Re: [PATCH] arch: x86: ia32: ia32_aout.c: Cleaning up missing null-terminate in conjunction with strncpy
From: Mark D Rustad
Date: Sun Jul 27 2014 - 17:59:09 EST
Rickard,
On Jul 26, 2014, at 2:50 PM, Rickard Strandqvist <rickard_strandqvist@xxxxxxxxxxxxxxxxxx> wrote:
> Replacing strncpy with strlcpy to avoid strings that lacks null terminate.
> And use the sizeof on the to string rather than the from string.
>
> Signed-off-by: Rickard Strandqvist <rickard_strandqvist@xxxxxxxxxxxxxxxxxx>
> ---
> arch/x86/ia32/ia32_aout.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/arch/x86/ia32/ia32_aout.c b/arch/x86/ia32/ia32_aout.c
> index d21ff89..1a5eb43 100644
> --- a/arch/x86/ia32/ia32_aout.c
> +++ b/arch/x86/ia32/ia32_aout.c
> @@ -156,7 +156,7 @@ static int aout_core_dump(struct coredump_params *cprm)
> fs = get_fs();
> set_fs(KERNEL_DS);
> has_dumped = 1;
> - strncpy(dump.u_comm, current->comm, sizeof(current->comm));
> + strlcpy(dump.u_comm, current->comm, sizeof(dump.u_comm));
> dump.u_ar0 = offsetof(struct user32, regs);
> dump.signal = cprm->siginfo->si_signo;
> dump_thread32(cprm->regs, &dump);
This patch appears to introduce an information leakage as well. The dump structure is on the stack and not cleared, so changing to strlcpy leaves part of the u_comm field holding unintialized data which is then written into the dump. The sizeof in the 3rd argument of the original is really an incorrect reference, as you corrected. A question to consider in this case: is the string in that structure expected to always be null-terminated or not. It is not the case that all such character arrays are expected to be. I don't happen to know in this case.
--
Mark Rustad, MRustad@xxxxxxxxx
Attachment:
signature.asc
Description: Message signed with OpenPGP using GPGMail