Re: [PATCH 10/17] delta: Fix buffer overrun in delta_ipc_open

From: Hugues FRUCHET
Date: Mon Apr 01 2019 - 09:40:10 EST


Hi Andi,

We have already discussed about that here:
https://lore.kernel.org/patchwork/patch/866406/

Now that strscpy is largely deployed within kernel, could you retest
with the change I suggested ?

Best regards,
Hugues.

On 3/21/19 11:00 PM, Andi Kleen wrote:
> From: Andi Kleen <ak@xxxxxxxxxxxxxxx>
>
> delta_ipc_open is always called with a single constant string
> as name, but it uses a longer memcpy to copy the string to
> a different structure. The memcpy would read outside the bounds
> of the string, potentially accessing unmapped memory.
>
> Just use strcpy instead after clearing the area.
>
> This fixes a build error with LTO, which can detect this.
>
> Cc: hugues.fruchet@xxxxxx
> Cc: mchehab@xxxxxxxxxxxxxxxx
> Fixes: 91c83f395fbe [media] st-delta: rpmsg ipc support
> Signed-off-by: Andi Kleen <ak@xxxxxxxxxxxxxxx>
> ---
> drivers/media/platform/sti/delta/delta-ipc.c | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/media/platform/sti/delta/delta-ipc.c b/drivers/media/platform/sti/delta/delta-ipc.c
> index a4603d573c34..bd1bbbeedec3 100644
> --- a/drivers/media/platform/sti/delta/delta-ipc.c
> +++ b/drivers/media/platform/sti/delta/delta-ipc.c
> @@ -175,8 +175,8 @@ int delta_ipc_open(struct delta_ctx *pctx, const char *name,
> msg.ipc_buf_size = ipc_buf_size;
> msg.ipc_buf_paddr = ctx->ipc_buf->paddr;
>
> - memcpy(msg.name, name, sizeof(msg.name));
> - msg.name[sizeof(msg.name) - 1] = 0;
> + memset(msg.name, 0, sizeof(msg.name));
> + strcpy(msg.name, name);
>
> msg.param_size = param->size;
> memcpy(ctx->ipc_buf->vaddr, param->data, msg.param_size);
>