+ strscpy-reject-buffer-sizes-larger-than-int_max.patch added to -mm tree

akpm@xxxxxxxxxxxxxxxxxxxx · Fri, 26 Jul 2019 15:46:44 -0700

The patch titled
     Subject: strscpy: reject buffer sizes larger than INT_MAX
has been added to the -mm tree.  Its filename is
     strscpy-reject-buffer-sizes-larger-than-int_max.patch

This patch should soon appear at
    http://ozlabs.org/~akpm/mmots/broken-out/strscpy-reject-buffer-sizes-larger-than-int_max.patch
and later at
    http://ozlabs.org/~akpm/mmotm/broken-out/strscpy-reject-buffer-sizes-larger-than-int_max.patch

Before you just go and hit "reply", please:
   a) Consider who else should be cc'ed
   b) Prefer to cc a suitable mailing list as well
   c) Ideally: find the original patch on the mailing list and do a
      reply-to-all to that, adding suitable additional cc's

*** Remember to use Documentation/process/submit-checklist.rst when testing your code ***

The -mm tree is included into linux-next and is updated
there every 3-4 working days

------------------------------------------------------
From: Kees Cook <keescook@xxxxxxxxxxxx>
Subject: strscpy: reject buffer sizes larger than INT_MAX

As already done for snprintf(), add a check in strscpy() for giant (i.e. 
likely negative and/or miscalculated) copy sizes, WARN, and error out.

Link: http://lkml.kernel.org/r/201907260928.23DE35406@keescook
Signed-off-by: Kees Cook <keescook@xxxxxxxxxxxx>
Cc: Joe Perches <joe@xxxxxxxxxxx>
Cc: Rasmus Villemoes <linux@xxxxxxxxxxxxxxxxxx>
Cc: Yann Droneaud <ydroneaud@xxxxxxxxxx>
Cc: David Laight <David.Laight@xxxxxxxxxx>
Cc: Jonathan Corbet <corbet@xxxxxxx>
Cc: Stephen Kitt <steve@xxxxxxx>
Cc: Jann Horn <jannh@xxxxxxxxxx>
Signed-off-by: Andrew Morton <akpm@xxxxxxxxxxxxxxxxxxxx>
---

 lib/string.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/lib/string.c~strscpy-reject-buffer-sizes-larger-than-int_max
+++ a/lib/string.c
@@ -183,7 +183,7 @@ ssize_t strscpy(char *dest, const char *
 	size_t max = count;
 	long res = 0;
 
-	if (count == 0)
+	if (count == 0 || WARN_ON_ONCE(count > INT_MAX))
 		return -E2BIG;
 
 #ifdef CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS
_

Patches currently in -mm which might be from keescook@xxxxxxxxxxxx are

strscpy-reject-buffer-sizes-larger-than-int_max.patch







