• Eric Biggers's avatar
    crypto: user - clean up report structure copying · 37db69e0
    Eric Biggers authored
    There have been a pretty ridiculous number of issues with initializing
    the report structures that are copied to userspace by NETLINK_CRYPTO.
    Commit 4473710d ("crypto: user - Prepare for CRYPTO_MAX_ALG_NAME
    expansion") replaced some strncpy()s with strlcpy()s, thereby
    introducing information leaks.  Later two other people tried to replace
    other strncpy()s with strlcpy() too, which would have introduced even
    more information leaks:
    
        - https://lore.kernel.org/patchwork/patch/954991/
        - https://patchwork.kernel.org/patch/10434351/
    
    Commit cac5818c ("crypto: user - Implement a generic crypto
    statistics") also uses the buggy strlcpy() approach and therefore leaks
    uninitialized memory to userspace.  A fix was proposed, but it was
    originally incomplete.
    
    Seeing as how apparently no one can get this right with the current
    approach, change all the reporting functions to:
    
    - Start by memsetting the report structure to 0.  This guarantees it's
      always initialized, regardless of what happens later.
    - Initialize all strings using strscpy().  This is safe after the
      memset, ensures null termination of long strings, avoids unnecessary
      work, and avoids the -Wstringop-truncation warnings from gcc.
    - Use sizeof(var) instead of sizeof(type).  This is more robust against
      copy+paste errors.
    
    For simplicity, also reuse the -EMSGSIZE return value from nla_put().
    Signed-off-by: default avatarEric Biggers <ebiggers@google.com>
    Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
    37db69e0
kpp.c 2.9 KB