNAMELEN`. > > There is no truncation. Inputs are checked via nla_policy: > > [IPSET_ATTR_SETNAME2] = { .type = NLA_NUL_STRING, .len = IPSET_MAXNAMELEN - 1 }, Ah, perfect. Yeah, so if it needs to zero-padding, but it is always NUL-terminated, strscpy_pad() is the right replacement. Thanks!
diff --git a/net/netfilter/ipset/ip_set_core.c b/net/netfilter/ipset/ip_set_core.c index 0b68e2e2824e..fc77080d41a2 100644 --- a/net/netfilter/ipset/ip_set_core.c +++ b/net/netfilter/ipset/ip_set_core.c @@ -872,7 +872,7 @@ ip_set_name_byindex(struct net *net, ip_set_id_t index, char *name) BUG_ON(!set); read_lock_bh(&ip_set_ref_lock); - strncpy(name, set->name, IPSET_MAXNAMELEN); + strscpy(name, set->name, IPSET_MAXNAMELEN); read_unlock_bh(&ip_set_ref_lock); } EXPORT_SYMBOL_GPL(ip_set_name_byindex); @@ -1326,7 +1326,7 @@ static int ip_set_rename(struct sk_buff *skb, const struct nfnl_info *info, goto out; } } - strncpy(set->name, name2, IPSET_MAXNAMELEN); + strscpy(set->name, name2, IPSET_MAXNAMELEN); out: write_unlock_bh(&ip_set_ref_lock); @@ -1380,9 +1380,9 @@ static int ip_set_swap(struct sk_buff *skb, const struct nfnl_info *info, return -EBUSY; } - strncpy(from_name, from->name, IPSET_MAXNAMELEN); - strncpy(from->name, to->name, IPSET_MAXNAMELEN); - strncpy(to->name, from_name, IPSET_MAXNAMELEN); + strscpy(from_name, from->name, IPSET_MAXNAMELEN); + strscpy(from->name, to->name, IPSET_MAXNAMELEN); + strscpy(to->name, from_name, IPSET_MAXNAMELEN); swap(from->ref, to->ref); ip_set(inst, from_id) = to;
Fixes several buffer overread bugs present in `ip_set_core.c` by using `strscpy` over `strncpy`. Link: https://github.com/KSPP/linux/issues/90 Cc: linux-hardening@vger.kernel.org Signed-off-by: Justin Stitt <justinstitt@google.com> --- There exists several potential buffer overread bugs here. These bugs exist due to the fact that the destination and source strings may have the same length which is equal to the max length `IPSET_MAXNAMELEN`. Here's an example: | #define MAXLEN 5 | char dest[MAXLEN]; | const char *src = "hello"; | strncpy(dest, src, MAXLEN); // -> should use strscpy() | // dest is now not NUL-terminated Note: This patch means that truncation now happens silently (which is better than a silent bug) but perhaps we should have some assertions that fail when a truncation is imminent. Thoughts? --- net/netfilter/ipset/ip_set_core.c | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-)