Re: [PATCH] kernel: module: strncpy issue, using strlcpy instead of strncpy
From: Geert Uytterhoeven
Date: Sun Apr 07 2013 - 10:28:10 EST
On Sun, Apr 7, 2013 at 1:38 PM, Chen Gang <gang.chen@xxxxxxxxxxx> wrote:
> ownername and namebuf are all NUL terminated string.
>
> need always let them ended by '\0'.
>
> Signed-off-by: Chen Gang <gang.chen@xxxxxxxxxxx>
> ---
> kernel/module.c | 4 ++--
> 1 files changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/kernel/module.c b/kernel/module.c
> index 3c2c72d..597efd8 100644
> --- a/kernel/module.c
> +++ b/kernel/module.c
> @@ -3464,7 +3464,7 @@ const char *module_address_lookup(unsigned long addr,
> }
> /* Make a copy in here where it's safe */
> if (ret) {
> - strncpy(namebuf, ret, KSYM_NAME_LEN - 1);
> + strlcpy(namebuf, ret, KSYM_NAME_LEN);
> ret = namebuf;
> }
> preempt_enable();
Is this buffer ever copied to userspace?
If yes, it may leak innocent kernel stack to userspace, as strlcpy()
doesn't fill
the remaining of the buffer with zeroes, while strncpy() does.
Gr{oetje,eeting}s,
Geert
--
Geert Uytterhoeven -- There's lots of Linux beyond ia32 -- geert@xxxxxxxxxxxxxx
In personal conversations with technical people, I call myself a hacker. But
when I'm talking to journalists I just say "programmer" or something like that.
-- Linus Torvalds
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/