[PATCH] EDAC, thunderx: fix possible out-of-bounds string access.

[PATCH] EDAC, thunderx: fix possible out-of-bounds string access.

[Arnd Bergmann]

From: Arnd Bergmann <arnd@arndb.de>

Commit 1b56c90018f0 ("Makefile: Enable -Wstringop-overflow globally") exposes a
warning for a common bug in the usage of strncat():

drivers/edac/thunderx_edac.c: In function 'thunderx_ocx_com_threaded_isr':
drivers/edac/thunderx_edac.c:1136:17: error: 'strncat' specified bound 1024 equals destination size [-Werror=stringop-overflow=]
 1136 |                 strncat(msg, other, OCX_MESSAGE_SIZE);
      |                 ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
drivers/edac/thunderx_edac.c:1145:33: error: 'strncat' specified bound 1024 equals destination size [-Werror=stringop-overflow=]
 1145 |                                 strncat(msg, other, OCX_MESSAGE_SIZE);
      |                                 ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
drivers/edac/thunderx_edac.c:1150:33: error: 'strncat' specified bound 1024 equals destination size [-Werror=stringop-overflow=]
 1150 |                                 strncat(msg, other, OCX_MESSAGE_SIZE);
      |                                 ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
drivers/edac/thunderx_edac.c: In function 'thunderx_l2c_threaded_isr':
drivers/edac/thunderx_edac.c:1899:17: error: 'strncat' specified bound 1024 equals destination size [-Werror=stringop-overflow=]
 1899 |                 strncat(msg, other, L2C_MESSAGE_SIZE);
      |                 ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
drivers/edac/thunderx_edac.c: In function 'thunderx_ocx_lnk_threaded_isr':
drivers/edac/thunderx_edac.c:1220:17: error: 'strncat' specified bound 1024 equals destination size [-Werror=stringop-overflow=]
 1220 |                 strncat(msg, other, OCX_MESSAGE_SIZE);
      |                 ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Apparently the author of this driver expected strncat() to behave the
way that strlcat() does, which uses the size of the destination buffer
as its third argument rather than the length of the source buffer.
The result is that there is no check on the size of the allocated
buffer.

Change it to use strncat().

Fixes: 41003396f932 ("EDAC, thunderx: Add Cavium ThunderX EDAC driver")
Cc: "Gustavo A. R. Silva" <gustavoars@kernel.org>
Cc: Kees Cook <keescook@chromium.org>
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
---
 drivers/edac/thunderx_edac.c | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/drivers/edac/thunderx_edac.c b/drivers/edac/thunderx_edac.c
index b9c5772da959..90d46e5c4ff0 100644
--- a/drivers/edac/thunderx_edac.c
+++ b/drivers/edac/thunderx_edac.c
@@ -1133,7 +1133,7 @@ static irqreturn_t thunderx_ocx_com_threaded_isr(int irq, void *irq_id)
 		decode_register(other, OCX_OTHER_SIZE,
 				ocx_com_errors, ctx->reg_com_int);
 
-		strncat(msg, other, OCX_MESSAGE_SIZE);
+		strlcat(msg, other, OCX_MESSAGE_SIZE);
 
 		for (lane = 0; lane < OCX_RX_LANES; lane++)
 			if (ctx->reg_com_int & BIT(lane)) {
@@ -1142,12 +1142,12 @@ static irqreturn_t thunderx_ocx_com_threaded_isr(int irq, void *irq_id)
 					 lane, ctx->reg_lane_int[lane],
 					 lane, ctx->reg_lane_stat11[lane]);
 
-				strncat(msg, other, OCX_MESSAGE_SIZE);
+				strlcat(msg, other, OCX_MESSAGE_SIZE);
 
 				decode_register(other, OCX_OTHER_SIZE,
 						ocx_lane_errors,
 						ctx->reg_lane_int[lane]);
-				strncat(msg, other, OCX_MESSAGE_SIZE);
+				strlcat(msg, other, OCX_MESSAGE_SIZE);
 			}
 
 		if (ctx->reg_com_int & OCX_COM_INT_CE)
@@ -1217,7 +1217,7 @@ static irqreturn_t thunderx_ocx_lnk_threaded_isr(int irq, void *irq_id)
 		decode_register(other, OCX_OTHER_SIZE,
 				ocx_com_link_errors, ctx->reg_com_link_int);
 
-		strncat(msg, other, OCX_MESSAGE_SIZE);
+		strlcat(msg, other, OCX_MESSAGE_SIZE);
 
 		if (ctx->reg_com_link_int & OCX_COM_LINK_INT_UE)
 			edac_device_handle_ue(ocx->edac_dev, 0, 0, msg);
@@ -1896,7 +1896,7 @@ static irqreturn_t thunderx_l2c_threaded_isr(int irq, void *irq_id)
 
 		decode_register(other, L2C_OTHER_SIZE, l2_errors, ctx->reg_int);
 
-		strncat(msg, other, L2C_MESSAGE_SIZE);
+		strlcat(msg, other, L2C_MESSAGE_SIZE);
 
 		if (ctx->reg_int & mask_ue)
 			edac_device_handle_ue(l2c->edac_dev, 0, 0, msg);
-- 
2.39.2

Re: [PATCH] EDAC, thunderx: fix possible out-of-bounds string access.

[Gustavo A. R. Silva]

On 11/22/23 16:19, Arnd Bergmann wrote:
> From: Arnd Bergmann <arnd@arndb.de>
> 
> Commit 1b56c90018f0 ("Makefile: Enable -Wstringop-overflow globally") exposes a
> warning for a common bug in the usage of strncat():

Great to see this catching bugs already. :)

> 
> drivers/edac/thunderx_edac.c: In function 'thunderx_ocx_com_threaded_isr':
> drivers/edac/thunderx_edac.c:1136:17: error: 'strncat' specified bound 1024 equals destination size [-Werror=stringop-overflow=]
>   1136 |                 strncat(msg, other, OCX_MESSAGE_SIZE);
>        |                 ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> drivers/edac/thunderx_edac.c:1145:33: error: 'strncat' specified bound 1024 equals destination size [-Werror=stringop-overflow=]
>   1145 |                                 strncat(msg, other, OCX_MESSAGE_SIZE);
>        |                                 ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> drivers/edac/thunderx_edac.c:1150:33: error: 'strncat' specified bound 1024 equals destination size [-Werror=stringop-overflow=]
>   1150 |                                 strncat(msg, other, OCX_MESSAGE_SIZE);
>        |                                 ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> drivers/edac/thunderx_edac.c: In function 'thunderx_l2c_threaded_isr':
> drivers/edac/thunderx_edac.c:1899:17: error: 'strncat' specified bound 1024 equals destination size [-Werror=stringop-overflow=]
>   1899 |                 strncat(msg, other, L2C_MESSAGE_SIZE);
>        |                 ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> drivers/edac/thunderx_edac.c: In function 'thunderx_ocx_lnk_threaded_isr':
> drivers/edac/thunderx_edac.c:1220:17: error: 'strncat' specified bound 1024 equals destination size [-Werror=stringop-overflow=]
>   1220 |                 strncat(msg, other, OCX_MESSAGE_SIZE);
>        |                 ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> 
> Apparently the author of this driver expected strncat() to behave the
> way that strlcat() does, which uses the size of the destination buffer
> as its third argument rather than the length of the source buffer.
> The result is that there is no check on the size of the allocated
> buffer.
> 
> Change it to use strncat().

s/strncat/strlcat

with that:

Reviewed-by: Gustavo A. R. Silva <gustavoars@kernel.org>

Thanks!
--
Gustavo

> 
> Fixes: 41003396f932 ("EDAC, thunderx: Add Cavium ThunderX EDAC driver")
> Cc: "Gustavo A. R. Silva" <gustavoars@kernel.org>
> Cc: Kees Cook <keescook@chromium.org>
> Signed-off-by: Arnd Bergmann <arnd@arndb.de>
> ---
>   drivers/edac/thunderx_edac.c | 10 +++++-----
>   1 file changed, 5 insertions(+), 5 deletions(-)
> 
> diff --git a/drivers/edac/thunderx_edac.c b/drivers/edac/thunderx_edac.c
> index b9c5772da959..90d46e5c4ff0 100644
> --- a/drivers/edac/thunderx_edac.c
> +++ b/drivers/edac/thunderx_edac.c
> @@ -1133,7 +1133,7 @@ static irqreturn_t thunderx_ocx_com_threaded_isr(int irq, void *irq_id)
>   		decode_register(other, OCX_OTHER_SIZE,
>   				ocx_com_errors, ctx->reg_com_int);
>   
> -		strncat(msg, other, OCX_MESSAGE_SIZE);
> +		strlcat(msg, other, OCX_MESSAGE_SIZE);
>   
>   		for (lane = 0; lane < OCX_RX_LANES; lane++)
>   			if (ctx->reg_com_int & BIT(lane)) {
> @@ -1142,12 +1142,12 @@ static irqreturn_t thunderx_ocx_com_threaded_isr(int irq, void *irq_id)
>   					 lane, ctx->reg_lane_int[lane],
>   					 lane, ctx->reg_lane_stat11[lane]);
>   
> -				strncat(msg, other, OCX_MESSAGE_SIZE);
> +				strlcat(msg, other, OCX_MESSAGE_SIZE);
>   
>   				decode_register(other, OCX_OTHER_SIZE,
>   						ocx_lane_errors,
>   						ctx->reg_lane_int[lane]);
> -				strncat(msg, other, OCX_MESSAGE_SIZE);
> +				strlcat(msg, other, OCX_MESSAGE_SIZE);
>   			}
>   
>   		if (ctx->reg_com_int & OCX_COM_INT_CE)
> @@ -1217,7 +1217,7 @@ static irqreturn_t thunderx_ocx_lnk_threaded_isr(int irq, void *irq_id)
>   		decode_register(other, OCX_OTHER_SIZE,
>   				ocx_com_link_errors, ctx->reg_com_link_int);
>   
> -		strncat(msg, other, OCX_MESSAGE_SIZE);
> +		strlcat(msg, other, OCX_MESSAGE_SIZE);
>   
>   		if (ctx->reg_com_link_int & OCX_COM_LINK_INT_UE)
>   			edac_device_handle_ue(ocx->edac_dev, 0, 0, msg);
> @@ -1896,7 +1896,7 @@ static irqreturn_t thunderx_l2c_threaded_isr(int irq, void *irq_id)
>   
>   		decode_register(other, L2C_OTHER_SIZE, l2_errors, ctx->reg_int);
>   
> -		strncat(msg, other, L2C_MESSAGE_SIZE);
> +		strlcat(msg, other, L2C_MESSAGE_SIZE);
>   
>   		if (ctx->reg_int & mask_ue)
>   			edac_device_handle_ue(l2c->edac_dev, 0, 0, msg);

Re: [PATCH] EDAC, thunderx: fix possible out-of-bounds string access.

[Borislav Petkov]

On Wed, Nov 22, 2023 at 11:19:53PM +0100, Arnd Bergmann wrote:
> From: Arnd Bergmann <arnd@arndb.de>
> 
> Commit 1b56c90018f0 ("Makefile: Enable -Wstringop-overflow globally") exposes a

$ git describe 1b56c90018f0
fatal: Not a valid object name 1b56c90018f0

I'm assuming that's in linux-next?

-- 
Regards/Gruss,
    Boris.

https://people.kernel.org/tglx/notes-about-netiquette

Re: [PATCH] EDAC, thunderx: fix possible out-of-bounds string access.

[Gustavo A. R. Silva]

On 11/23/23 05:58, Borislav Petkov wrote:
> On Wed, Nov 22, 2023 at 11:19:53PM +0100, Arnd Bergmann wrote:
>> From: Arnd Bergmann <arnd@arndb.de>
>>
>> Commit 1b56c90018f0 ("Makefile: Enable -Wstringop-overflow globally") exposes a
> 
> $ git describe 1b56c90018f0
> fatal: Not a valid object name 1b56c90018f0
> 
> I'm assuming that's in linux-next?

That's correct, yes.

--
Gustavo

Re: [PATCH] EDAC, thunderx: fix possible out-of-bounds string access.

[Borislav Petkov]

On Thu, Nov 23, 2023 at 08:03:58AM -0600, Gustavo A. R. Silva wrote:
> That's correct, yes.

Commit ID is stable enough so that it doesn't change?

I don't want to commit it now and it would happen to change later and
I'll have a stale reference in the commit message...

-- 
Regards/Gruss,
    Boris.

https://people.kernel.org/tglx/notes-about-netiquette

Re: [PATCH] EDAC, thunderx: fix possible out-of-bounds string access.

[Gustavo A. R. Silva]

On 11/23/23 08:30, Borislav Petkov wrote:
> On Thu, Nov 23, 2023 at 08:03:58AM -0600, Gustavo A. R. Silva wrote:
>> That's correct, yes.
> 
> Commit ID is stable enough so that it doesn't change?

Well, it has changed a couple of times in a week.

> 
> I don't want to commit it now and it would happen to change later and
> I'll have a stale reference in the commit message...
> 

To avoid that, I would just say (in the changelog text) that this patch
is fixing some -Wstringop-overflow warnings, without specifying any
commit ID.

--
Gustavo

Re: [PATCH] EDAC, thunderx: fix possible out-of-bounds string access.

[Borislav Petkov]

On Thu, Nov 23, 2023 at 08:41:33AM -0600, Gustavo A. R. Silva wrote:
> To avoid that, I would just say (in the changelog text) that this patch
> is fixing some -Wstringop-overflow warnings, without specifying any
> commit ID.

Doh, obviously.

I hope Arnd is reading this. :-)

Thx, lemme do that.

-- 
Regards/Gruss,
    Boris.

https://people.kernel.org/tglx/notes-about-netiquette

Re: [PATCH] EDAC, thunderx: fix possible out-of-bounds string access.

[Borislav Petkov]

On Wed, Nov 22, 2023 at 11:19:53PM +0100, Arnd Bergmann wrote:
> From: Arnd Bergmann <arnd@arndb.de>
> 
> Commit 1b56c90018f0 ("Makefile: Enable -Wstringop-overflow globally") exposes a
> warning for a common bug in the usage of strncat():
> 
> drivers/edac/thunderx_edac.c: In function 'thunderx_ocx_com_threaded_isr':
> drivers/edac/thunderx_edac.c:1136:17: error: 'strncat' specified bound 1024 equals destination size [-Werror=stringop-overflow=]
>  1136 |                 strncat(msg, other, OCX_MESSAGE_SIZE);
>       |                 ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> drivers/edac/thunderx_edac.c:1145:33: error: 'strncat' specified bound 1024 equals destination size [-Werror=stringop-overflow=]
>  1145 |                                 strncat(msg, other, OCX_MESSAGE_SIZE);
>       |                                 ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> drivers/edac/thunderx_edac.c:1150:33: error: 'strncat' specified bound 1024 equals destination size [-Werror=stringop-overflow=]
>  1150 |                                 strncat(msg, other, OCX_MESSAGE_SIZE);
>       |                                 ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> drivers/edac/thunderx_edac.c: In function 'thunderx_l2c_threaded_isr':
> drivers/edac/thunderx_edac.c:1899:17: error: 'strncat' specified bound 1024 equals destination size [-Werror=stringop-overflow=]
>  1899 |                 strncat(msg, other, L2C_MESSAGE_SIZE);
>       |                 ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> drivers/edac/thunderx_edac.c: In function 'thunderx_ocx_lnk_threaded_isr':
> drivers/edac/thunderx_edac.c:1220:17: error: 'strncat' specified bound 1024 equals destination size [-Werror=stringop-overflow=]
>  1220 |                 strncat(msg, other, OCX_MESSAGE_SIZE);
>       |                 ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> 
> Apparently the author of this driver expected strncat() to behave the
> way that strlcat() does, which uses the size of the destination buffer
> as its third argument rather than the length of the source buffer.
> The result is that there is no check on the size of the allocated
> buffer.
> 
> Change it to use strncat().
> 
> Fixes: 41003396f932 ("EDAC, thunderx: Add Cavium ThunderX EDAC driver")
> Cc: "Gustavo A. R. Silva" <gustavoars@kernel.org>
> Cc: Kees Cook <keescook@chromium.org>
> Signed-off-by: Arnd Bergmann <arnd@arndb.de>
> ---
>  drivers/edac/thunderx_edac.c | 10 +++++-----
>  1 file changed, 5 insertions(+), 5 deletions(-)

Applied, thanks.

-- 
Regards/Gruss,
    Boris.

https://people.kernel.org/tglx/notes-about-netiquette