[PATCH next] drivers/video/fbdev/s3fb: Use strscpy() to copy strings into arrays

All of lore.kernel.org
 help / color / mirror / Atom feed

* [PATCH next] drivers/video/fbdev/s3fb: Use strscpy() to copy strings into arrays
@ 2026-06-08  9:54 david.laight.linux
  2026-06-08 10:05 ` sashiko-bot
  0 siblings, 1 reply; 2+ messages in thread
From: david.laight.linux @ 2026-06-08  9:54 UTC (permalink / raw)
  To: Kees Cook, linux-hardening, dri-devel, linux-fbdev, linux-kernel
  Cc: Arnd Bergmann, Helge Deller, David Laight

From: David Laight <david.laight.linux@gmail.com>

Replacing strcpy() with strscpy() ensures that overflow of the target
buffer cannot happen.

Signed-off-by: David Laight <david.laight.linux@gmail.com>
---
This is one of a group of patches that remove potentially unbounded
strcpy() calls.

They are mostly replaced by strscpy() or, when strlen() has just been
called, with memcpy() (usually including the '\0').

Calls with copy string literals into arrays are left unchanged.
They are safe and easily detected as such.

The changes were made by getting the compiler to detect the calls and
then fixing the code by hand.

Note that all the changes are only compile tested.

Some Makefiles were changed to allow files to contain strcpy().
As well as 'difficult to fix' files, this included 'show' functions
as they really need to use sysfs_emit() or seq_printf().

All the patches are being sent individually to avoid very long cc lists.
Apologies for the terse commit messages and likely unexpected tags.
(There are about 100 patches in total.)

 drivers/video/fbdev/s3fb.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/video/fbdev/s3fb.c b/drivers/video/fbdev/s3fb.c
index ba30e5568cab..b679ccdb38e2 100644
--- a/drivers/video/fbdev/s3fb.c
+++ b/drivers/video/fbdev/s3fb.c
@@ -1333,7 +1333,7 @@ static int s3_pci_probe(struct pci_dev *dev, const struct pci_device_id *id)
 	vga_wcrt(par->state.vgabase, 0x38, cr38);
 	vga_wcrt(par->state.vgabase, 0x39, cr39);

-	strcpy(info->fix.id, s3_names [par->chip]);
+	strscpy(info->fix.id, s3_names[par->chip]);
 	info->fix.mmio_start = 0;
 	info->fix.mmio_len = 0;
 	info->fix.type = FB_TYPE_PACKED_PIXELS;
-- 
2.39.5

^ permalink raw reply related	[flat|nested] 2+ messages in thread

* Re: [PATCH next] drivers/video/fbdev/s3fb: Use strscpy() to copy strings into arrays
  2026-06-08  9:54 [PATCH next] drivers/video/fbdev/s3fb: Use strscpy() to copy strings into arrays david.laight.linux
@ 2026-06-08 10:05 ` sashiko-bot
  0 siblings, 0 replies; 2+ messages in thread
From: sashiko-bot @ 2026-06-08 10:05 UTC (permalink / raw)
  To: david.laight.linux; +Cc: dri-devel

Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:

Pre-existing issues:
- [High] Out-of-bounds array read in `s3_names` due to unvalidated PCI `driver_data` provided via sysfs `new_id`.
--

commit b390c20a52cf582227c3e8af3febb7b07f89b2a7
Author: David Laight <david.laight.linux@gmail.com>

drivers/video/fbdev/s3fb: Use strscpy() to copy strings into arrays

This commit replaces strcpy() with strscpy() in s3_pci_probe() to ensure
that target buffer overflows cannot occur.

> diff --git a/drivers/video/fbdev/s3fb.c b/drivers/video/fbdev/s3fb.c
> index ba30e5568cabc..b679ccdb38e2c 100644
> --- a/drivers/video/fbdev/s3fb.c
> +++ b/drivers/video/fbdev/s3fb.c
[ ... ]
> @@ -1333,7 +1333,7 @@ static int s3_pci_probe(struct pci_dev *dev, const struct pci_device_id *id)
>  	vga_wcrt(par->state.vgabase, 0x38, cr38);
>  	vga_wcrt(par->state.vgabase, 0x39, cr39);
>  
> -	strcpy(info->fix.id, s3_names [par->chip]);
> +	strscpy(info->fix.id, s3_names[par->chip]);

[Severity: High]
This is a pre-existing issue, but does this array access risk an
out-of-bounds read if a privileged user provides a dynamic PCI ID?

In s3_pci_probe() in drivers/video/fbdev/s3fb.c, par->chip is derived
from the PCI driver_data:

s3_pci_probe() {
        ...
        par->chip = id->driver_data & CHIP_MASK;
        par->rev = vga_rcrt(par->state.vgabase, 0x2f);
        if (par->chip & CHIP_UNDECIDED_FLAG)
                par->chip = s3_identification(par);
        ...
}

If a user binds the driver via the sysfs new_id interface and supplies
a driver_data value between 21 and 127, it safely bypasses the
CHIP_UNDECIDED_FLAG (0x80) check. This leaves par->chip unvalidated.

Since the s3_names array contains exactly 21 elements, using this
unvalidated par->chip as an index could result in reading past the
end of the array. Passing the resulting invalid pointer to strscpy()
could then trigger an invalid memory dereference.

Should we add a bounds check for par->chip before accessing s3_names[]?

>  	info->fix.mmio_start = 0;
>  	info->fix.mmio_len = 0;
>  	info->fix.type = FB_TYPE_PACKED_PIXELS;

-- 
Sashiko AI review · https://sashiko.dev/#/patchset/20260608095523.2606-11-david.laight.linux@gmail.com?part=1

^ permalink raw reply	[flat|nested] 2+ messages in thread

end of thread, other threads:[~2026-06-08 10:05 UTC | newest]

Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-06-08  9:54 [PATCH next] drivers/video/fbdev/s3fb: Use strscpy() to copy strings into arrays david.laight.linux
2026-06-08 10:05 ` sashiko-bot

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.