strscpy() tries to copy sizeof(unsigned long) bytes a time from src
to dest when possible, and stops the loop when 'max' is less than
sizeof(unsigned long). But it doesn't check if (src+res) goes beyond
src buffer and does out-of-bound access to the underlying memory.
KASAN reported global-out-of-bound bug when reading seccomp
actions_logged file in procfs:
cat /proc/sys/kernel/seccomp/actions_logged
Because seccomp_names_from_actions_logged() is copying short strings
(less than sizeof(unsigned long)) to buffer 'names'. e.g.
ret = strscpy(names, " ", size);
Fixed by capping the 'max' value according to the src buffer size,
to make sure we won't go beyond src buffer.
Cc: Andrew Morton <a...@linux-foundation.org>
Cc: Chris Metcalf <cmetc...@ezchip.com>
Cc: Kees Cook <keesc...@chromium.org>
Signed-off-by: Eryu Guan <eg...@redhat.com>
---
lib/string.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/lib/string.c b/lib/string.c
index 64a9e33f1daa..13a0147eea00 100644
--- a/lib/string.c
+++ b/lib/string.c
@@ -179,6 +179,7 @@ ssize_t strscpy(char *dest, const char *src, size_t count)
{
const struct word_at_a_time constants = WORD_AT_A_TIME_CONSTANTS;
size_t max = count;
+ size_t src_sz = strlen(src) + 1;
long res = 0;
if (count == 0)
@@ -200,6 +201,10 @@ ssize_t strscpy(char *dest, const char *src, size_t count)
max = 0;
#endif
+ /* avoid reading beyond src buffer */
+ if (max > src_sz)
+ max = src_sz;
+
while (max >= sizeof(unsigned long)) {
unsigned long c, data;
--
2.14.3
