From nobody Thu Sep 02 20:57:42 2021
Message-ID: <2b59c3ae-8330-facd-def9-c0640c56cf3a@bruelltuete.com>
Date: Thu, 2 Sep 2021 21:57:42 +0100
List-Id: Technical discussions relating to FreeBSD
List-Archive: https://lists.freebsd.org/archives/freebsd-hackers
Subject: String functions considered unsafe in kernel
To: freebsd-hackers@FreeBSD.org
From: Johannes Totz via freebsd-hackers
Reply-To: jo@bruelltuete.com

(looks like gmane swallowed my 1st message, trying again)

Hi folks,

there are a few string (copy, formatting) functions I would consider unsafe when used in kernel, in particular when used with untrusted input coming from user space.

For example: snprintf. Yes, it has the size of its output buffer given. But its return value is problematic. Let's say we have something like

    struct ioctl_structure {
        int blahblah;
        char device_name[64];
    };

    void ioctl_handler(... caddr_t addr ...)
    {
        /* argument copied in from user space; device_name may lack a NUL */
        struct ioctl_structure *inputdata = (struct ioctl_structure *)addr;
        char some_internal_buffer[64];

        snprintf(some_internal_buffer, sizeof(some_internal_buffer), "%s",
            inputdata->device_name);
    }

Here, snprintf is supposed to return the number of characters that would have been printed. I.e. it will scan the input string all the way to the end. Unfortunately we can craft input that's not null terminated. So snprintf will read well past the end of the buffer, potentially all the way into the next page that may or may not be present.

There are more string functions that return similar stuff. For example strlcpy.

These functions are used *a lot*. Quite often where the source string is an obvious fixed compile-time constant, so no problem there. But also where it's not obvious at first glance.

Have we thought about this as a potential source of problems before?
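As an added example (not code from the mail or from FreeBSD), a userland-compilable hardened counterpart to the snprintf("%s") pattern above: the scan is bounded by the size of the incoming fixed-size field, and a field without a terminator is rejected instead of being read past its end. The struct layout mirrors the mail; the function names are assumptions.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Fixed-size ioctl argument layout from the mail (names constructed here). */
struct ioctl_structure {
    int blahblah;
    char device_name[64];
};

/* Bounded copy of a fixed-size, possibly unterminated field: reads at most
 * srcsz bytes, so a missing NUL cannot drag the scan into the next page.
 * Returns false (dst empty) if the field has no NUL or does not fit, so the
 * caller can reject the request instead of truncating silently. */
bool copy_field_bounded(char *dst, size_t dstsz, const char *src, size_t srcsz)
{
    const char *nul = memchr(src, '\0', srcsz);  /* never scans past srcsz */
    if (dstsz > 0)
        dst[0] = '\0';
    if (nul == NULL || dstsz == 0 || (size_t)(nul - src) >= dstsz)
        return false;
    memcpy(dst, src, (size_t)(nul - src) + 1);   /* includes the NUL */
    return true;
}

/* snprintf variant: a "%.*s" precision bounds how far %s may scan src. */
int format_field_bounded(char *dst, size_t dstsz, const char *src, size_t srcsz)
{
    return snprintf(dst, dstsz, "%.*s", (int)srcsz, src);
}

/* Unterminated input: device_name is 64 'A's with no NUL (constructed). */
bool demo_unterminated_rejected(void)
{
    struct ioctl_structure in;
    char buf[64];
    memset(in.device_name, 'A', sizeof in.device_name);
    bool ok = copy_field_bounded(buf, sizeof buf, in.device_name, sizeof in.device_name);
    int n = format_field_bounded(buf, sizeof buf, in.device_name, sizeof in.device_name);
    /* copy refused; snprintf returns 64 >= sizeof buf, i.e. output was truncated */
    return !ok && n == 64 && n >= (int)sizeof buf;
}

/* Well-formed input copies through unchanged (rest of the field is zeroed). */
bool demo_terminated_copied(void)
{
    struct ioctl_structure in = { .blahblah = 1, .device_name = "da0" };
    char buf[64];
    return copy_field_bounded(buf, sizeof buf, in.device_name, sizeof in.device_name) && strcmp(buf, "da0") == 0;
}
```

Note that the snprintf form only bounds the read; its return value still has to be compared against the destination size to detect truncation.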