From: Lee Jones <lee.jones@linaro.org>
To: Geert Uytterhoeven <geert@linux-m68k.org>
Cc: Arnd Bergmann <arnd@arndb.de>,
Greg KH <gregkh@linuxfoundation.org>,
Linux Kernel Mailing List <linux-kernel@vger.kernel.org>,
"Eurotech S.p.A" <info@eurotech.it>,
Rodolfo Giometti <giometti@linux.it>,
Linux ARM <linux-arm-kernel@lists.infradead.org>
Subject: Re: [PATCH 01/10] misc: c2port: core: Ensure source size does not equal destination size in strncpy()
Date: Tue, 14 Jul 2020 09:01:12 +0100 [thread overview]
Message-ID: <20200714080112.GJ3500@dell> (raw)
In-Reply-To: <CAMuHMdVW_MzdDQk4f0RN-FsaedEr8WHREuTHxymWGpx3CmDX0Q@mail.gmail.com>
On Tue, 14 Jul 2020, Geert Uytterhoeven wrote:
> Hi Lee,
>
> On Tue, Jul 14, 2020 at 9:46 AM Lee Jones <lee.jones@linaro.org> wrote:
> > On Mon, 13 Jul 2020, Geert Uytterhoeven wrote:
> > > On Fri, Jun 26, 2020 at 3:06 PM Lee Jones <lee.jones@linaro.org> wrote:
> > > > We need to ensure there's a place for the NULL terminator.
> > >
> > > But who's filling that space with a NUL (not NULL) terminator?
> > >
> > > > Fixes the following W=1 warning(s):
> > > >
> > > > In file included from include/linux/bitmap.h:9,
> > > > from include/linux/nodemask.h:95,
> > > > from include/linux/mmzone.h:17,
> > > > from include/linux/gfp.h:6,
> > > > from include/linux/umh.h:4,
> > > > from include/linux/kmod.h:9,
> > > > from include/linux/module.h:16,
> > > > from drivers/misc/c2port/core.c:9:
> > > > In function ‘strncpy’,
> > > > inlined from ‘c2port_device_register’ at drivers/misc/c2port/core.c:926:2:
> > > > include/linux/string.h:297:30: warning: ‘__builtin_strncpy’ specified bound 32 equals destination size [-Wstringop-truncation]
> > > > 297 | #define __underlying_strncpy __builtin_strncpy
> > > > | ^
> > > > include/linux/string.h:307:9: note: in expansion of macro ‘__underlying_strncpy’
> > > > 307 | return __underlying_strncpy(p, q, size);
> > > > | ^~~~~~~~~~~~~~~~~~~~
> > > >
> > > > Cc: Rodolfo Giometti <giometti@linux.it>
> > > > Cc: "Eurotech S.p.A" <info@eurotech.it>
> > > > Signed-off-by: Lee Jones <lee.jones@linaro.org>
> > > > ---
> > > > drivers/misc/c2port/core.c | 2 +-
> > > > 1 file changed, 1 insertion(+), 1 deletion(-)
> > > >
> > > > diff --git a/drivers/misc/c2port/core.c b/drivers/misc/c2port/core.c
> > > > index 33bba18022892..80d87e8a0bea9 100644
> > > > --- a/drivers/misc/c2port/core.c
> > > > +++ b/drivers/misc/c2port/core.c
> > > > @@ -923,7 +923,7 @@ struct c2port_device *c2port_device_register(char *name,
> > > > }
> > > > dev_set_drvdata(c2dev->dev, c2dev);
> > >
> > > c2dev is allocated using:
> > >
> > > c2dev = kmalloc(sizeof(struct c2port_device), GFP_KERNEL);
> > >
> > > hence the allocated memory is not zeroed.
> > >
> > > >
> > > > - strncpy(c2dev->name, name, C2PORT_NAME_LEN);
> > > > + strncpy(c2dev->name, name, C2PORT_NAME_LEN - 1);
> > >
> > > strncpy()
> > > 1. does not terminate the destination with a NUL if the source length
> > > is C2PORT_NAME_LEN - 1,
> > > 2. fills all remaining space in the destination buffer with NUL characters.
> > >
> > > So c2dev.name[C2PORT_NAME_LEN - 1] always contains an uninitialized
> > > value.
> > >
> > > Now, it seems the only caller of c2port_device_register() passes
> > > "uc" as the name. Which means in practice c2dev.name[] will be
> > > NUL-terminated. However, the last byte will still be uninitialized, and
> > > if the buffer is ever copied to userspace, your patch will have introduced
> > > a leak.
> >
> > Quite right. Good spot. I must have made the assumption that the
> > destination buffer would be pre-initialised. Not sure why it's not in
> > this case. Seems like an odd practice.
> >
> > So we have a choice. We can either enlarge the destination buffer to
> > *actually* allow a full length (32 byte in this case) naming string,
> > or zero the buffer.
> >
> > Or even both!
> >
> > Do you have a preference?
>
> Do we know if the buffer or full c2dev struct is ever copied to userspace?
I don't know that, but I think we should err on the side of caution.
> If it may be copied => kalloc().
Do you mean kzalloc()?
> If it will never be copied => strlcpy() (no NUL-padding, only NUL-terminator).
>
> Oh, and there is a newer one on the block (which I always have to lookup),
> which is preferred over strlcpy() and strncpy(): strscpy().
> And reading lib/string.c, there's strscpy_pad(), too ;-)
Let's not get too crazy. ;)
--
Lee Jones [李琼斯]
Senior Technical Lead - Developer Services
Linaro.org │ Open source software for Arm SoCs
Follow Linaro: Facebook | Twitter | Blog
_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel
WARNING: multiple messages have this Message-ID (diff)
From: Lee Jones <lee.jones@linaro.org>
To: Geert Uytterhoeven <geert@linux-m68k.org>
Cc: Arnd Bergmann <arnd@arndb.de>,
Greg KH <gregkh@linuxfoundation.org>,
"Eurotech S.p.A" <info@eurotech.it>,
Rodolfo Giometti <giometti@linux.it>,
Linux Kernel Mailing List <linux-kernel@vger.kernel.org>,
Linux ARM <linux-arm-kernel@lists.infradead.org>
Subject: Re: [PATCH 01/10] misc: c2port: core: Ensure source size does not equal destination size in strncpy()
Date: Tue, 14 Jul 2020 09:01:12 +0100 [thread overview]
Message-ID: <20200714080112.GJ3500@dell> (raw)
In-Reply-To: <CAMuHMdVW_MzdDQk4f0RN-FsaedEr8WHREuTHxymWGpx3CmDX0Q@mail.gmail.com>
On Tue, 14 Jul 2020, Geert Uytterhoeven wrote:
> Hi Lee,
>
> On Tue, Jul 14, 2020 at 9:46 AM Lee Jones <lee.jones@linaro.org> wrote:
> > On Mon, 13 Jul 2020, Geert Uytterhoeven wrote:
> > > On Fri, Jun 26, 2020 at 3:06 PM Lee Jones <lee.jones@linaro.org> wrote:
> > > > We need to ensure there's a place for the NULL terminator.
> > >
> > > But who's filling that space with a NUL (not NULL) terminator?
> > >
> > > > Fixes the following W=1 warning(s):
> > > >
> > > > In file included from include/linux/bitmap.h:9,
> > > > from include/linux/nodemask.h:95,
> > > > from include/linux/mmzone.h:17,
> > > > from include/linux/gfp.h:6,
> > > > from include/linux/umh.h:4,
> > > > from include/linux/kmod.h:9,
> > > > from include/linux/module.h:16,
> > > > from drivers/misc/c2port/core.c:9:
> > > > In function ‘strncpy’,
> > > > inlined from ‘c2port_device_register’ at drivers/misc/c2port/core.c:926:2:
> > > > include/linux/string.h:297:30: warning: ‘__builtin_strncpy’ specified bound 32 equals destination size [-Wstringop-truncation]
> > > > 297 | #define __underlying_strncpy __builtin_strncpy
> > > > | ^
> > > > include/linux/string.h:307:9: note: in expansion of macro ‘__underlying_strncpy’
> > > > 307 | return __underlying_strncpy(p, q, size);
> > > > | ^~~~~~~~~~~~~~~~~~~~
> > > >
> > > > Cc: Rodolfo Giometti <giometti@linux.it>
> > > > Cc: "Eurotech S.p.A" <info@eurotech.it>
> > > > Signed-off-by: Lee Jones <lee.jones@linaro.org>
> > > > ---
> > > > drivers/misc/c2port/core.c | 2 +-
> > > > 1 file changed, 1 insertion(+), 1 deletion(-)
> > > >
> > > > diff --git a/drivers/misc/c2port/core.c b/drivers/misc/c2port/core.c
> > > > index 33bba18022892..80d87e8a0bea9 100644
> > > > --- a/drivers/misc/c2port/core.c
> > > > +++ b/drivers/misc/c2port/core.c
> > > > @@ -923,7 +923,7 @@ struct c2port_device *c2port_device_register(char *name,
> > > > }
> > > > dev_set_drvdata(c2dev->dev, c2dev);
> > >
> > > c2dev is allocated using:
> > >
> > > c2dev = kmalloc(sizeof(struct c2port_device), GFP_KERNEL);
> > >
> > > hence the allocated memory is not zeroed.
> > >
> > > >
> > > > - strncpy(c2dev->name, name, C2PORT_NAME_LEN);
> > > > + strncpy(c2dev->name, name, C2PORT_NAME_LEN - 1);
> > >
> > > strncpy()
> > > 1. does not terminate the destination with a NUL if the source length
> > > is C2PORT_NAME_LEN - 1,
> > > 2. fills all remaining space in the destination buffer with NUL characters.
> > >
> > > So c2dev.name[C2PORT_NAME_LEN - 1] always contains an uninitialized
> > > value.
> > >
> > > Now, it seems the only caller of c2port_device_register() passes
> > > "uc" as the name. Which means in practice c2dev.name[] will be
> > > NUL-terminated. However, the last byte will still be uninitialized, and
> > > if the buffer is ever copied to userspace, your patch will have introduced
> > > a leak.
> >
> > Quite right. Good spot. I must have made the assumption that the
> > destination buffer would be pre-initialised. Not sure why it's not in
> > this case. Seems like an odd practice.
> >
> > So we have a choice. We can either enlarge the destination buffer to
> > *actually* allow a full length (32 byte in this case) naming string,
> > or zero the buffer.
> >
> > Or even both!
> >
> > Do you have a preference?
>
> Do we know if the buffer or full c2dev struct is ever copied to userspace?
I don't know that, but I think we should err on the side of caution.
> If it may be copied => kalloc().
Do you mean kzalloc()?
> If it will never be copied => strlcpy() (no NUL-padding, only NUL-terminator).
>
> Oh, and there is a newer one on the block (which I always have to lookup),
> which is preferred over strlcpy() and strncpy(): strscpy().
> And reading lib/string.c, there's strscpy_pad(), too ;-)
Let's not get too crazy. ;)
--
Lee Jones [李琼斯]
Senior Technical Lead - Developer Services
Linaro.org │ Open source software for Arm SoCs
Follow Linaro: Facebook | Twitter | Blog
next prev parent reply other threads:[~2020-07-14 8:03 UTC|newest]
Thread overview: 72+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-06-26 13:05 [PATCH 00/10] Fix a bunch of W=1 warnings in Misc Lee Jones
2020-06-26 13:05 ` Lee Jones
2020-06-26 13:05 ` [PATCH 01/10] misc: c2port: core: Ensure source size does not equal destination size in strncpy() Lee Jones
2020-06-26 13:05 ` Lee Jones
2020-06-26 13:15 ` Rodolfo Giometti
2020-06-26 13:15 ` Rodolfo Giometti
2020-07-13 19:10 ` Geert Uytterhoeven
2020-07-13 19:10 ` Geert Uytterhoeven
2020-07-14 7:46 ` Lee Jones
2020-07-14 7:46 ` Lee Jones
2020-07-14 7:52 ` Geert Uytterhoeven
2020-07-14 7:52 ` Geert Uytterhoeven
2020-07-14 8:01 ` Lee Jones [this message]
2020-07-14 8:01 ` Lee Jones
2020-07-14 8:02 ` Geert Uytterhoeven
2020-07-14 8:02 ` Geert Uytterhoeven
2020-06-26 13:05 ` [PATCH 02/10] misc: ti-st: st_core: Tidy-up bespoke commentry Lee Jones
2020-06-26 13:05 ` Lee Jones
2020-06-26 14:05 ` Arnd Bergmann
2020-06-26 14:05 ` Arnd Bergmann
2020-06-26 13:05 ` [PATCH 03/10] misc: ti-st: st_kim: " Lee Jones
2020-06-26 13:05 ` Lee Jones
2020-06-26 14:06 ` Arnd Bergmann
2020-06-26 14:06 ` Arnd Bergmann
2020-06-26 13:05 ` [PATCH 04/10] misc: lkdtm: bugs: At least try to use popuated variable Lee Jones
2020-06-26 13:05 ` Lee Jones
2020-06-26 14:37 ` Arnd Bergmann
2020-06-26 14:37 ` Arnd Bergmann
2020-06-26 15:26 ` Kees Cook
2020-06-26 15:26 ` Kees Cook
2020-06-26 13:05 ` [PATCH 05/10] misc: lkdtm: Always provide prototype for lkdtm_DOUBLE_FAULT() Lee Jones
2020-06-26 13:05 ` Lee Jones
2020-06-26 14:37 ` Arnd Bergmann
2020-06-26 14:37 ` Arnd Bergmann
2020-06-26 15:23 ` Kees Cook
2020-06-26 15:23 ` Kees Cook
2020-06-26 13:05 ` [PATCH 06/10] misc: eeprom: eeprom_93cx6: Repair function arg descriptions Lee Jones
2020-06-26 13:05 ` Lee Jones
2020-06-26 14:38 ` Arnd Bergmann
2020-06-26 14:38 ` Arnd Bergmann
2020-06-27 20:33 ` Wolfram Sang
2020-06-27 20:33 ` Wolfram Sang
2020-06-29 8:14 ` Lee Jones
2020-06-29 8:14 ` Lee Jones
2020-06-29 8:20 ` Wolfram Sang
2020-06-29 8:20 ` Wolfram Sang
2020-06-29 8:46 ` Lee Jones
2020-06-29 8:46 ` Lee Jones
2020-06-26 13:05 ` [PATCH 07/10] misc: mic: vop: vop_main: Remove set but unused variable 'ret' Lee Jones
2020-06-26 13:05 ` Lee Jones
2020-06-26 14:39 ` Arnd Bergmann
2020-06-26 14:39 ` Arnd Bergmann
2020-06-26 15:29 ` Lee Jones
2020-06-26 15:29 ` Lee Jones
2020-06-26 18:38 ` Arnd Bergmann
2020-06-26 18:38 ` Arnd Bergmann
2020-06-26 13:05 ` [PATCH 08/10] misc: cb710: sgbuf2: Add missing documentation for cb710_sg_dwiter_write_next_block()'s 'data' arg Lee Jones
2020-06-26 13:05 ` Lee Jones
2020-06-26 14:39 ` Arnd Bergmann
2020-06-26 14:39 ` Arnd Bergmann
2020-06-26 16:46 ` Michał Mirosław
2020-06-26 16:46 ` Michał Mirosław
2020-06-26 13:05 ` [PATCH 09/10] misc: habanalabs: irq: Add missing struct identifier for 'struct hl_eqe_work' Lee Jones
2020-06-26 13:05 ` Lee Jones
2020-06-26 13:45 ` Oded Gabbay
2020-06-26 13:45 ` Oded Gabbay
2020-06-26 13:46 ` Oded Gabbay
2020-06-26 13:46 ` Oded Gabbay
2020-06-26 13:05 ` [PATCH 10/10] misc: pti: Fix documentation for bit-rotted function pti_tty_driver_write() Lee Jones
2020-06-26 13:05 ` Lee Jones
2020-06-26 14:40 ` Arnd Bergmann
2020-06-26 14:40 ` Arnd Bergmann
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200714080112.GJ3500@dell \
--to=lee.jones@linaro.org \
--cc=arnd@arndb.de \
--cc=geert@linux-m68k.org \
--cc=giometti@linux.it \
--cc=gregkh@linuxfoundation.org \
--cc=info@eurotech.it \
--cc=linux-arm-kernel@lists.infradead.org \
--cc=linux-kernel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.