On Thu, Dec 7, 2017 at 3:33 AM, Eryu Guan <eg...@redhat.com> wrote: > strscpy() tries to copy sizeof(unsigned long) bytes a time from src > to dest when possible, and stops the loop when 'max' is less than > sizeof(unsigned long). But it doesn't check if (src+res) goes beyond > src buffer and does out-of-bound access to the underlying memory. > > KASAN reported global-out-of-bound bug when reading seccomp > actions_logged file in procfs: > > cat /proc/sys/kernel/seccomp/actions_logged > > Because seccomp_names_from_actions_logged() is copying short strings > (less than sizeof(unsigned long)) to buffer 'names'. e.g. > > ret = strscpy(names, " ", size);
This is a false positive: https://marc.info/?l=linux-kernel&m=150768944030805&w=2 Given that we keep getting these reports (this is the third), I wonder if can adjust the seccomp code to work around the bug in KASAN... > Fixed by capping the 'max' value according to the src buffer size, > to make sure we won't go beyond src buffer. > > Cc: Andrew Morton <a...@linux-foundation.org> > Cc: Chris Metcalf <cmetc...@ezchip.com> > Cc: Kees Cook <keesc...@chromium.org> > Signed-off-by: Eryu Guan <eg...@redhat.com> > --- > lib/string.c | 5 +++++ > 1 file changed, 5 insertions(+) > > diff --git a/lib/string.c b/lib/string.c > index 64a9e33f1daa..13a0147eea00 100644 > --- a/lib/string.c > +++ b/lib/string.c > @@ -179,6 +179,7 @@ ssize_t strscpy(char *dest, const char *src, size_t count) > { > const struct word_at_a_time constants = WORD_AT_A_TIME_CONSTANTS; > size_t max = count; > + size_t src_sz = strlen(src) + 1; NAK. The whole point of strscpy is to avoid over-reading the source (see the comments above the function): * Preferred to strlcpy() since the API doesn't require reading memory * from the src string beyond the specified "count" bytes, and since * the return value is easier to error-check than strlcpy()'s. -Kees -- Kees Cook Pixel Security
