Re: [PATCH] lib/string: avoid reading beyond src buffer in strscpy

From: Linus Torvalds
Date: Tue Dec 12 2017 - 17:42:59 EST

Next message: Alex Williamson: "[PATCH] iommu/vt-d: Fix shift overflow in qi_flush_dev_iotlb"
Previous message: Philippe Ombredanne: "Re: [PATCH V3 net-next 3/8] net: hns3: Add HNS3 VF HCL(Hardware Compatibility Layer) Support"
In reply to: Andrey Ryabinin: "Re: [PATCH] lib/string: avoid reading beyond src buffer in strscpy"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Tue, Dec 12, 2017 at 8:06 AM, Andrey Ryabinin
<aryabinin@xxxxxxxxxxxxx> wrote:
>
> See for yourself, strscpy() is the only sting function doing this.

No, strnlen_user() definitely does too.

It's just that KASAN doesn't track user pointers.

And the important strlen() in the kernel is the pathname hashing code,
which *definitely* accesses outside the source, but since it can
actually traverse to another page we have that one annotated too (with
load_unaligned_zeropad()).

So no, strscpy() isn't the only one doing it, it is just the only one
that KASAN catches.

Linus

Next message: Alex Williamson: "[PATCH] iommu/vt-d: Fix shift overflow in qi_flush_dev_iotlb"
Previous message: Philippe Ombredanne: "Re: [PATCH V3 net-next 3/8] net: hns3: Add HNS3 VF HCL(Hardware Compatibility Layer) Support"
In reply to: Andrey Ryabinin: "Re: [PATCH] lib/string: avoid reading beyond src buffer in strscpy"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]