From: Kees Cook <kees@kernel.org>
To: Fuad Tabba <tabba@google.com>
Cc: Andy Shevchenko <andy@kernel.org>,
Andrew Morton <akpm@linux-foundation.org>,
linux-hardening@vger.kernel.org, linux-kernel@vger.kernel.org,
will@kernel.org
Subject: Re: [PATCH] lib/string: Fix UBSAN misaligned access in sized_strscpy
Date: Tue, 24 Feb 2026 13:07:48 -0800
Message-ID: <202602241302.75B565883@keescook>
In-Reply-To: <20260224170427.2296592-1-tabba@google.com>

On Tue, Feb 24, 2026 at 05:04:27PM +0000, Fuad Tabba wrote:
> sized_strscpy() performs word-at-a-time writes to the destination
> buffer. If the destination buffer is not aligned to unsigned long,
> direct assignment causes UBSAN misaligned-access errors.

Is this via CONFIG_UBSAN_ALIGNMENT=y ? Note this in the Kconfig:

	Enabling this option on architectures that support unaligned
	accesses may produce a lot of false positives.

which architecture are you checking this on?

> Use put_unaligned() to safely write the words to the destination.

Also, I thought the word-at-a-time work in sized_strscpy() was
specifically to take advantage of aligned word writes? This doesn't seem
like the right solution, and I think we're already disabling the
unaligned access by using "max=0" in the earlier checks.

I think the bug may be that you got CONFIG_UBSAN_ALIGNMENT enabled for
an arch that doesn't suffer from unaligned access problems. :) We should
fix the Kconfig!

-Kees

>
> Fixes: 30035e45753b7 ("string: provide strscpy()")
> Signed-off-by: Fuad Tabba <tabba@google.com>
> ---
> lib/string.c | 6 +++---
> 1 file changed, 3 insertions(+), 3 deletions(-)
>
> diff --git a/lib/string.c b/lib/string.c
> index b632c71df1a5..a1697bf72078 100644
> --- a/lib/string.c
> +++ b/lib/string.c
> @@ -157,16 +157,16 @@ ssize_t sized_strscpy(char *dest, const char *src, size_t count)
> if (has_zero(c, &data, &constants)) {
> data = prep_zero_mask(c, data, &constants);
> data = create_zero_mask(data);
> - *(unsigned long *)(dest+res) = c & zero_bytemask(data);
> + put_unaligned(c & zero_bytemask(data), (unsigned long *)(dest+res));
> return res + find_zero(data);
> }
> count -= sizeof(unsigned long);
> if (unlikely(!count)) {
> c &= ALLBUTLAST_BYTE_MASK;
> - *(unsigned long *)(dest+res) = c;
> + put_unaligned(c, (unsigned long *)(dest+res));
> return -E2BIG;
> }
> - *(unsigned long *)(dest+res) = c;
> + put_unaligned(c, (unsigned long *)(dest+res));
> res += sizeof(unsigned long);
> max -= sizeof(unsigned long);
> }
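
Review bot: All three stores to dest+res (in the has_zero() branch, in the unlikely(!count) branch, and at the end of the loop body) are switched to put_unaligned(), but the changelog does not say which architecture or which config option produced the UBSAN report, and that decides whether these stores are the thing to change. Please name the architecture and config in the commit message and explain how this word-at-a-time path is reached with a misaligned dest there. The diffstat is 3 insertions and 3 deletions, so no #include is added; confirm lib/string.c already pulls in the header that declares put_unaligned().
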
> --
> 2.53.0.371.g1d285c8824-goog
>
>
--
Kees Cook
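
A userspace sketch of the two approaches discussed in this thread, added here as an example and not code from the patch or from lib/string.c: word-at-a-time copying that either skips the word loop for misaligned pointers or keeps it and uses alignment-safe accesses. The names demo_strscpy, word_aligned, word_has_zero, the aligned_only flag and the src_size parameter are hypothetical, and memcpy() stands in for the kernel's put_unaligned().

```c
#include <errno.h>
#include <stdint.h>
#include <string.h>
#include <sys/types.h>

#define WORD  sizeof(unsigned long)
#define ONES  ((unsigned long)-1 / 0xFF)   /* 0x0101...01 */
#define HIGHS (ONES * 0x80)                /* 0x8080...80 */

/* The property an alignment sanitizer checks before a word-sized access. */
static int word_aligned(const void *p) { return (uintptr_t)p % _Alignof(unsigned long) == 0; }

/* Nonzero if any byte of v is 0x00 (works for either endianness). */
static int word_has_zero(unsigned long v) { return ((v - ONES) & ~v & HIGHS) != 0; }

/* Constructed sample data: demo_buf is word-aligned, so demo_buf + 1 is not. */
static _Alignas(unsigned long) char demo_buf[40];
static const char demo_src[] = "hardening the kernel";
static size_t demo_words;

/*
 * Hypothetical userspace sketch, not lib/string.c. src must be NUL-terminated
 * within src_size bytes; src_size keeps word loads inside the source buffer.
 * aligned_only=1 skips the word loop when either pointer is misaligned;
 * aligned_only=0 keeps it, using memcpy() for alignment-safe word access.
 * Returns the copied length, or -E2BIG if the string was truncated.
 */
static ssize_t demo_strscpy(char *dest, const char *src, size_t src_size,
			    size_t count, int aligned_only, size_t *nwords)
{
	size_t res = 0;
	int words = !aligned_only || (word_aligned(dest) && word_aligned(src));
	*nwords = 0;                           /* whole words stored so far */
	if (count == 0)
		return -E2BIG;
	while (words && count - res > WORD && src_size - res >= WORD) {
		unsigned long c;
		memcpy(&c, src + res, WORD);   /* load, no alignment assumption */
		if (word_has_zero(c))
			break;                 /* NUL in this word: finish bytewise */
		memcpy(dest + res, &c, WORD);  /* store, no alignment assumption */
		res += WORD;
		(*nwords)++;
	}
	for (; res < count - 1; res++)
		if (!(dest[res] = src[res]))
			return (ssize_t)res;
	dest[res] = '\0';
	return src[res] ? -E2BIG : (ssize_t)res;
}
```

Both settings of aligned_only produce the same destination contents and return value; they differ only in whether word-sized stores are issued to the misaligned buffer.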