On Wed, Aug 30, 2023 at 1:57 PM Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx> wrote: > > On Wed, Aug 30, 2023 at 04:04:10PM +0000, Azeem Shaikh wrote: > > strlcpy() reads the entire source buffer first. > > This read may exceed the destination size limit if > > a source string is not NUL-terminated [1]. > > But that's not the case here, right? So your "potential read overflow" > isn't relevant here. > > > The copy_to_user() call uses @len returned from strlcpy() directly > > without checking its value. This could potentially lead to read > > overflow. > > But can it? How? > The case I was considering is when the null-terminated hardcoded string @func_table[kb_func] has length @new_len > @len. In this case, strlcpy() will assign @len = @new_len and copy_to_user() would read @new_len from the kmalloc-ed memory of @len. This is the potential read overflow I was referring to. Let me know if I'm mistaken.
