Skip to content

Commit f43f399

Browse files
ebiggersherbertx
authored andcommitted
crypto: user - fix leaking uninitialized memory to userspace
All bytes of the NETLINK_CRYPTO report structures must be initialized, since they are copied to userspace. The change from strncpy() to strlcpy() broke this. As a minimal fix, change it back. Fixes: 4473710 ("crypto: user - Prepare for CRYPTO_MAX_ALG_NAME expansion") Cc: <stable@vger.kernel.org> # v4.12+ Signed-off-by: Eric Biggers <ebiggers@google.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
1 parent 508a1c4 commit f43f399

File tree

1 file changed

+9
-9
lines changed

1 file changed

+9
-9
lines changed

Diff for: crypto/crypto_user_base.c

+9-9
Original file line numberDiff line numberDiff line change
@@ -84,7 +84,7 @@ static int crypto_report_cipher(struct sk_buff *skb, struct crypto_alg *alg)
8484
{
8585
struct crypto_report_cipher rcipher;
8686

87-
strlcpy(rcipher.type, "cipher", sizeof(rcipher.type));
87+
strncpy(rcipher.type, "cipher", sizeof(rcipher.type));
8888

8989
rcipher.blocksize = alg->cra_blocksize;
9090
rcipher.min_keysize = alg->cra_cipher.cia_min_keysize;
@@ -103,7 +103,7 @@ static int crypto_report_comp(struct sk_buff *skb, struct crypto_alg *alg)
103103
{
104104
struct crypto_report_comp rcomp;
105105

106-
strlcpy(rcomp.type, "compression", sizeof(rcomp.type));
106+
strncpy(rcomp.type, "compression", sizeof(rcomp.type));
107107
if (nla_put(skb, CRYPTOCFGA_REPORT_COMPRESS,
108108
sizeof(struct crypto_report_comp), &rcomp))
109109
goto nla_put_failure;
@@ -117,7 +117,7 @@ static int crypto_report_acomp(struct sk_buff *skb, struct crypto_alg *alg)
117117
{
118118
struct crypto_report_acomp racomp;
119119

120-
strlcpy(racomp.type, "acomp", sizeof(racomp.type));
120+
strncpy(racomp.type, "acomp", sizeof(racomp.type));
121121

122122
if (nla_put(skb, CRYPTOCFGA_REPORT_ACOMP,
123123
sizeof(struct crypto_report_acomp), &racomp))
@@ -132,7 +132,7 @@ static int crypto_report_akcipher(struct sk_buff *skb, struct crypto_alg *alg)
132132
{
133133
struct crypto_report_akcipher rakcipher;
134134

135-
strlcpy(rakcipher.type, "akcipher", sizeof(rakcipher.type));
135+
strncpy(rakcipher.type, "akcipher", sizeof(rakcipher.type));
136136

137137
if (nla_put(skb, CRYPTOCFGA_REPORT_AKCIPHER,
138138
sizeof(struct crypto_report_akcipher), &rakcipher))
@@ -147,7 +147,7 @@ static int crypto_report_kpp(struct sk_buff *skb, struct crypto_alg *alg)
147147
{
148148
struct crypto_report_kpp rkpp;
149149

150-
strlcpy(rkpp.type, "kpp", sizeof(rkpp.type));
150+
strncpy(rkpp.type, "kpp", sizeof(rkpp.type));
151151

152152
if (nla_put(skb, CRYPTOCFGA_REPORT_KPP,
153153
sizeof(struct crypto_report_kpp), &rkpp))
@@ -161,10 +161,10 @@ static int crypto_report_kpp(struct sk_buff *skb, struct crypto_alg *alg)
161161
static int crypto_report_one(struct crypto_alg *alg,
162162
struct crypto_user_alg *ualg, struct sk_buff *skb)
163163
{
164-
strlcpy(ualg->cru_name, alg->cra_name, sizeof(ualg->cru_name));
165-
strlcpy(ualg->cru_driver_name, alg->cra_driver_name,
164+
strncpy(ualg->cru_name, alg->cra_name, sizeof(ualg->cru_name));
165+
strncpy(ualg->cru_driver_name, alg->cra_driver_name,
166166
sizeof(ualg->cru_driver_name));
167-
strlcpy(ualg->cru_module_name, module_name(alg->cra_module),
167+
strncpy(ualg->cru_module_name, module_name(alg->cra_module),
168168
sizeof(ualg->cru_module_name));
169169

170170
ualg->cru_type = 0;
@@ -177,7 +177,7 @@ static int crypto_report_one(struct crypto_alg *alg,
177177
if (alg->cra_flags & CRYPTO_ALG_LARVAL) {
178178
struct crypto_report_larval rl;
179179

180-
strlcpy(rl.type, "larval", sizeof(rl.type));
180+
strncpy(rl.type, "larval", sizeof(rl.type));
181181
if (nla_put(skb, CRYPTOCFGA_REPORT_LARVAL,
182182
sizeof(struct crypto_report_larval), &rl))
183183
goto nla_put_failure;

0 commit comments

Comments
 (0)