Re: [PATCH] rpmsg: virtio: replace deprecated strncpy with strscpy/_pad

[Mathieu Poirier <mathieu.poirier@linaro.org>]

Hi Justin,

On Sat, Oct 21, 2023 at 12:09:16AM +0000, Justin Stitt wrote:
> strncpy() is deprecated for use on NUL-terminated destination strings
> [1] and as such we should prefer more robust and less ambiguous string
> interfaces.
> 
> This patch replaces 3 callsites of strncpy().
> 
> The first two populate the destination buffer `nsm.name` -- which we
> expect to be NUL-terminated based on their use with format strings.
> 
> Firstly, as I understand it, virtio_rpmsg_announce_create() creates an
> rpmsg_ns_msg and sends via:
> 
> virtio_rpmsg_bus.c:
> 336: err = rpmsg_sendto(rpdev->ept, &nsm, sizeof(nsm), RPMSG_NS_ADDR);
> 
> ... which uses:
> virtio_rpmsg_sendto() -> rpmsg_send_offchannel_raw()
> 
> ... which copies its data into an rpmsg_hdr `msg` in virtio_rpmsg_bus.c
> 618: memcpy(msg->data, data, len);
> 
> ... and we end up receiving here via a callback:
>

Function rpmsg_ns_cb() is called when a message is received from the remote
processor and not on the downward path from rpmsg_send_offchannel_raw().  I am
good with the code modification but the changelog needs to be amended.

> rpmsg_ns.c:
> 30: /* invoked when a name service announcement arrives */
> 31: static int rpmsg_ns_cb(struct rpmsg_device *rpdev, void *data, int len,
> 32: 		       void *priv, u32 src)
> 33: {
> 34:         struct rpmsg_ns_msg *msg = data;
> ...
> 50:         /* don't trust the remote processor for null terminating the name */
> 51:         msg->name[RPMSG_NAME_SIZE - 1] = '\0';
> 
> ... which finally leads into the use of `name` within a format string:
> rpmsg_ns.c:
> 57: dev_info(dev, "%sing channel %s addr 0x%x\n",
> 58:          rpmsg32_to_cpu(rpdev, msg->flags) & RPMSG_NS_DESTROY ?
> 59:          "destroy" : "creat", msg->name, chinfo.dst);
> 
> Taking another look at this comment + NUL-byte assignment:
> 50: /* don't trust the remote processor for null terminating the name */
> 51: msg->name[RPMSG_NAME_SIZE - 1] = '\0';
> 
> ...  we probably _can_ trust that this string is NUL-terminated with the
> introduction of strscpy(). However, since there might be some magic
> happening between the announcement create and the callback that I don't
> understand, I've opted to leave this comment and assignment alone as it
> doesn't hurt.
> 
> We can also observe that `nsm` is not zero-initialized and as such we
> should maintain the NUL-padding behavior that strncpy() provides:
> 
> virtio_rpmsg_bus.c:
> 330: struct rpmsg_ns_msg nsm;
> 
> Considering the above, a suitable replacement is `strscpy_pad` due to
> the fact that it guarantees both NUL-termination and NUL-padding on the
> destination buffer.
> 
> Now, for the third and final destination buffer rpdev->id.name we can
> just go for strscpy() (not _pad()) as rpdev points to &vch->rpdev:
> |       rpdev = &vch->rpdev;
> 
> ... and vch is zero-allocated:
> |       vch = kzalloc(sizeof(*vch), GFP_KERNEL);
> 
> ... this renders any additional NUL-byte assignments (like the ones
> strncpy() or strscpy_pad() does) redundant.

I agree with the above rational.

Thanks,
Mathieu

> 
> Link: https://www.kernel.org/doc/html/latest/process/deprecated.html#strncpy-on-nul-terminated-strings [1]
> Link: https://github.com/KSPP/linux/issues/90
> Cc: linux-hardening@vger.kernel.org
> Signed-off-by: Justin Stitt <justinstitt@google.com>
> ---
> Note: build-tested only.
> 
> Found with: $ rg "strncpy\("
> ---
>  drivers/rpmsg/virtio_rpmsg_bus.c | 6 +++---
>  1 file changed, 3 insertions(+), 3 deletions(-)
> 
> diff --git a/drivers/rpmsg/virtio_rpmsg_bus.c b/drivers/rpmsg/virtio_rpmsg_bus.c
> index 905ac7910c98..dc87965f8164 100644
> --- a/drivers/rpmsg/virtio_rpmsg_bus.c
> +++ b/drivers/rpmsg/virtio_rpmsg_bus.c
> @@ -329,7 +329,7 @@ static int virtio_rpmsg_announce_create(struct rpmsg_device *rpdev)
>  	    virtio_has_feature(vrp->vdev, VIRTIO_RPMSG_F_NS)) {
>  		struct rpmsg_ns_msg nsm;
>  
> -		strncpy(nsm.name, rpdev->id.name, RPMSG_NAME_SIZE);
> +		strscpy_pad(nsm.name, rpdev->id.name, sizeof(nsm.name));
>  		nsm.addr = cpu_to_rpmsg32(rpdev, rpdev->ept->addr);
>  		nsm.flags = cpu_to_rpmsg32(rpdev, RPMSG_NS_CREATE);
>  
> @@ -353,7 +353,7 @@ static int virtio_rpmsg_announce_destroy(struct rpmsg_device *rpdev)
>  	    virtio_has_feature(vrp->vdev, VIRTIO_RPMSG_F_NS)) {
>  		struct rpmsg_ns_msg nsm;
>  
> -		strncpy(nsm.name, rpdev->id.name, RPMSG_NAME_SIZE);
> +		strscpy_pad(nsm.name, rpdev->id.name, sizeof(nsm.name));
>  		nsm.addr = cpu_to_rpmsg32(rpdev, rpdev->ept->addr);
>  		nsm.flags = cpu_to_rpmsg32(rpdev, RPMSG_NS_DESTROY);
>  
> @@ -424,7 +424,7 @@ static struct rpmsg_device *__rpmsg_create_channel(struct virtproc_info *vrp,
>  	 */
>  	rpdev->announce = rpdev->src != RPMSG_ADDR_ANY;
>  
> -	strncpy(rpdev->id.name, chinfo->name, RPMSG_NAME_SIZE);
> +	strscpy(rpdev->id.name, chinfo->name, sizeof(rpdev->id.name));
>  
>  	rpdev->dev.parent = &vrp->vdev->dev;
>  	rpdev->dev.release = virtio_rpmsg_release_device;
> 
> ---
> base-commit: 9c5d00cb7b6bbc5a7965d9ab7d223b5402d1f02c
> change-id: 20231020-strncpy-drivers-rpmsg-virtio_rpmsg_bus-c-dba15db4e890
> 
> Best regards,
> --
> Justin Stitt <justinstitt@google.com>
>