Skip to content

Commit 077d2ba

Browse files
thestingertorvalds
thestinger
authored and
torvalds
committed
replace incorrect strscpy use in FORTIFY_SOURCE
Using strscpy was wrong because FORTIFY_SOURCE is passing the maximum possible size of the outermost object, but strscpy defines the count parameter as the exact buffer size, so this could copy past the end of the source. This would still be wrong with the planned usage of __builtin_object_size(p, 1) for intra-object overflow checks since it's the maximum possible size of the specified object with no guarantee of it being that large. Reuse of the fortified functions like this currently makes the runtime error reporting less precise but that can be improved later on. Noticed by Dave Jones and KASAN. Signed-off-by: Daniel Micay <danielmicay@gmail.com> Acked-by: Kees Cook <keescook@chromium.org> Reported-by: Dave Jones <davej@codemonkey.org.uk> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
1 parent 01ea917 commit 077d2ba

File tree

1 file changed

+12
-11
lines changed

1 file changed

+12
-11
lines changed

include/linux/string.h

Lines changed: 12 additions & 11 deletions
Original file line numberDiff line numberDiff line change
@@ -202,17 +202,6 @@ void __read_overflow2(void) __compiletime_error("detected read beyond size of ob
202202
void __write_overflow(void) __compiletime_error("detected write beyond size of object passed as 1st parameter");
203203

204204
#if !defined(__NO_FORTIFY) && defined(__OPTIMIZE__) && defined(CONFIG_FORTIFY_SOURCE)
205-
__FORTIFY_INLINE char *strcpy(char *p, const char *q)
206-
{
207-
size_t p_size = __builtin_object_size(p, 0);
208-
size_t q_size = __builtin_object_size(q, 0);
209-
if (p_size == (size_t)-1 && q_size == (size_t)-1)
210-
return __builtin_strcpy(p, q);
211-
if (strscpy(p, q, p_size < q_size ? p_size : q_size) < 0)
212-
fortify_panic(__func__);
213-
return p;
214-
}
215-
216205
__FORTIFY_INLINE char *strncpy(char *p, const char *q, __kernel_size_t size)
217206
{
218207
size_t p_size = __builtin_object_size(p, 0);
@@ -391,6 +380,18 @@ __FORTIFY_INLINE void *kmemdup(const void *p, size_t size, gfp_t gfp)
391380
fortify_panic(__func__);
392381
return __real_kmemdup(p, size, gfp);
393382
}
383+
384+
/* defined after fortified strlen and memcpy to reuse them */
385+
__FORTIFY_INLINE char *strcpy(char *p, const char *q)
386+
{
387+
size_t p_size = __builtin_object_size(p, 0);
388+
size_t q_size = __builtin_object_size(q, 0);
389+
if (p_size == (size_t)-1 && q_size == (size_t)-1)
390+
return __builtin_strcpy(p, q);
391+
memcpy(p, q, strlen(q) + 1);
392+
return p;
393+
}
394+
394395
#endif
395396

396397
#endif /* _LINUX_STRING_H_ */

0 commit comments

Comments
 (0)