On Thu, Jan 09, 2025 at 11:31:59AM +0000, Lorenzo Stoakes wrote:
> On Wed, Jan 08, 2025 at 06:15:36PM -0800, Isaac Manjarres wrote:
> > On Wed, Jan 08, 2025 at 06:58:00PM +0000, Lorenzo Stoakes wrote:
> > > On Tue, Jan 07, 2025 at 10:48:02AM -0800, Isaac J. Manjarres wrote:
> > > > goto err_name;
> > > > - }
> > > > -
> > > > - /* terminating-zero may have changed after strnlen_user() returned */
> > > > - if (name[len + MFD_NAME_PREFIX_LEN - 1]) {
> > > > - error = -EFAULT;
> > > > + } else if (len > MFD_NAME_MAX_LEN) {
> > > > + error = -EINVAL;
> > >
> > > I don't think this can ever happen? It just truncates, looking at the code
> > > for strncpy_from_user().
> > >
> >
> > I double checked, and this case is possible. The maximum we allow to
> > strncpy_from_user() to read is MFD_NAME_MAX_LEN + 1 via the count
> > argument, so that includes the NULL terminator in the userspace buffer.
> >
>
> > strncpy_from_user() then returns the length of the string without the
> > NULL terminator. The check is for just MFD_NAME_MAX_LEN, so this is
> > meant to catch the case where the string, not including the NULL
> > terminator, is greater than MFD_NAME_MAX_LEN, which is invalid, as
> > well as the case where the string becomes malformed/corrupted mid-copy.
>
> Actually you're right :) apologies, I misread the strncpy_from_user()
> implementation.
>
> So I think you should be good here - have you tested this scenario in
> practice just to confirm?
>
> Cheers!
No worries! Yes, I tested this out and confirmed that we do return
-EINVAL in this case before and after this change, so it should be
fine.
Thanks for the review :)! I'll be sending out v3 of this series
shortly.
--Isaac
