[PATCH] string: Fix strscpy() uninitialized data copy bug

From: Ingo Molnar
Date: Mon Oct 05 2015 - 12:30:37 EST


Alexey Dobriyan noticed that our new strscpy() implementation will copy
potentially out of range or uninitialized data from past the end of the
source string.

Fix this by zeroing out the tail of the final word of the copy.

Reported-by: Alexey Dobriyan <adobriyan@xxxxxxxxx>
Signed-off-by: Ingo Molnar <mingo@xxxxxxxxxx>
---
lib/string.c | 14 +++++++++++++-
1 file changed, 13 insertions(+), 1 deletion(-)

diff --git a/lib/string.c b/lib/string.c
index 6b89c035df74..548f52b7a145 100644
--- a/lib/string.c
+++ b/lib/string.c
@@ -177,12 +177,24 @@ ssize_t strscpy(char *dest, const char *src, size_t count)
unsigned long c, data;

c = *(unsigned long *)(src+res);
- *(unsigned long *)(dest+res) = c;
+
if (has_zero(c, &data, &constants)) {
+ unsigned int zero_pos;
+
data = prep_zero_mask(c, data, &constants);
data = create_zero_mask(data);
+
+ zero_pos = find_zero(data);
+
+ /* Clear out undefined data within the final word after the NUL (if any): */
+ memset((void *)&c + zero_pos, 0, sizeof(long)-zero_pos);
+
+ *(unsigned long *)(dest+res) = c;
+
return res + find_zero(data);
}
+ *(unsigned long *)(dest+res) = c;
+
res += sizeof(unsigned long);
count -= sizeof(unsigned long);
max -= sizeof(unsigned long);
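Review bot: `find_zero(data)` is evaluated twice in this hunk, once into `zero_pos` and again in the return statement; since `zero_pos` is already in hand, `return res + zero_pos;` is enough and keeps the copy length and the memset offset visibly derived from the same value. Two smaller points in the same block: the memset length uses `sizeof(long)` while every other line of the function uses `sizeof(unsigned long)` (same value, but it reads as a different quantity), and `(void *)&c + zero_pos` relies on the GCC void-pointer arithmetic extension where `(char *)&c + zero_pos` says the same thing portably. The comment above the memset says it clears data "after the NUL", but the range starts at `zero_pos`, i.e. it includes the NUL byte itself; harmless since that byte is already zero, but worth wording precisely.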
--