Re: kernel BUG at lib/string.c:LINE! (6)

From: Florian Westphal
Date: Tue Dec 22 2020 - 17:08:42 EST

Next message: John Kacur: "[ANNOUNCE] rt-tests-1.10"
Previous message: Gabriel Somlo: "[PATCH v2] drivers/soc/litex: support 32-bit subregisters, 64-bit CPUs"
In reply to: Linus Torvalds: "Re: kernel BUG at lib/string.c:LINE! (6)"
Next in thread: Dmitry Vyukov: "Re: kernel BUG at lib/string.c:LINE! (6)"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Linus Torvalds <torvalds@xxxxxxxxxxxxxxxxxxxx> wrote:
> On Tue, Dec 22, 2020 at 6:44 AM syzbot
> <syzbot+e86f7c428c8c50db65b4@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote:
> >
> > The issue was bisected to:
> >
> > commit 2f78788b55ba ("ilog2: improve ilog2 for constant arguments")
>
> That looks unlikely, although possibly some constant folding
> improvement might make the fortify code notice something with it.
>
> > detected buffer overflow in strlen
> > ------------[ cut here ]------------
> > kernel BUG at lib/string.c:1149!
> > Call Trace:
> > strlen include/linux/string.h:325 [inline]
> > strlcpy include/linux/string.h:348 [inline]
> > xt_rateest_tg_checkentry+0x2a5/0x6b0 net/netfilter/xt_RATEEST.c:143
>
> Honestly, this just looks like the traditional bug in "strlcpy()".

Yes, thats exactly what this is, no idea why the bisection points
at ilog2 changes.

> That BSD function is complete garbage, exactly because it doesn't
> limit the source length. People tend to _think_ it does ("what's that
> size_t argument for?") but strlcpy() only limits the *destination*
> size, and the source is always read fully.

Right, I'll send a patch shortly.

Next message: John Kacur: "[ANNOUNCE] rt-tests-1.10"
Previous message: Gabriel Somlo: "[PATCH v2] drivers/soc/litex: support 32-bit subregisters, 64-bit CPUs"
In reply to: Linus Torvalds: "Re: kernel BUG at lib/string.c:LINE! (6)"
Next in thread: Dmitry Vyukov: "Re: kernel BUG at lib/string.c:LINE! (6)"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]