From: Mark Rutland
To: linux-kernel@vger.kernel.org, kernel-hardening@lists.openwall.com
Cc: Mark Rutland, Andrew Morton, Kees Cook
Subject: [PATCH] lib: harden strncpy_from_user
Date: Fri, 26 Aug 2016 15:31:43 +0100
Message-Id: <1472221903-31181-1-git-send-email-mark.rutland@arm.com>

The strncpy_from_user() accessor is effectively a copy_from_user() specialised to copy strings, terminating early at a NUL byte if possible. In other respects it is identical, and can be used to copy an arbitrarily large buffer from userspace into the kernel. Conceptually, it exposes a similar attack surface.

As with copy_from_user(), we check the destination range when the kernel is built with KASAN, but unlike copy_from_user() we do not check the destination buffer when using HARDENED_USERCOPY. As strncpy_from_user() calls get_user() in a loop, we must call check_object_size() explicitly.

This patch adds this instrumentation to strncpy_from_user(), per the same rationale as with the regular copy_from_user(). In the absence of hardened usercopy this will have no impact as the instrumentation expands to an empty static inline function.

Signed-off-by: Mark Rutland
Cc: Andrew Morton
Cc: Kees Cook
---
 lib/strncpy_from_user.c | 2 ++
 1 file changed, 2 insertions(+)

--
2.7.4

diff --git a/lib/strncpy_from_user.c b/lib/strncpy_from_user.c index 9c5fe81..7e35fc4 100644 --- a/lib/strncpy_from_user.c +++ b/lib/strncpy_from_user.c @@ -1,6 +1,7 @@ #include #include #include +#include #include #include #include @@ -111,6 +112,7 @@ long strncpy_from_user(char *dst, const char __user *src, long count) long retval; kasan_check_write(dst, count); + check_object_size(dst, count, false); user_access_begin(); retval = do_strncpy_from_user(dst, src, count, max); user_access_end();
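
Review bot: In the second hunk, check_object_size(dst, count, false) is given the caller's full count rather than the number of bytes actually written, so a caller that passes a count larger than its destination object can now trip HARDENED_USERCOPY even when the user string is short. That mirrors the kasan_check_write(dst, count) call on the line above and looks intentional, but the commit message does not say so; a sentence there, or a one-line comment above the call, would help whoever hits the new failure. Separately, count is a signed long in the signature shown in the hunk header and the visible context does not show where it is validated as positive, so please confirm this call cannot be reached with a negative count. A short comment noting that the bare false means the copy is into the kernel rather than to user would also make the call easier to read.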