[PATCHv2] Fix range checks in kernfs_get_target_path

From: Bernd Edlinger
Date: Sat Jul 07 2018 - 05:46:25 EST


The strncpy causes a warning [-Wstringop-truncation] here,
which indicates that it never appends a NUL byte to the path.
The NUL byte is only there because the buffer is allocated
with kzalloc(PAGE_SIZE, GFP_KERNEL), but since the range-check
is also off-by-one, and PAGE_SIZE==PATH_MAX the returned string
will not be zero-terminated if it is exactly PATH_MAX characters.
Furthermore also the initial loop may theoretically exceed PATH_MAX
and cause a fault.

Signed-off-by: Bernd Edlinger <bernd.edlinger@xxxxxxxxxx>
---
fs/kernfs/symlink.c | 10 +++++++---
1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/fs/kernfs/symlink.c b/fs/kernfs/symlink.c
index 08ccabd..c8b7d44a 100644
--- a/fs/kernfs/symlink.c
+++ b/fs/kernfs/symlink.c
@@ -63,7 +63,10 @@ static int kernfs_get_target_path(struct kernfs_node
if (base == kn)
break;

- strcpy(s, "../");
+ if ((s - path) + 3 >= PATH_MAX)
+ return -ENAMETOOLONG;
+
+ memcpy(s, "../", 3);
s += 3;
base = base->parent;
}
@@ -79,16 +82,17 @@ static int kernfs_get_target_path(struct kernfs_node
if (len < 2)
return -EINVAL;
len--;
- if ((s - path) + len > PATH_MAX)
+ if ((s - path) + len >= PATH_MAX)
return -ENAMETOOLONG;

/* reverse fillup of target string from target to base */
kn = target;
+ s[len] = '\0';
while (kn->parent && kn != base) {
int slen = strlen(kn->name);

len -= slen;
- strncpy(s + len, kn->name, slen);
+ memcpy(s + len, kn->name, slen);
if (len)
s[--len] = '/';

--
1.9.1