Re: [PATCH] vt: Fix potential read overflow of kernel memory

From: Greg Kroah-Hartman
Date: Wed Aug 30 2023 - 14:47:29 EST


On Wed, Aug 30, 2023 at 04:04:10PM +0000, Azeem Shaikh wrote:
> strlcpy() reads the entire source buffer first.
> This read may exceed the destination size limit if
> a source string is not NUL-terminated [1].

But that's not the case here, right? So your "potential read overflow"
isn't relevant here.

> The copy_to_user() call uses @len returned from strlcpy() directly
> without checking its value. This could potentially lead to read
> overflow.

But can it? How?

Those are all hard-coded strings, in the kernel source, there is no
potential overflow here.

And you know the buffer size is correct as well.

So why even check?

> In an effort to remove strlcpy() completely [2], replace
> strlcpy() here with strscpy().
>
> [1] https://www.kernel.org/doc/html/latest/process/deprecated.html#strlcpy
> [2] https://github.com/KSPP/linux/issues/89
>
> Signed-off-by: Azeem Shaikh <azeemshaikh38@xxxxxxxxx>
> ---
> drivers/tty/vt/keyboard.c | 7 +++++--
> 1 file changed, 5 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/tty/vt/keyboard.c b/drivers/tty/vt/keyboard.c
> index 358f216c6cd6..15359c328a23 100644
> --- a/drivers/tty/vt/keyboard.c
> +++ b/drivers/tty/vt/keyboard.c
> @@ -2079,12 +2079,15 @@ int vt_do_kdgkb_ioctl(int cmd, struct kbsentry __user *user_kdgkb, int perm)
> return -ENOMEM;
>
> spin_lock_irqsave(&func_buf_lock, flags);
> - len = strlcpy(kbs, func_table[kb_func] ? : "", len);
> + len = strscpy(kbs, func_table[kb_func] ? : "", len);
> spin_unlock_irqrestore(&func_buf_lock, flags);
>
> + if (len < 0) {
> + ret = -EFAULT;
> + break;
> + }

Don't check for impossible things please.

thanks,

greg k-h