RE: [PATCH] bfa: avoid buffer overrun for 12-byte model name

From: Vijay Mohan Guvva
Date: Mon Dec 24 2012 - 03:15:55 EST

Next message: Zheng Liu: "Re: [PATCH v2 2/3] mm: Update file times when inodes are writtenafter mmaped writes"
Previous message: Andrey Vagin: "[PATCH 2/4] signal: add a helper for dequeuing signals from a specified queue"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Hi Jim,
Due to BFA_FCS_PORT_SYMBNAME_MODEL_SZ macro value of 12, we are missing some part of the model name in port/node symbolic name and seeing issues related to null termination. Mismatch between the actual model size and number of bytes copied to symbolic name is a bug. Can you please fix this by changing BFA_FCS_PORT_SYMBNAME_MODEL_SZ to 16 and reduce os_name macro (BFA_FCS_PORT_SYMBNAME_OSINFO_SZ) to 44, so that both the issues i.e symbolic name and null termination will be fixed.

Thanks,
Vijay

-----Original Message-----
From: linux-scsi-owner@xxxxxxxxxxxxxxx [mailto:linux-scsi-owner@xxxxxxxxxxxxxxx] On Behalf Of Jim Meyering
Sent: Sunday, October 14, 2012 1:51 PM
To: Krishna Gudipati
Cc: Andi Kleen; linux-kernel@xxxxxxxxxxxxxxx; James E.J. Bottomley; linux-scsi@xxxxxxxxxxxxxxx
Subject: Re: [PATCH] bfa: avoid buffer overrun for 12-byte model name

Jim Meyering wrote:
> Jim Meyering wrote:
>> Krishna Gudipati wrote:
>>>> -----Original Message-----
>>>> From: Jim Meyering [mailto:jim@xxxxxxxxxxxx]
>>>> Sent: Monday, August 20, 2012 9:55 AM
>>>> To: linux-kernel@xxxxxxxxxxxxxxx
>>>> Cc: Jim Meyering; Jing Huang; Krishna Gudipati; James E.J.
>>>> Bottomley; linux- scsi@xxxxxxxxxxxxxxx
>>>> Subject: [PATCH] bfa: avoid buffer overrun for 12-byte model name
>>>>
>>>> From: Jim Meyering <meyering@xxxxxxxxxx>
>>>>
>>>> we use strncpy to copy a model name of length up to 15 (16, if you
>>>> count the NUL), into a buffer of size 12 (BFA_FCS_PORT_SYMBNAME_MODEL_SZ).
>>>> However, strncpy does not always NUL-terminate, so whenever the
>>>> original model string has strlen >= 12, the following strncat reads
>>>> beyond end of the -
>>>> >sym_name buffer as it attempts to find end of string.
>>>>
>>>> bfa_fcs_fabric_psymb_init(struct bfa_fcs_fabric_s *fabric) {
>>>> bfa_ioc_get_adapter_model(&fabric->fcs->bfa->ioc, model);
>>>> ...
>>>> strncpy((char *)&port_cfg->sym_name, model,
>>>> BFA_FCS_PORT_SYMBNAME_MODEL_SZ);
>>>> strncat((char *)&port_cfg->sym_name,
>>>> BFA_FCS_PORT_SYMBNAME_SEPARATOR,
>>>> sizeof(BFA_FCS_PORT_SYMBNAME_SEPARATOR));
>>>> ...
>>>>
>>>> bfa_ioc_get_adapter_model(struct bfa_ioc_s *ioc, char *model) {
>>>> struct bfi_ioc_attr_s *ioc_attr;
>>>>
>>>> WARN_ON(!model);
>>>> memset((void *)model, 0, BFA_ADAPTER_MODEL_NAME_LEN);
>>>>
>>>> BFA_ADAPTER_MODEL_NAME_LEN = 16
>>>>
>>>> Signed-off-by: Jim Meyering <meyering@xxxxxxxxxx>
>>>> ---
>>>> drivers/scsi/bfa/bfa_fcs.c | 1 +
>>>> 1 file changed, 1 insertion(+)
>>>>
>>>> diff --git a/drivers/scsi/bfa/bfa_fcs.c
>>>> b/drivers/scsi/bfa/bfa_fcs.c index
>>>> eaac57e..3329493 100644
>>>> --- a/drivers/scsi/bfa/bfa_fcs.c
>>>> +++ b/drivers/scsi/bfa/bfa_fcs.c
>>>> @@ -713,6 +713,7 @@ bfa_fcs_fabric_psymb_init(struct
>>>> bfa_fcs_fabric_s
>>>> *fabric)
>>>> /* Model name/number */
>>>> strncpy((char *)&port_cfg->sym_name, model,
>>>> BFA_FCS_PORT_SYMBNAME_MODEL_SZ);
>>>> + port_cfg->sym_name[BFA_FCS_PORT_SYMBNAME_MODEL_SZ - 1]
>>>> = 0;
>>>> strncat((char *)&port_cfg->sym_name,
>>>> BFA_FCS_PORT_SYMBNAME_SEPARATOR,
>>>> sizeof(BFA_FCS_PORT_SYMBNAME_SEPARATOR));
>>>
>>> Nacked-by: Krishna Gudipati <kgudipat@xxxxxxxxxxx>
>>>
>>> Hi Jim,
>>>
>>> This model number is of length 12 bytes and the logic added here
>>> will reset the model last byte.
>>> In addition strncat does not need the src to be null terminated, the
>>> change does not compile even.
>>> NACK to this change.
>>
>> Hi Krishna,
>>
>> Thanks for the quick feedback and sorry the patch wasn't quite right.
>> However, the log is accurate: there is at least a theoretical problem
>> when the string in "model" (a buffer of size 16 bytes) has strlen >= 12.
>> While strncat does not require that its second argument be
>> NUL-terminated, the first one (the destination) must be. Otherwise,
>> it has no way to determine the end of the string to which it must append the source bytes.
>
> Ping?
> In case it wasn't clear, there *is* a risk of buffer overflow, which
> happens when strncpy makes it so strncat's destination is not NUL
> terminated.
>
> If you require support for 12-byte model numbers, then you'll have to
> increase the length of that buffer
> (BFA_FCS_PORT_SYMBNAME_MODEL_SZ) to at least 13.
>
> I've just rebased, and thus confirmed that the patches still apply.
>
>> Here is a v2 patch to which I've added the requisite (char*) cast.
>> However, this whole function is rather unreadable due to the
>> repetition (12 times!) of "(char *)&port_cfg->sym_name".
>> In case someone prefers to factor out that repetition, I've appended
>> a larger, v3 patch to do that.

Taking Andi's advice, I've made the offending code use strlcpy in place of strncpy. More importantly, I've fixed the same bug also in the following, nearly identical function.

-- >8 --

Two functions have this problem:
bfa_fcs_fabric_psymb_init
bfa_fcs_fabric_nsymb_init
They use strncpy to copy a model name of length up to 15 (16, if you count the NUL), into a buffer of size 12 (BFA_FCS_PORT_SYMBNAME_MODEL_SZ).
However, strncpy does not always NUL-terminate, so whenever the original model string has strlen >= 12, the following strncat reads beyond end of the ->sym_name buffer as it attempts to find end of string.
Instead, use strlcpy, which does guarantee NUL-termination.

bfa_fcs_fabric_psymb_init(struct bfa_fcs_fabric_s *fabric) {
bfa_ioc_get_adapter_model(&fabric->fcs->bfa->ioc, model);
...
strncpy((char *)&port_cfg->sym_name, model,
BFA_FCS_PORT_SYMBNAME_MODEL_SZ);
strncat((char *)&port_cfg->sym_name, BFA_FCS_PORT_SYMBNAME_SEPARATOR,
sizeof(BFA_FCS_PORT_SYMBNAME_SEPARATOR));
...

bfa_ioc_get_adapter_model(struct bfa_ioc_s *ioc, char *model) {
struct bfi_ioc_attr_s *ioc_attr;

WARN_ON(!model);
memset((void *)model, 0, BFA_ADAPTER_MODEL_NAME_LEN);

BFA_ADAPTER_MODEL_NAME_LEN = 16

Signed-off-by: Jim Meyering <jim@xxxxxxxxxxxx>
---
drivers/scsi/bfa/bfa_fcs.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/scsi/bfa/bfa_fcs.c b/drivers/scsi/bfa/bfa_fcs.c index d428808..c7f476c 100644
--- a/drivers/scsi/bfa/bfa_fcs.c
+++ b/drivers/scsi/bfa/bfa_fcs.c
@@ -837,7 +837,7 @@ bfa_fcs_fabric_psymb_init(struct bfa_fcs_fabric_s *fabric)
bfa_ioc_get_adapter_model(&fabric->fcs->bfa->ioc, model);

/* Model name/number */
- strncpy((char *)&port_cfg->sym_name, model,
+ strlcpy((char *)&port_cfg->sym_name, model,
BFA_FCS_PORT_SYMBNAME_MODEL_SZ);
strncat((char *)&port_cfg->sym_name, BFA_FCS_PORT_SYMBNAME_SEPARATOR,
sizeof(BFA_FCS_PORT_SYMBNAME_SEPARATOR));
@@ -898,7 +898,7 @@ bfa_fcs_fabric_nsymb_init(struct bfa_fcs_fabric_s *fabric)
bfa_ioc_get_adapter_model(&fabric->fcs->bfa->ioc, model);

/* Model name/number */
- strncpy((char *)&port_cfg->node_sym_name, model,
+ strlcpy((char *)&port_cfg->node_sym_name, model,
BFA_FCS_PORT_SYMBNAME_MODEL_SZ);
strncat((char *)&port_cfg->node_sym_name,
BFA_FCS_PORT_SYMBNAME_SEPARATOR,
--
1.8.0.rc2
--
To unsubscribe from this list: send the line "unsubscribe linux-scsi" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Zheng Liu: "Re: [PATCH v2 2/3] mm: Update file times when inodes are writtenafter mmaped writes"
Previous message: Andrey Vagin: "[PATCH 2/4] signal: add a helper for dequeuing signals from a specified queue"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]