From: Kees Cook <keescook@chromium.org>
To: Justin Stitt <justinstitt@google.com>
Cc: Sathya Prakash Veerichetty <sathya.prakash@broadcom.com>,
Kashyap Desai <kashyap.desai@broadcom.com>,
Sumit Saxena <sumit.saxena@broadcom.com>,
Sreekanth Reddy <sreekanth.reddy@broadcom.com>,
"James E.J. Bottomley" <jejb@linux.ibm.com>,
"Martin K. Petersen" <martin.petersen@oracle.com>,
Suganath Prabu Subramani <suganath-prabu.subramani@broadcom.com>,
Ariel Elior <aelior@marvell.com>,
Manish Chopra <manishc@marvell.com>,
"David S. Miller" <davem@davemloft.net>,
Eric Dumazet <edumazet@google.com>,
Jakub Kicinski <kuba@kernel.org>, Paolo Abeni <pabeni@redhat.com>,
Saurav Kashyap <skashyap@marvell.com>,
Javed Hasan <jhasan@marvell.com>,
GR-QLogic-Storage-Upstream@marvell.com,
Nilesh Javali <njavali@marvell.com>,
Manish Rangankar <mrangankar@marvell.com>,
Don Brace <don.brace@microchip.com>,
mpi3mr-linuxdrv.pdl@broadcom.com, linux-scsi@vger.kernel.org,
linux-hardening@vger.kernel.org, linux-kernel@vger.kernel.org,
MPT-FusionLinux.pdl@broadcom.com, netdev@vger.kernel.org,
storagedev@microchip.com
Subject: Re: [PATCH v2 4/7] scsi: qla4xxx: replace deprecated strncpy with strscpy
Date: Wed, 28 Feb 2024 16:15:35 -0800 [thread overview]
Message-ID: <202402281606.199AC93A4B@keescook> (raw)
In-Reply-To: <20240228-strncpy-drivers-scsi-mpi3mr-mpi3mr_fw-c-v2-4-dacebd3fcfa0@google.com>
On Wed, Feb 28, 2024 at 10:59:04PM +0000, Justin Stitt wrote:
> Replace 3 instances of strncpy in ql4_mbx.c
>
> No bugs exist in the current implementation as some care was taken to
> ensure the write length was decreased by one to leave some space for a
> NUL-byte. However, instead of using strncpy(dest, src, LEN-1) we can opt
> for strscpy(dest, src, sizeof(dest)) which will result in
> NUL-termination as well. It should be noted that the entire chap_table
> is zero-allocated so the NUL-padding provided by strncpy is not needed.
>
> While here, I noticed that MIN_CHAP_SECRET_LEN was not used anywhere.
> Since strscpy gives us the number of bytes copied into the destination
> buffer (or an -E2BIG) we can check both for an error during copying and
> also for a non-length compliant secret. Add a new jump label so we can
> properly clean up our chap_table should we have to abort due to bad
> secret.
>
> The third instance in this file involves some more peculiar handling of
> strings:
> | uint32_t mbox_cmd[MBOX_REG_COUNT];
> | ...
> | memset(&mbox_cmd, 0, sizeof(mbox_cmd));
> | ...
> | mbox_cmd[0] = MBOX_CMD_SET_PARAM;
> | if (param == SET_DRVR_VERSION) {
> | mbox_cmd[1] = SET_DRVR_VERSION;
> | strncpy((char *)&mbox_cmd[2], QLA4XXX_DRIVER_VERSION,
> | MAX_DRVR_VER_LEN - 1);
>
> mbox_cmd has a size of 8:
> | #define MBOX_REG_COUNT 8
> ... and its type width is 4 bytes. Hence, we have 32 bytes to work with
> here. The first 4 bytes are used as a flag for the MBOX_CMD_SET_PARAM.
> The next 4 bytes are used for SET_DRVR_VERSION. We now have 32-8=24
> bytes remaining -- which thankfully is what MAX_DRVR_VER_LEN is equal to
> | #define MAX_DRVR_VER_LEN 24
>
> ... and the thing we're copying into this pseudo-string buffer is
> | #define QLA4XXX_DRIVER_VERSION "5.04.00-k6"
>
> ... which is great because its less than 24 bytes (therefore we aren't
> truncating the source).
>
> All to say, there's no bug in the existing implementation (yay!) but we
> can clean the code up a bit by using strscpy().
>
> In ql4_os.c, there aren't any strncpy() uses to replace but there are
> some existing strscpy() calls that could be made more idiomatic. Where
> possible, use strscpy(dest, src, sizeof(dest)). Note that
> chap_rec->password has a size of ISCSI_CHAP_AUTH_SECRET_MAX_LEN
> | #define ISCSI_CHAP_AUTH_SECRET_MAX_LEN 256
> ... while the current strscpy usage uses QL4_CHAP_MAX_SECRET_LEN
> | #define QL4_CHAP_MAX_SECRET_LEN 100
> ... however since chap_table->secret was set and bounded properly in its
> string assignment its probably safe here to switch over to sizeof().
>
> | struct iscsi_chap_rec {
> ...
> | char username[ISCSI_CHAP_AUTH_NAME_MAX_LEN];
> | uint8_t password[ISCSI_CHAP_AUTH_SECRET_MAX_LEN];
> ...
> | };
>
> | strscpy(chap_rec->password, chap_table->secret,
> | QL4_CHAP_MAX_SECRET_LEN);
>
> Signed-off-by: Justin Stitt <justinstitt@google.com>
> ---
> drivers/scsi/qla4xxx/ql4_mbx.c | 17 ++++++++++++-----
> drivers/scsi/qla4xxx/ql4_os.c | 14 +++++++-------
> 2 files changed, 19 insertions(+), 12 deletions(-)
>
> diff --git a/drivers/scsi/qla4xxx/ql4_mbx.c b/drivers/scsi/qla4xxx/ql4_mbx.c
> index 249f1d7021d4..75125d2021f5 100644
> --- a/drivers/scsi/qla4xxx/ql4_mbx.c
> +++ b/drivers/scsi/qla4xxx/ql4_mbx.c
> @@ -1641,6 +1641,7 @@ int qla4xxx_set_chap(struct scsi_qla_host *ha, char *username, char *password,
> struct ql4_chap_table *chap_table;
> uint32_t chap_size = 0;
> dma_addr_t chap_dma;
> + ssize_t secret_len;
>
> chap_table = dma_pool_zalloc(ha->chap_dma_pool, GFP_KERNEL, &chap_dma);
> if (chap_table == NULL) {
> @@ -1652,9 +1653,13 @@ int qla4xxx_set_chap(struct scsi_qla_host *ha, char *username, char *password,
> chap_table->flags |= BIT_6; /* peer */
> else
> chap_table->flags |= BIT_7; /* local */
> - chap_table->secret_len = strlen(password);
> - strncpy(chap_table->secret, password, MAX_CHAP_SECRET_LEN - 1);
> - strncpy(chap_table->name, username, MAX_CHAP_NAME_LEN - 1);
> +
> + secret_len = strscpy(chap_table->secret, password,
> + sizeof(chap_table->secret));
> + if (secret_len < MIN_CHAP_SECRET_LEN)
> + goto cleanup_chap_table;
> + chap_table->secret_len = (uint8_t)secret_len;
> + strscpy(chap_table->name, username, sizeof(chap_table->name));
> chap_table->cookie = cpu_to_le16(CHAP_VALID_COOKIE);
>
> if (is_qla40XX(ha)) {
> @@ -1679,6 +1684,8 @@ int qla4xxx_set_chap(struct scsi_qla_host *ha, char *username, char *password,
> memcpy((struct ql4_chap_table *)ha->chap_list + idx,
> chap_table, sizeof(struct ql4_chap_table));
> }
> +
> +cleanup_chap_table:
> dma_pool_free(ha->chap_dma_pool, chap_table, chap_dma);
> if (rval != QLA_SUCCESS)
> ret = -EINVAL;
> @@ -2281,8 +2288,8 @@ int qla4_8xxx_set_param(struct scsi_qla_host *ha, int param)
> mbox_cmd[0] = MBOX_CMD_SET_PARAM;
> if (param == SET_DRVR_VERSION) {
> mbox_cmd[1] = SET_DRVR_VERSION;
> - strncpy((char *)&mbox_cmd[2], QLA4XXX_DRIVER_VERSION,
> - MAX_DRVR_VER_LEN - 1);
> + strscpy((char *)&mbox_cmd[2], QLA4XXX_DRIVER_VERSION,
> + MAX_DRVR_VER_LEN);
> } else {
> ql4_printk(KERN_ERR, ha, "%s: invalid parameter 0x%x\n",
> __func__, param);
> diff --git a/drivers/scsi/qla4xxx/ql4_os.c b/drivers/scsi/qla4xxx/ql4_os.c
> index 675332e49a7b..17cccd14765f 100644
> --- a/drivers/scsi/qla4xxx/ql4_os.c
> +++ b/drivers/scsi/qla4xxx/ql4_os.c
> @@ -799,10 +799,10 @@ static int qla4xxx_get_chap_list(struct Scsi_Host *shost, uint16_t chap_tbl_idx,
>
> chap_rec->chap_tbl_idx = i;
> strscpy(chap_rec->username, chap_table->name,
> - ISCSI_CHAP_AUTH_NAME_MAX_LEN);
> - strscpy(chap_rec->password, chap_table->secret,
> - QL4_CHAP_MAX_SECRET_LEN);
> - chap_rec->password_length = chap_table->secret_len;
> + sizeof(chap_rec->username));
> + chap_rec->password_length = strscpy(chap_rec->password,
> + chap_table->secret,
> + sizeof(chap_rec->password));
This hunk took me a bit to convince myself it's safe, but yes, I agree.
It all boils down to sizeof(chap_table->secret) being less than
sizeof(chap_rec->password), so there's no behavioral change here.
Reviewed-by: Kees Cook <keescook@chromium.org>
--
Kees Cook
next prev parent reply other threads:[~2024-02-29 0:15 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-02-28 22:59 [PATCH v2 0/7] scsi: replace deprecated strncpy Justin Stitt
2024-02-28 22:59 ` [PATCH v2 1/7] scsi: mpi3mr: replace deprecated strncpy with assignments Justin Stitt
2024-02-29 0:02 ` Kees Cook
2024-02-28 22:59 ` [PATCH v2 2/7] scsi: mpt3sas: replace deprecated strncpy with strscpy Justin Stitt
2024-02-29 0:03 ` Kees Cook
2024-02-28 22:59 ` [PATCH v2 3/7] scsi: qedf: " Justin Stitt
2024-02-29 0:04 ` Kees Cook
2024-02-28 22:59 ` [PATCH v2 4/7] scsi: qla4xxx: " Justin Stitt
2024-02-29 0:15 ` Kees Cook [this message]
2024-02-28 22:59 ` [PATCH v2 5/7] scsi: devinfo: replace strncpy and manual pad Justin Stitt
2024-02-28 22:59 ` [PATCH v2 6/7] scsi: smartpqi: replace deprecated strncpy with strscpy Justin Stitt
2024-02-28 22:59 ` [PATCH v2 7/7] scsi: wd33c93: " Justin Stitt
2024-02-29 0:18 ` [PATCH v2 0/7] scsi: replace deprecated strncpy Kees Cook
2024-03-05 23:35 ` Justin Stitt
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=202402281606.199AC93A4B@keescook \
--to=keescook@chromium.org \
--cc=GR-QLogic-Storage-Upstream@marvell.com \
--cc=MPT-FusionLinux.pdl@broadcom.com \
--cc=aelior@marvell.com \
--cc=davem@davemloft.net \
--cc=don.brace@microchip.com \
--cc=edumazet@google.com \
--cc=jejb@linux.ibm.com \
--cc=jhasan@marvell.com \
--cc=justinstitt@google.com \
--cc=kashyap.desai@broadcom.com \
--cc=kuba@kernel.org \
--cc=linux-hardening@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-scsi@vger.kernel.org \
--cc=manishc@marvell.com \
--cc=martin.petersen@oracle.com \
--cc=mpi3mr-linuxdrv.pdl@broadcom.com \
--cc=mrangankar@marvell.com \
--cc=netdev@vger.kernel.org \
--cc=njavali@marvell.com \
--cc=pabeni@redhat.com \
--cc=sathya.prakash@broadcom.com \
--cc=skashyap@marvell.com \
--cc=sreekanth.reddy@broadcom.com \
--cc=storagedev@microchip.com \
--cc=suganath-prabu.subramani@broadcom.com \
--cc=sumit.saxena@broadcom.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.