On Fri, Apr 27, 2018 at 11:26 AM, Florian Westphal <fw@xxxxxxxxx> wrote:
> Paolo Abeni <pabeni@xxxxxxxxxx> wrote:
>> strlcpy() can't be safely used on a user-space provided string,
>> as it can try to read beyond the buffer's end, if the latter is
>> not NULL terminated.
>
> Yes.
>
>> Leveraging the above, syzbot has been able to trigger the following
>> splat:
>>
>> BUG: KASAN: stack-out-of-bounds in strlcpy include/linux/string.h:300 [inline]
>> BUG: KASAN: stack-out-of-bounds in compat_mtw_from_user net/bridge/netfilter/ebtables.c:1957 [inline]
>> BUG: KASAN: stack-out-of-bounds in ebt_size_mwt net/bridge/netfilter/ebtables.c:2059 [inline]
>> BUG: KASAN: stack-out-of-bounds in size_entry_mwt net/bridge/netfilter/ebtables.c:2155 [inline]
>> BUG: KASAN: stack-out-of-bounds in compat_copy_entries+0x96c/0x14a0 net/bridge/netfilter/ebtables.c:2194
>> Write of size 33 at addr ffff8801b0abf888 by task syz-executor0/4504
>
> Which is weird, I don't understand this report.
> The code IS wrong, but it should cause out-of-bounds read (strlen on
> src), but not out-of-bounds write.

Please see this for explanation:
https://groups.google.com/d/msg/syzkaller-bugs/-Jyti8zBWjU/6n-fkmXeBAAJ

The stack overwrite actually happens here.

> Yes, I sent a recent patch (dceb48d86b4871984b8ce9ad5057fb2c01aa33de in
> nf.git) that would now allow to get rid of the strlcpy and use the
> source directly.
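The point Paolo raises above, that strlcpy() computes strlen() of its source and therefore walks past the end of a fixed-size user-supplied field that carries no terminator, is easy to reproduce in a defensive helper. The following is an added illustration, not code from the thread or from the kernel: it bounds the terminator search to the size of the user-supplied field (here a constructed `struct user_match` with a hypothetical `NAME_LEN`) and rejects the record instead of reading past it, which is the check a copy routine needs before any strlen()-based function may touch the data.

```c
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed sizes for the example; the real ebtables fields differ. */
#define NAME_LEN 29
#define DST_LEN  32

/* Hypothetical fixed-size record as user space might hand it to the kernel.
 * Nothing guarantees that name[] contains a NUL within NAME_LEN bytes. */
struct user_match {
    char name[NAME_LEN];
    unsigned int size;
};

/* Returns 1 if src[0..len) contains a NUL terminator, 0 otherwise.
 * memchr() never reads beyond len bytes, unlike strlen()/strlcpy(). */
int user_name_terminated(const char *src, size_t len)
{
    return memchr(src, '\0', len) != NULL;
}

/* Copy a user-provided name into dst (dst_size bytes) without ever reading
 * more than src_len bytes of src. Returns 0 on success, -1 if the field is
 * not NUL-terminated within src_len or the name would not fit in dst. */
int copy_user_name(char *dst, size_t dst_size, const char *src, size_t src_len)
{
    if (!user_name_terminated(src, src_len))
        return -1;                      /* strlen() would run off the end */
    size_t n = strlen(src);             /* safe: terminator is within src_len */
    if (n >= dst_size)
        return -1;                      /* name plus NUL does not fit */
    memcpy(dst, src, n + 1);
    return 0;
}

/* Validate a whole record the way a user-to-kernel translation step would. */
int check_user_match(const struct user_match *m, char *out, size_t out_size)
{
    return copy_user_name(out, out_size, m->name, sizeof(m->name));
}

int main(void)
{
    char out[DST_LEN];
    struct user_match ok = { "limit", 0 };          /* constructed, terminated */
    struct user_match bad;                          /* constructed, no NUL at all */
    memset(bad.name, 'A', sizeof(bad.name));
    bad.size = 0;

    printf("terminated record: %d\n", check_user_match(&ok, out, sizeof(out)));
    printf("unterminated record: %d\n", check_user_match(&bad, out, sizeof(out)));
    return 0;
}
```

The decisive difference from strlcpy() is that the terminator search is bounded by the size of the field the caller actually owns; a record that fails the check is rejected outright rather than copied, so neither an over-read of the source nor an oversized write into the destination can follow.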