* [PATCH next] fs/hfsplus/xattr: Use memcpy() and strscpy() to build xattr_name
@ 2026-06-08 9:55 david.laight.linux
2026-06-10 1:04 ` Viacheslav Dubeyko
0 siblings, 1 reply; 3+ messages in thread
From: david.laight.linux @ 2026-06-08 9:55 UTC (permalink / raw)
To: Kees Cook, linux-hardening, linux-fsdevel, linux-kernel
Cc: Arnd Bergmann, John Paul Adrian Glaubitz, Viacheslav Dubeyko,
Yangtao Li, David Laight
From: David Laight <david.laight.linux@gmail.com>
xattr_name is kmalloc()ed at the (assumed) maximal size and then the prefix
and name concatenated together.
Use memcpy() for the prefix - its length is passed and strscpy() for the
name to ensure it really doesnt overflow.
Prior to bf29e886b242c the buffers were smaller and on-stack.
(But I cant see the copy in the old code.)
I am also not sure why the buffer isnt created "just long enough".
Signed-off-by: David Laight <david.laight.linux@gmail.com>
---
This is one of a group of patches that remove potentially unbounded
strcpy() calls.
They are mostly replaced by strscpy() or, when strlen() has just been
called, with memcpy() (usually including the '\0').
Calls with copy string literals into arrays are left unchanged.
They are safe and easily detected as such.
The changes were made by getting the compiler to detect the calls and
then fixing the code by hand.
Note that all the changes are only compile tested.
Some Makefiles were changed to allow files to contain strcpy().
As well as 'difficult to fix' files, this included 'show' functions
as they really need to use sysfs_emit() or seq_printf().
All the patches are being sent individually to avoid very long cc lists.
Apologies for the terse commit messages and likely unexpected tags.
(There are about 100 patches in total.)
fs/hfsplus/xattr.c | 12 ++++++------
1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/fs/hfsplus/xattr.c b/fs/hfsplus/xattr.c
index 452a1f9becb2..0b3dd48c28c9 100644
--- a/fs/hfsplus/xattr.c
+++ b/fs/hfsplus/xattr.c
@@ -550,8 +550,8 @@ int hfsplus_setxattr(struct inode *inode, const char *name,
xattr_name = kmalloc(xattr_name_len, GFP_KERNEL);
if (!xattr_name)
return -ENOMEM;
- strcpy(xattr_name, prefix);
- strcpy(xattr_name + prefixlen, name);
+ memcpy(xattr_name, prefix, prefixlen);
+ strscpy(xattr_name + prefixlen, name, xattr_name_len - prefixlen);
res = __hfsplus_setxattr(inode, xattr_name, value, size, flags);
kfree(xattr_name);
@@ -698,6 +698,7 @@ ssize_t hfsplus_getxattr(struct inode *inode, const char *name,
void *value, size_t size,
const char *prefix, size_t prefixlen)
{
+ size_t xattr_name_len = NLS_MAX_CHARSET_SIZE * HFSPLUS_ATTR_MAX_STRLEN + 1;
int res;
char *xattr_name;
@@ -705,13 +706,12 @@ ssize_t hfsplus_getxattr(struct inode *inode, const char *name,
inode->i_ino, name ? name : NULL,
prefix ? prefix : NULL);
- xattr_name = kmalloc(NLS_MAX_CHARSET_SIZE * HFSPLUS_ATTR_MAX_STRLEN + 1,
- GFP_KERNEL);
+ xattr_name = kmalloc(xattr_name_len, GFP_KERNEL);
if (!xattr_name)
return -ENOMEM;
- strcpy(xattr_name, prefix);
- strcpy(xattr_name + prefixlen, name);
+ memcpy(xattr_name, prefix, prefixlen);
+ strscpy(xattr_name + prefixlen, name, xattr_name_len - prefixlen);
res = __hfsplus_getxattr(inode, xattr_name, value, size);
kfree(xattr_name);
--
2.39.5
^ permalink raw reply related [flat|nested] 3+ messages in thread
* Re: [PATCH next] fs/hfsplus/xattr: Use memcpy() and strscpy() to build xattr_name
2026-06-08 9:55 [PATCH next] fs/hfsplus/xattr: Use memcpy() and strscpy() to build xattr_name david.laight.linux
@ 2026-06-10 1:04 ` Viacheslav Dubeyko
2026-06-10 9:09 ` David Laight
0 siblings, 1 reply; 3+ messages in thread
From: Viacheslav Dubeyko @ 2026-06-10 1:04 UTC (permalink / raw)
To: david.laight.linux, Kees Cook, linux-hardening, linux-fsdevel,
linux-kernel
Cc: Arnd Bergmann, John Paul Adrian Glaubitz, Yangtao Li
On Mon, 2026-06-08 at 10:55 +0100, david.laight.linux@gmail.com wrote:
> From: David Laight <david.laight.linux@gmail.com>
>
> xattr_name is kmalloc()ed at the (assumed) maximal size and then the
> prefix
> and name concatenated together.
> Use memcpy() for the prefix - its length is passed and strscpy() for
> the
> name to ensure it really doesnt overflow.
>
> Prior to bf29e886b242c the buffers were smaller and on-stack.
> (But I cant see the copy in the old code.)
> I am also not sure why the buffer isnt created "just long enough".
What do you mean by "the buffer isn't created just long enough"? And
what is your vision of correct implementation of the logic?
Thanks,
Slava.
>
> Signed-off-by: David Laight <david.laight.linux@gmail.com>
> ---
> This is one of a group of patches that remove potentially unbounded
> strcpy() calls.
>
> They are mostly replaced by strscpy() or, when strlen() has just been
> called, with memcpy() (usually including the '\0').
>
> Calls with copy string literals into arrays are left unchanged.
> They are safe and easily detected as such.
>
> The changes were made by getting the compiler to detect the calls and
> then fixing the code by hand.
>
> Note that all the changes are only compile tested.
>
> Some Makefiles were changed to allow files to contain strcpy().
> As well as 'difficult to fix' files, this included 'show' functions
> as they really need to use sysfs_emit() or seq_printf().
>
> All the patches are being sent individually to avoid very long cc
> lists.
> Apologies for the terse commit messages and likely unexpected tags.
> (There are about 100 patches in total.)
>
> fs/hfsplus/xattr.c | 12 ++++++------
> 1 file changed, 6 insertions(+), 6 deletions(-)
>
> diff --git a/fs/hfsplus/xattr.c b/fs/hfsplus/xattr.c
> index 452a1f9becb2..0b3dd48c28c9 100644
> --- a/fs/hfsplus/xattr.c
> +++ b/fs/hfsplus/xattr.c
> @@ -550,8 +550,8 @@ int hfsplus_setxattr(struct inode *inode, const
> char *name,
> xattr_name = kmalloc(xattr_name_len, GFP_KERNEL);
> if (!xattr_name)
> return -ENOMEM;
> - strcpy(xattr_name, prefix);
> - strcpy(xattr_name + prefixlen, name);
> + memcpy(xattr_name, prefix, prefixlen);
> + strscpy(xattr_name + prefixlen, name, xattr_name_len -
> prefixlen);
> res = __hfsplus_setxattr(inode, xattr_name, value, size,
> flags);
> kfree(xattr_name);
>
> @@ -698,6 +698,7 @@ ssize_t hfsplus_getxattr(struct inode *inode,
> const char *name,
> void *value, size_t size,
> const char *prefix, size_t prefixlen)
> {
> + size_t xattr_name_len = NLS_MAX_CHARSET_SIZE *
> HFSPLUS_ATTR_MAX_STRLEN + 1;
> int res;
> char *xattr_name;
>
> @@ -705,13 +706,12 @@ ssize_t hfsplus_getxattr(struct inode *inode,
> const char *name,
> inode->i_ino, name ? name : NULL,
> prefix ? prefix : NULL);
>
> - xattr_name = kmalloc(NLS_MAX_CHARSET_SIZE *
> HFSPLUS_ATTR_MAX_STRLEN + 1,
> - GFP_KERNEL);
> + xattr_name = kmalloc(xattr_name_len, GFP_KERNEL);
> if (!xattr_name)
> return -ENOMEM;
>
> - strcpy(xattr_name, prefix);
> - strcpy(xattr_name + prefixlen, name);
> + memcpy(xattr_name, prefix, prefixlen);
> + strscpy(xattr_name + prefixlen, name, xattr_name_len -
> prefixlen);
>
> res = __hfsplus_getxattr(inode, xattr_name, value, size);
> kfree(xattr_name);
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: [PATCH next] fs/hfsplus/xattr: Use memcpy() and strscpy() to build xattr_name
2026-06-10 1:04 ` Viacheslav Dubeyko
@ 2026-06-10 9:09 ` David Laight
0 siblings, 0 replies; 3+ messages in thread
From: David Laight @ 2026-06-10 9:09 UTC (permalink / raw)
To: Viacheslav Dubeyko
Cc: Kees Cook, linux-hardening, linux-fsdevel, linux-kernel,
Arnd Bergmann, John Paul Adrian Glaubitz, Yangtao Li
On Tue, 09 Jun 2026 18:04:46 -0700
Viacheslav Dubeyko <slava@dubeyko.com> wrote:
> On Mon, 2026-06-08 at 10:55 +0100, david.laight.linux@gmail.com wrote:
> > From: David Laight <david.laight.linux@gmail.com>
> >
> > xattr_name is kmalloc()ed at the (assumed) maximal size and then the
> > prefix
> > and name concatenated together.
> > Use memcpy() for the prefix - its length is passed and strscpy() for
> > the
> > name to ensure it really doesnt overflow.
> >
> > Prior to bf29e886b242c the buffers were smaller and on-stack.
> > (But I cant see the copy in the old code.)
> > I am also not sure why the buffer isnt created "just long enough".
>
> What do you mean by "the buffer isn't created just long enough"? And
> what is your vision of correct implementation of the logic?
The old code is:
> xattr_name = kmalloc(xattr_name_len, GFP_KERNEL);
> if (!xattr_name)
> return -ENOMEM;
> strcpy(xattr_name, prefix);
> strcpy(xattr_name + prefixlen, name);
It would be more usual to do:
size_t name_len = strlen(name) + 1;
xattr_name = kmalloc(prefixlen + name_len);
memcpy(xattr_name, prefix, prefixlen)
memcpy(xattr_name + prefixlen, name, name_len);
So that the buffer is allocated the correct size for the strings.
(Not that it really makes much difference whether you do kmalloc(32) or
kmalloc(1024) for a temporary buffer - both come of a per-cpu list.)
What I couldn't decide, but seems to be inferred from some of fixes,
was whether a double-terminator was needed.
(That might just be the attribute value.)
One of the related functions got fixed to zero fill a buffer in a loop
because (AFICT) something was reading beyond a '\0' terminator.
This code does seem strange though.
It seems to add a text prefix here and then the called function does
string compares to find out which prefix has added and than act
differently based on the prefix.
I didn't try to follow things any further.
I also don't know if 'name' itself can be 127 wide characters (before the
prefix is added)?
The fixed length buffer isn't long enough if all 127 characters require
6 bytes to encode.
-- David
>
> Thanks,
> Slava.
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2026-06-10 9:09 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-06-08 9:55 [PATCH next] fs/hfsplus/xattr: Use memcpy() and strscpy() to build xattr_name david.laight.linux
2026-06-10 1:04 ` Viacheslav Dubeyko
2026-06-10 9:09 ` David Laight
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox