diff options
| author | Kees Cook <[email protected]> | 2023-10-18 17:53:58 +0000 |
|---|---|---|
| committer | Kees Cook <[email protected]> | 2023-10-19 00:56:32 +0000 |
| commit | 0e108725f6cc5b3be9e607f89c9fbcbb236367b7 (patch) | |
| tree | 149102c39237fe844793971015c83202d0c9f699 /scripts/gcc-plugins | |
| parent | hardening: x86: drop reference to removed config AMD_IOMMU_V2 (diff) | |
| download | kernel-0e108725f6cc5b3be9e607f89c9fbcbb236367b7.tar.gz kernel-0e108725f6cc5b3be9e607f89c9fbcbb236367b7.zip | |
string: Adjust strtomem() logic to allow for smaller sources
Arnd noticed we have a case where a shorter source string is being copied
into a destination byte array, but this results in a strnlen() call that
exceeds the size of the source. This is seen with -Wstringop-overread:
In file included from ../include/linux/uuid.h:11,
from ../include/linux/mod_devicetable.h:14,
from ../include/linux/cpufeature.h:12,
from ../arch/x86/coco/tdx/tdx.c:7:
../arch/x86/coco/tdx/tdx.c: In function 'tdx_panic.constprop':
../include/linux/string.h:284:9: error: 'strnlen' specified bound 64 exceeds source size 60 [-Werror=stringop-overread]
284 | memcpy_and_pad(dest, _dest_len, src, strnlen(src, _dest_len), pad); \
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
../arch/x86/coco/tdx/tdx.c:124:9: note: in expansion of macro 'strtomem_pad'
124 | strtomem_pad(message.str, msg, '\0');
| ^~~~~~~~~~~~
Use the smaller of the two buffer sizes when calling strnlen(). When
src length is unknown (SIZE_MAX), it is adjusted to use dest length,
which is what the original code did.
Reported-by: Arnd Bergmann <[email protected]>
Fixes: dfbafa70bde2 ("string: Introduce strtomem() and strtomem_pad()")
Tested-by: Arnd Bergmann <[email protected]>
Cc: Andy Shevchenko <[email protected]>
Cc: [email protected]
Signed-off-by: Kees Cook <[email protected]>
Diffstat (limited to 'scripts/gcc-plugins')
0 files changed, 0 insertions, 0 deletions