[PATCH] string: Fix strscpy() uninitialized data copy bug

From: Ingo Molnar
Date: Mon Oct 05 2015 - 12:36:50 EST



* Ingo Molnar <mingo@xxxxxxxxxx> wrote:

> A slightly more paranoid version would be:
>
> c = *(unsigned long *)(src+res);
>
> if (has_zero(c, &data, &constants)) {
> 	unsigned int zero_pos;
>
> 	data = prep_zero_mask(c, data, &constants);
> 	data = create_zero_mask(data);
>
> 	zero_pos = find_zero(data);
>
> 	/* Clear out undefined data within the final word after the NUL: */
> 	memset((void *)&c + zero_pos, 0, sizeof(long)-zero_pos);
>
> 	*(unsigned long *)(dest+res) = c;
>
> 	return res+zero_pos;
> }
> *(unsigned long *)(dest+res) = c;
>
> This would solve any theoretical races in the _target_ buffer: if the target
> buffer may be copied to user-space in a racy fashion and we don't ever want it
> to have undefined data, then this variant does the tail-zeroing of the final
> word in the temporary copy, not in the target buffer.
>
> Still untested.

So the patch below got tested a bit more seriously, with the strscpy() based
strlcpy() patch I sent earlier: at least a typical Fedora bootup with a few
thousand strlcpy() uses does not crash in any obvious way.

Still needs review to make sure I have not missed anything ...

Thanks,

Ingo

===================>
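To make the "tail-zeroing in the temporary" point concrete, here is an added userspace demonstration of the word-at-a-time copy sketched in the quoted snippet. It is not kernel code and not the patch Ingo sent: the has_zero()/prep_zero_mask()/create_zero_mask()/find_zero() helpers are simplified re-implementations assumed to mirror the kernel's little-endian semantics, the word is fixed at 64 bits, the load/store helpers and copy_words()/tail_garbage_bytes() are names chosen for this example, and the 0xAA filler past the NUL is constructed data standing in for whatever uninitialized bytes the source word would carry. copy_words() takes a flag so the naive "store the whole last word" behaviour can be compared with the variant that clears the bytes after the NUL in the temporary before the single store:

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <errno.h>
#include <stdio.h>

#ifndef E2BIG
#define E2BIG 7
#endif

typedef uint64_t word_t;  /* assumption for this demo: 64-bit word */
#define ONE_BITS  ((word_t)0x0101010101010101ULL)
#define HIGH_BITS ((word_t)0x8080808080808080ULL)

/* Little-endian word load/store without aliasing or alignment UB. The
 * kernel does one aligned word access here; the byte loop only keeps
 * this userspace demo portable. */
static word_t load_le(const char *p)
{
	word_t w = 0;
	for (size_t i = 0; i < sizeof(word_t); i++)
		w |= (word_t)(unsigned char)p[i] << (8 * i);
	return w;
}

static void store_le(char *p, word_t w)
{
	for (size_t i = 0; i < sizeof(word_t); i++)
		p[i] = (char)(w >> (8 * i));
}

/* Simplified mirrors of the little-endian word-at-a-time helpers
 * (assumed to match the kernel's semantics; no constants struct). */
static word_t has_zero(word_t a, word_t *bits)
{
	/* 0x80 lands in every zero byte, and possibly as a false positive
	 * in bytes above the first zero, which the next steps discard. */
	word_t mask = ((a - ONE_BITS) & ~a) & HIGH_BITS;
	*bits = mask;
	return mask;
}

static word_t prep_zero_mask(word_t a, word_t bits)
{
	(void)a;
	return bits;
}

static word_t create_zero_mask(word_t bits)
{
	/* Keep only the bits below the lowest set 0x80: a run of 0xff
	 * bytes covering every byte before the first NUL. */
	bits = (bits - 1) & ~bits;
	return bits >> 7;
}

static unsigned find_zero(word_t mask)
{
	/* Count the 0xff bytes in the mask: the byte offset of the NUL. */
	return (unsigned)((mask * 0x0001020304050608ULL) >> 56);
}

/* strscpy()-style copy: returns bytes copied (excluding NUL) or -E2BIG on
 * truncation with dest still NUL-terminated. The word loop assumes every
 * word it loads from src is readable, as strscpy() assumes for aligned src.
 * With zero_tail set, the bytes after the NUL in the final word are
 * cleared in the temporary (the memset in the quoted snippet) before the
 * single store, so dest never receives src's data past the NUL. */
static long copy_words(char *dest, const char *src, size_t count, int zero_tail)
{
	size_t res = 0, max = count;

	while (max >= sizeof(word_t)) {
		word_t c = load_le(src + res), data;

		if (has_zero(c, &data)) {
			unsigned zero_pos;

			data = prep_zero_mask(c, data);
			data = create_zero_mask(data);
			zero_pos = find_zero(data);
			if (zero_tail)
				c &= ~(~(word_t)0 << (8 * zero_pos)); /* keep bytes [0, zero_pos) */
			store_le(dest + res, c);
			return (long)(res + zero_pos);
		}
		store_le(dest + res, c);
		res += sizeof(word_t);
		max -= sizeof(word_t);
	}
	/* Byte-at-a-time tail for the remaining < sizeof(word_t) bytes. */
	while (res < count) {
		char ch = src[res];

		dest[res] = ch;
		if (!ch)
			return (long)res;
		res++;
	}
	if (count)
		dest[res - 1] = '\0';
	return -E2BIG;
}

/* Constructed input: "secret" + NUL, then 0xAA filler standing in for the
 * undefined bytes after the NUL. Returns how many non-zero bytes end up in
 * dest after the terminator but inside the final copied word, i.e. what a
 * racy reader of dest could observe; -1 on an unexpected copy length. */
static int tail_garbage_bytes(int zero_tail)
{
	char src[16], dest[16];
	int garbage = 0;
	long n;

	memset(src, 0xAA, sizeof src);
	memcpy(src, "secret", 7);
	memset(dest, 0, sizeof dest);

	n = copy_words(dest, src, sizeof dest, zero_tail);
	if (n != 6)
		return -1;
	for (size_t i = (size_t)n + 1; i < sizeof(word_t); i++)
		if (dest[i] != 0)
			garbage++;
	return garbage;
}

int main(void)
{
	printf("src bytes past the NUL visible in dest: whole-word store=%d, tail-zeroed=%d\n",
	       tail_garbage_bytes(0), tail_garbage_bytes(1));
	return 0;
}
```

With the whole-word store, dest[7] ends up holding the 0xAA byte that sat after the NUL in the source word; with the tail cleared in the temporary, every byte of the final word after the terminator is zero, and dest is only ever written once per word, so there is no window in which it holds the undefined data.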