From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <linux-input-owner@vger.kernel.org>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from vger.kernel.org (vger.kernel.org [23.128.96.18])
	by smtp.lore.kernel.org (Postfix) with ESMTP id 418B9E728D6
	for <linux-input@archiver.kernel.org>; Fri, 29 Sep 2023 18:52:57 +0000 (UTC)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S233717AbjI2Sw5 (ORCPT <rfc822;linux-input@archiver.kernel.org>);
        Fri, 29 Sep 2023 14:52:57 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:50954 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S233493AbjI2Sw4 (ORCPT
        <rfc822;linux-input@vger.kernel.org>);
        Fri, 29 Sep 2023 14:52:56 -0400
Received: from mail-pl1-x636.google.com (mail-pl1-x636.google.com [IPv6:2607:f8b0:4864:20::636])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 0FC27193
        for <linux-input@vger.kernel.org>; Fri, 29 Sep 2023 11:52:54 -0700 (PDT)
Received: by mail-pl1-x636.google.com with SMTP id d9443c01a7336-1c6219307b2so72806815ad.1
        for <linux-input@vger.kernel.org>; Fri, 29 Sep 2023 11:52:54 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=chromium.org; s=google; t=1696013573; x=1696618373; darn=vger.kernel.org;
        h=in-reply-to:content-disposition:mime-version:references:message-id
         :subject:cc:to:from:date:from:to:cc:subject:date:message-id:reply-to;
        bh=FzdCDgqRjuyIGpHmaR9Azk80J00BBZTlSEkRESoXfhQ=;
        b=gRYCQfyue2HOkrNKQXh+SDKrMBQbgRjw4K8UKCMusaqHYTkiU4YM0PmWVwVIkppfBO
         MAVirEXb9dMjXkV10N0x6fXxKiBPNJVNDkxtk1NlflvPE1ly7o/iL9zkM/sYKnFHRucV
         RxPqyNPswzW6VL+6N6xmp9AHH0TuKWR1kPhAI=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20230601; t=1696013573; x=1696618373;
        h=in-reply-to:content-disposition:mime-version:references:message-id
         :subject:cc:to:from:date:x-gm-message-state:from:to:cc:subject:date
         :message-id:reply-to;
        bh=FzdCDgqRjuyIGpHmaR9Azk80J00BBZTlSEkRESoXfhQ=;
        b=LoCRhHVxXm4OMpwR9NPywYY7Nzg63Fxy1haGcm5Rd/OuLEW9znwaq2l+7ChLDWbIlO
         h+v4bvom/DD66UCpJKs0l/DCRmYMKTz66EbZdzIw+Z8MoMLenYoryBbHiOhi0Hd3gEQh
         1+Wh3rTtbKoRpxPpOhuTcxVDqfHQUvG8WBwUrXSHPjx+YLoXIdk2t1a1PoK98Xw8/MYU
         9FynCvd0Q4OuutQr++uSRp95D+PNjx7yahhp8jjMMjX529JRqbZSV7F1EIBsCmntpIay
         q/QCItCpuo7ozRCvtF6zGI8EPK91UOjvf0OsnZLjnEonRMbADP7H/zHDAuCeg6DkckEy
         h3vg==
X-Gm-Message-State: AOJu0Yx+eIBEaTXSQVf+9StVKUHnqEQdlNhDdtDQYGYZsJBenpYHIDz8
        tGIMQRwFtLLApqWAALP696mzPQ==
X-Google-Smtp-Source: AGHT+IENEEnMjhVkasG2A9B4/nMon9HuhFU3IIPi76rU6zOburdOWJMnX9N1jfa2EOABWMIx9iDMnA==
X-Received: by 2002:a17:903:32c7:b0:1c3:f764:8428 with SMTP id i7-20020a17090332c700b001c3f7648428mr6177351plr.0.1696013573528;
        Fri, 29 Sep 2023 11:52:53 -0700 (PDT)
Received: from www.outflux.net (198-0-35-241-static.hfc.comcastbusiness.net. [198.0.35.241])
        by smtp.gmail.com with ESMTPSA id m18-20020a170902db1200b001c72c07c9d9sm4829458plx.308.2023.09.29.11.52.52
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Fri, 29 Sep 2023 11:52:53 -0700 (PDT)
Date:   Fri, 29 Sep 2023 11:52:52 -0700
From:   Kees Cook <keescook@chromium.org>
To:     David Rheinsberg <david@readahead.eu>
Cc:     Justin Stitt <justinstitt@google.com>,
        Jiri Kosina <jikos@kernel.org>,
        Benjamin Tissoires <benjamin.tissoires@redhat.com>,
        linux-input@vger.kernel.org, linux-kernel@vger.kernel.org,
        linux-hardening@vger.kernel.org,
        David Herrmann <dh.herrmann@gmail.com>
Subject: Re: [PATCH] HID: uhid: refactor deprecated strncpy
Message-ID: <202309291151.11AFC5F83@keescook>
References: <20230914-strncpy-drivers-hid-uhid-c-v1-1-18a190060d8d@google.com>
 <202309142206.60836CE@keescook>
 <98d981a1-4e4c-4173-b8eb-09b4245bca60@app.fastmail.com>
 <202309151342.DFA6CA5C7@keescook>
 <72b7c13a-5f82-498b-84a3-b6e9b61c0e3a@app.fastmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <72b7c13a-5f82-498b-84a3-b6e9b61c0e3a@app.fastmail.com>
Precedence: bulk
List-ID: <linux-input.vger.kernel.org>
X-Mailing-List: linux-input@vger.kernel.org

On Mon, Sep 18, 2023 at 09:37:53AM +0200, David Rheinsberg wrote:
> Hey
> 
> On Fri, Sep 15, 2023, at 10:48 PM, Kees Cook wrote:
> > On Fri, Sep 15, 2023 at 09:36:23AM +0200, David Rheinsberg wrote:
> >> Hi
> >> 
> >> On Fri, Sep 15, 2023, at 7:13 AM, Kees Cook wrote:
> >> >> -	/* @hid is zero-initialized, strncpy() is correct, strlcpy() not */
> >> >> -	len = min(sizeof(hid->name), sizeof(ev->u.create2.name)) - 1;
> >> >> -	strncpy(hid->name, ev->u.create2.name, len);
> >> >> -	len = min(sizeof(hid->phys), sizeof(ev->u.create2.phys)) - 1;
> >> >> -	strncpy(hid->phys, ev->u.create2.phys, len);
> >> >> -	len = min(sizeof(hid->uniq), sizeof(ev->u.create2.uniq)) - 1;
> >> >> -	strncpy(hid->uniq, ev->u.create2.uniq, len);
> >> >
> >> > ev->u.create2 is:
> >> > struct uhid_create2_req {
> >> >         __u8 name[128];
> >> >         __u8 phys[64];
> >> >         __u8 uniq[64];
> >> > 	...
> >> >
> >> > hid is:
> >> > struct hid_device { /* device report descriptor */
> >> > 	...
> >> >         char name[128]; /* Device name */
> >> >         char phys[64]; /* Device physical location */
> >> >         char uniq[64]; /* Device unique identifier (serial #) */
> >> >
> >> > So these "min" calls are redundant -- it wants to copy at most 1 less so
> >> > it can be %NUL terminated. Which is what strscpy() already does. And
> >> > source and dest are the same size, so we can't over-read source if it
> >> > weren't terminated (since strscpy won't overread like strlcpy).
> >> 
> >> I *really* think we should keep the `min` calls. The compiler
> >> should already optimize them away, as both arguments are compile-time
> >> constants. There is no inherent reason why source and target are equal in
> >> size. Yes, it is unlikely to change, but I don't understand why we would
> >> want to implicitly rely on it, rather than make the compiler verify it for
> >> us. And `struct hid_device` is very much allowed to change in the future.
> >> 
> >> As an alternative, you can use BUILD_BUG_ON() and verify both are equal in length.
> >
> > If we can't depend on ev->u.create2.name/phys/uniq being %NUL-terminated,
> > we've already done the "min" calculations, and we've already got the
> > dest zeroed, then I suspect the thing to do is just use memcpy instead
> > of strncpy (or strscpy).
> 
> If you use memcpy, you might copy garbage trailing the terminating zero. This is not particularly wrong, but also not really nice if user-space relies on the kernel to treat it as a string. You don't know whether a query of the string returns trailing bytes, and thus might expose data that user-space did not intend to share.
> 
> I mean, this is why the code uses strncpy().

Justin, can you respin this patch (with an updated Subject and commit
log), and add BUILD_BUG_ON() to verify the sizes are the same in addition
to what you already had in the original patch?

I think that'll give us the right balance between correctness,
readability, and future-proofing.

-Kees

-- 
Kees Cook