1. Patchew
  2. linux
  3. View series

[PATCH] rpmsg: glink: Fix buffer overflow

Hardevsinh Palaniya posted 1 patch 2 years ago
[PATCH] rpmsg: glink: Fix buffer overflow
Posted by Hardevsinh Palaniya 2 years ago 
In qcom_glink_send_open_req() remove error: strcpy() 'channel->name'
too large for 'req.name' (1010102 vs 32)

Signed-off-by: Hardevsinh Palaniya <hardevsinh.palaniya@siliconsignals.io>

diff --git a/drivers/rpmsg/qcom_glink_native.c b/drivers/rpmsg/qcom_glink_native.c
index 82d460ff4777..2d6a592e1c72 100644
--- a/drivers/rpmsg/qcom_glink_native.c
+++ b/drivers/rpmsg/qcom_glink_native.c
@@ -479,7 +479,7 @@ static int qcom_glink_send_open_req(struct qcom_glink *glink,
 	req.msg.cmd = cpu_to_le16(GLINK_CMD_OPEN);
 	req.msg.param1 = cpu_to_le16(channel->lcid);
 	req.msg.param2 = cpu_to_le32(name_len);
-	strcpy(req.name, channel->name);
+	strscpy_pad(req.name, channel->name, sizeof(req.name));
 
 	ret = qcom_glink_tx(glink, &req, req_len, NULL, 0, true);
 	if (ret)
-- 
2.25.1
Re: [PATCH] rpmsg: glink: Fix buffer overflow
Posted by Bjorn Andersson 2 years ago 
On Mon, Dec 11, 2023 at 09:32:20PM +0530, Hardevsinh Palaniya wrote:
> In qcom_glink_send_open_req() remove error: strcpy() 'channel->name'
> too large for 'req.name' (1010102 vs 32)
> 

As far as I can tell, channel->name comes from the struct
rpmsg_channel_info->name, which is a 32-byte array, and all code paths I
can find either uses strscpy() or explicitly NUL-terminates this string.

I'm curious to know which path took us here.

> Signed-off-by: Hardevsinh Palaniya <hardevsinh.palaniya@siliconsignals.io>
> 
> diff --git a/drivers/rpmsg/qcom_glink_native.c b/drivers/rpmsg/qcom_glink_native.c
> index 82d460ff4777..2d6a592e1c72 100644
> --- a/drivers/rpmsg/qcom_glink_native.c
> +++ b/drivers/rpmsg/qcom_glink_native.c
> @@ -479,7 +479,7 @@ static int qcom_glink_send_open_req(struct qcom_glink *glink,
>  	req.msg.cmd = cpu_to_le16(GLINK_CMD_OPEN);
>  	req.msg.param1 = cpu_to_le16(channel->lcid);
>  	req.msg.param2 = cpu_to_le32(name_len);
> -	strcpy(req.name, channel->name);
> +	strscpy_pad(req.name, channel->name, sizeof(req.name));

I think this patch is incomplete. While it makes sure we don't overwrite
the stack. name_len is strlen(channel->name) + 1 and the amount of data
sent out is based on name_len.

As such, if you can get here with a @name of arbitrary length, then you
can control how much of the stack we're going to now leak to the
recipient.

Regards,
Bjorn

>  
>  	ret = qcom_glink_tx(glink, &req, req_len, NULL, 0, true);
>  	if (ret)
> -- 
> 2.25.1
> 
>

Patchew 2.1-devel-b67e4c2

© 2016 - 2025 Red Hat, Inc.