Re: [PATCH] arm64/sysreg: refactor deprecated strncpy

From: Kees Cook <keescook@chromium.org>
To: Justin Stitt <justinstitt@google.com>
Cc: Catalin Marinas <catalin.marinas@arm.com>,
	Will Deacon <will@kernel.org>,
	linux-arm-kernel@lists.infradead.org,
	linux-kernel@vger.kernel.org, linux-hardening@vger.kernel.org
Subject: Re: [PATCH] arm64/sysreg: refactor deprecated strncpy
Date: Thu, 10 Aug 2023 12:58:06 -0700	[thread overview]
Message-ID: <202308101257.47E6ACBD5@keescook> (raw)
In-Reply-To: <CAFhGd8rfKLY5KujEdvSnqv2MZFhTbEBo_bi7xVacY1pcBC1jRg@mail.gmail.com>

On Thu, Aug 10, 2023 at 12:25:37PM -0700, Justin Stitt wrote:
> On Thu, Aug 10, 2023 at 12:00 PM Kees Cook <keescook@chromium.org> wrote:
> >
> > On Thu, Aug 10, 2023 at 06:39:03PM +0000, Justin Stitt wrote:
> > > `strncpy` is deprecated for use on NUL-terminated destination strings
> > > [1]. Which seems to be the case here due to the forceful setting of `buf`'s
> > > tail to 0.
> >
> > Another note to include in these evaluations would be "does the
> > destination expect to be %NUL padded?". Here, it looks like no, as all
> > the routines "buf" is passed to expect a regular C string (padding
> > doesn't matter).
> >
> > >
> > > A suitable replacement is `strscpy` [2] due to the fact that it
> > > guarantees NUL-termination on its destination buffer argument which is
> > > _not_ the case for `strncpy`!
> > >
> > > In this case, there is some behavior being used in conjunction with
> > > `strncpy` that `strscpy` already implements. This means we can drop some
> > > of the extra stuff like `... -1` and `buf[len] = 0`
> > >
> > > This should have no functional change and yet uses a more robust and
> > > less ambiguous interface whilst reducing code complexity.
> > >
> > > Link: www.kernel.org/doc/html/latest/process/deprecated.html#strncpy-on-nul-terminated-strings[1]
> > > Link: https://manpages.debian.org/testing/linux-manual-4.8/strscpy.9.en.html [2]
> > > Link: https://github.com/KSPP/linux/issues/90
> > > Cc: linux-hardening@vger.kernel.org
> > >
> > > Signed-off-by: Justin Stitt <justinstitt@google.com>
> > > ---
> > > For reference, see a part of `strscpy`'s implementation here:
> > >
> > > |     /* Hit buffer length without finding a NUL; force NUL-termination. */
> > > |     if (res)
> > > |             dest[res-1] = '\0';
> > >
> > > Note: compile tested
> > > ---
> > >  arch/arm64/kernel/idreg-override.c | 5 ++---
> > >  1 file changed, 2 insertions(+), 3 deletions(-)
> > >
> > > diff --git a/arch/arm64/kernel/idreg-override.c b/arch/arm64/kernel/idreg-override.c
> > > index 2fe2491b692c..482dc5c71e90 100644
> > > --- a/arch/arm64/kernel/idreg-override.c
> > > +++ b/arch/arm64/kernel/idreg-override.c
> > > @@ -262,9 +262,8 @@ static __init void __parse_cmdline(const char *cmdline, bool parse_aliases)
> > >               if (!len)
> > >                       return;
> > >
> > > -             len = min(len, ARRAY_SIZE(buf) - 1);
> > > -             strncpy(buf, cmdline, len);
> > > -             buf[len] = 0;
> > > +             len = min(len, ARRAY_SIZE(buf));
> > > +             strscpy(buf, cmdline, len);
> >
> > This, however, isn't correct: "cmdline" will be incremented by "leN"
> > later, and we want a count of the characters copied into "buf", even if
> > they're truncated. I think this should be:
> >
> >                 strscpy(buf, cmdline, ARRAY_SIZE(buf));
> >                 len = strlen(buf);
> >
> Thoughts on using the return value from `strscpy` here?

This code seems to silently accept truncation, so -E2BIG will cause a
problem if it only looks at the return value.

-Kees

-- 
Kees Cook

_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel