Re: [PATCH] lib/string: avoid reading beyond src buffer in strscpy

2017-12-12 Thread Linus Torvalds
On Tue, Dec 12, 2017 at 8:06 AM, Andrey Ryabinin wrote: > > See for yourself, strscpy() is the only string function doing this. No, strnlen_user() definitely does too. It's just that KASAN doesn't track user pointers. And the important strlen() in the kernel is the pathname hashing code, which *

Re: [PATCH] lib/string: avoid reading beyond src buffer in strscpy

2017-12-12 Thread Andrey Ryabinin
On 12/12/2017 01:19 PM, David Laight wrote: > From: Andrey Ryabinin >> Sent: 11 December 2017 16:44 > ... >> I suppose that depends on which one strscpy() caller you'd want to test. >> Briefly looking at all current users, it doesn't look like they process huge >> amounts >> of data through strscp

RE: [PATCH] lib/string: avoid reading beyond src buffer in strscpy

2017-12-12 Thread David Laight
From: Andrey Ryabinin > Sent: 11 December 2017 16:44 ... > I suppose that depends on which one strscpy() caller you'd want to test. > Briefly looking at all current users, it doesn't look like they process huge > amounts > of data through strscpy(), thus we shouldn't suffer from a slight > perform

Re: [PATCH] lib/string: avoid reading beyond src buffer in strscpy

2017-12-11 Thread Andrey Ryabinin
On 12/08/2017 11:54 PM, Kees Cook wrote: > On Fri, Dec 8, 2017 at 7:29 AM, Dmitry Vyukov wrote: >> On Fri, Dec 8, 2017 at 4:29 PM, Andrey Ryabinin >> wrote: >>> >>> So, possible solutions are: >>> >>> 1) Simply disable word-at-a-time optimization in strscpy(). I seriously >>> doubt >>> that thi

Re: [PATCH] lib/string: avoid reading beyond src buffer in strscpy

2017-12-08 Thread Kees Cook
On Fri, Dec 8, 2017 at 7:29 AM, Dmitry Vyukov wrote: > On Fri, Dec 8, 2017 at 4:29 PM, Andrey Ryabinin > wrote: >> On 12/07/2017 09:26 PM, Kees Cook wrote: >>> On Thu, Dec 7, 2017 at 3:33 AM, Eryu Guan wrote: strscpy() tries to copy sizeof(unsigned long) bytes a time from src to dest

Re: [PATCH] lib/string: avoid reading beyond src buffer in strscpy

2017-12-08 Thread Dmitry Vyukov
On Fri, Dec 8, 2017 at 4:29 PM, Andrey Ryabinin wrote: > On 12/07/2017 09:26 PM, Kees Cook wrote: >> On Thu, Dec 7, 2017 at 3:33 AM, Eryu Guan wrote: >>> strscpy() tries to copy sizeof(unsigned long) bytes a time from src >>> to dest when possible, and stops the loop when 'max' is less than >>> s

Re: [PATCH] lib/string: avoid reading beyond src buffer in strscpy

2017-12-08 Thread Andrey Ryabinin
On 12/07/2017 09:26 PM, Kees Cook wrote: > On Thu, Dec 7, 2017 at 3:33 AM, Eryu Guan wrote: >> strscpy() tries to copy sizeof(unsigned long) bytes a time from src >> to dest when possible, and stops the loop when 'max' is less than >> sizeof(unsigned long). But it doesn't check if (src+res) goes b

Re: [PATCH] lib/string: avoid reading beyond src buffer in strscpy

2017-12-07 Thread Kees Cook
On Thu, Dec 7, 2017 at 3:33 AM, Eryu Guan wrote: > strscpy() tries to copy sizeof(unsigned long) bytes a time from src > to dest when possible, and stops the loop when 'max' is less than > sizeof(unsigned long). But it doesn't check if (src+res) goes beyond > src buffer and does out-of-bound acces