From: David Laight <david.laight.linux@gmail.com>
To: Viacheslav Dubeyko <slava@dubeyko.com>
Cc: "Darrick J. Wong" <djwong@kernel.org>,
Kees Cook <kees@kernel.org>,
linux-hardening@vger.kernel.org, linux-fsdevel@vger.kernel.org,
linux-kernel@vger.kernel.org, Arnd Bergmann <arnd@kernel.org>,
John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de>,
Yangtao Li <frank.li@vivo.com>
Subject: Re: [PATCH next] fs/hfsplus/xattr: Use memcpy() and strscpy() to build xattr_name
Date: Tue, 16 Jun 2026 08:51:27 +0100 [thread overview]
Message-ID: <20260616085127.3b11d855@pumpkin> (raw)
In-Reply-To: <ba59fcb77c31c1848d4a7f52e87829711b747567.camel@dubeyko.com>
On Mon, 15 Jun 2026 23:33:09 -0700
Viacheslav Dubeyko <slava@dubeyko.com> wrote:
> On Wed, 2026-06-10 at 21:18 -0700, Darrick J. Wong wrote:
> > On Wed, Jun 10, 2026 at 08:50:33PM -0700, Viacheslav Dubeyko wrote:
> > > On Mon, 2026-06-08 at 10:55 +0100,
> > > david.laight.linux@gmail.com wrote:
> > > > From: David Laight <david.laight.linux@gmail.com>
> > > >
> > > > xattr_name is kmalloc()ed at the (assumed) maximal size and then
> > > > the
> > > > prefix
> > > > and name concatenated together.
> > > > Use memcpy() for the prefix - its length is passed and strscpy()
> > > > for
> > > > the
> > > > name to ensure it really doesnt overflow.
> > > >
> > > > Prior to bf29e886b242c the buffers were smaller and on-stack.
> > > > (But I cant see the copy in the old code.)
> > > > I am also not sure why the buffer isnt created "just long
> > > > enough".
> > > >
> > > > Signed-off-by: David Laight <david.laight.linux@gmail.com>
> > > > ---
> > > > This is one of a group of patches that remove potentially
> > > > unbounded
> > > > strcpy() calls.
> > > >
> > > > They are mostly replaced by strscpy() or, when strlen() has just
> > > > been
> > > > called, with memcpy() (usually including the '\0').
> > > >
> > > > Calls with copy string literals into arrays are left unchanged.
> > > > They are safe and easily detected as such.
> > > >
> > > > The changes were made by getting the compiler to detect the calls
> > > > and
> > > > then fixing the code by hand.
> > > >
> > > > Note that all the changes are only compile tested.
> > > >
> > > > Some Makefiles were changed to allow files to contain strcpy().
> > > > As well as 'difficult to fix' files, this included 'show'
> > > > functions
> > > > as they really need to use sysfs_emit() or seq_printf().
> > > >
> > > > All the patches are being sent individually to avoid very long cc
> > > > lists.
> > > > Apologies for the terse commit messages and likely unexpected
> > > > tags.
> > > > (There are about 100 patches in total.)
> > > >
> > > > fs/hfsplus/xattr.c | 12 ++++++------
> > > > 1 file changed, 6 insertions(+), 6 deletions(-)
> > > >
> > > > diff --git a/fs/hfsplus/xattr.c b/fs/hfsplus/xattr.c
> > > > index 452a1f9becb2..0b3dd48c28c9 100644
> > > > --- a/fs/hfsplus/xattr.c
> > > > +++ b/fs/hfsplus/xattr.c
> > > > @@ -550,8 +550,8 @@ int hfsplus_setxattr(struct inode *inode,
> > > > const
> > > > char *name,
> > > > xattr_name = kmalloc(xattr_name_len, GFP_KERNEL);
> > > > if (!xattr_name)
> > > > return -ENOMEM;
> > > > - strcpy(xattr_name, prefix);
> > > > - strcpy(xattr_name + prefixlen, name);
> > > > + memcpy(xattr_name, prefix, prefixlen);
> > >
> > > What's the point to mix memcpy and str*() family of methods? What's
> > > wrong with str*() method here? Otherwise, if it is wrong to use
> > > str*()
> > > family of methods, then why is it correct to use for second
> > > operation?
> > >
> > > > + strscpy(xattr_name + prefixlen, name, xattr_name_len -
> > > > prefixlen);
> > >
> > > Why strscpy() is better than strncpy()? What is the main argument
> > > here?
> > >
> > > > res = __hfsplus_setxattr(inode, xattr_name, value, size,
> > > > flags);
> > > > kfree(xattr_name);
> > > >
> > > > @@ -698,6 +698,7 @@ ssize_t hfsplus_getxattr(struct inode *inode,
> > > > const char *name,
> > > > void *value, size_t size,
> > > > const char *prefix, size_t prefixlen)
> > > > {
> > > > + size_t xattr_name_len = NLS_MAX_CHARSET_SIZE *
> > > > HFSPLUS_ATTR_MAX_STRLEN + 1;
> > >
> > > Frankly speaking, it looks like a constant that should be declared
> > > in
> > > hfs_common.h. Even if we would like to declare it here, then it
> > > should
> > > be const size_t, from my point of view.
> > >
> > > > int res;
> > > > char *xattr_name;
> > > >
> > > > @@ -705,13 +706,12 @@ ssize_t hfsplus_getxattr(struct inode
> > > > *inode,
> > > > const char *name,
> > > > inode->i_ino, name ? name : NULL,
> > > > prefix ? prefix : NULL);
> > > >
> > > > - xattr_name = kmalloc(NLS_MAX_CHARSET_SIZE *
> > > > HFSPLUS_ATTR_MAX_STRLEN + 1,
> > > > - GFP_KERNEL);
> > > > + xattr_name = kmalloc(xattr_name_len, GFP_KERNEL);
> > >
> > > Finally, I think kzalloc() should be much better for both cases.
> >
> > kasprintf()?
> > >
>
> It sounds much better than suggested fix.
If performance matters here it will be a lot slower.
The snprintf() code itself is slow and kasprintf() has to do it twice.
(As well as looking at the strings twice.)
It also only allocates a buffer that is big enough for a single
terminating '\0' - and (at least some versions) of this code zero
the rest of the buffer (possibly to avoid a bug).
One option would be something like kstrdup() that concatenates two
strings.
David
>
> Thanks,
> Slava.
next prev parent reply other threads:[~2026-06-16 7:51 UTC|newest]
Thread overview: 12+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-06-08 9:55 [PATCH next] fs/hfsplus/xattr: Use memcpy() and strscpy() to build xattr_name david.laight.linux
2026-06-10 1:04 ` Viacheslav Dubeyko
2026-06-10 9:09 ` David Laight
2026-06-11 1:05 ` Viacheslav Dubeyko
2026-06-11 8:09 ` David Laight
2026-06-11 3:50 ` Viacheslav Dubeyko
2026-06-11 4:18 ` Darrick J. Wong
2026-06-16 6:33 ` Viacheslav Dubeyko
2026-06-16 7:51 ` David Laight [this message]
2026-06-11 8:18 ` David Laight
2026-06-12 4:02 ` Viacheslav Dubeyko
2026-06-12 7:11 ` David Laight
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260616085127.3b11d855@pumpkin \
--to=david.laight.linux@gmail.com \
--cc=arnd@kernel.org \
--cc=djwong@kernel.org \
--cc=frank.li@vivo.com \
--cc=glaubitz@physik.fu-berlin.de \
--cc=kees@kernel.org \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-hardening@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=slava@dubeyko.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox