From: "David Rheinsberg" <david@readahead.eu>
To: "Kees Cook" <keescook@chromium.org>,
"Justin Stitt" <justinstitt@google.com>
Cc: "Jiri Kosina" <jikos@kernel.org>,
"Benjamin Tissoires" <benjamin.tissoires@redhat.com>,
linux-input@vger.kernel.org, linux-kernel@vger.kernel.org,
linux-hardening@vger.kernel.org,
"David Herrmann" <dh.herrmann@gmail.com>
Subject: Re: [PATCH] HID: uhid: refactor deprecated strncpy
Date: Fri, 15 Sep 2023 09:36:23 +0200 [thread overview]
Message-ID: <98d981a1-4e4c-4173-b8eb-09b4245bca60@app.fastmail.com> (raw)
In-Reply-To: <202309142206.60836CE@keescook>
Hi
On Fri, Sep 15, 2023, at 7:13 AM, Kees Cook wrote:
>> - /* @hid is zero-initialized, strncpy() is correct, strlcpy() not */
>> - len = min(sizeof(hid->name), sizeof(ev->u.create2.name)) - 1;
>> - strncpy(hid->name, ev->u.create2.name, len);
>> - len = min(sizeof(hid->phys), sizeof(ev->u.create2.phys)) - 1;
>> - strncpy(hid->phys, ev->u.create2.phys, len);
>> - len = min(sizeof(hid->uniq), sizeof(ev->u.create2.uniq)) - 1;
>> - strncpy(hid->uniq, ev->u.create2.uniq, len);
>
> ev->u.create2 is:
> struct uhid_create2_req {
> __u8 name[128];
> __u8 phys[64];
> __u8 uniq[64];
> ...
>
> hid is:
> struct hid_device { /* device report descriptor */
> ...
> char name[128]; /* Device name */
> char phys[64]; /* Device physical location */
> char uniq[64]; /* Device unique identifier (serial #) */
>
> So these "min" calls are redundant -- it wants to copy at most 1 less so
> it can be %NUL terminated. Which is what strscpy() already does. And
> source and dest are the same size, so we can't over-read source if it
> weren't terminated (since strscpy won't overread like strlcpy).
I *really* think we should keep the `min` calls. The compiler should already optimize them away, as both arguments are compile-time constants. There is no inherent reason why source and target are equal in size. Yes, it is unlikely to change, but I don't understand why we would want to implicitly rely on it, rather than make the compiler verify it for us. And `struct hid_device` is very much allowed to change in the future.
As an alternative, you can use BUILD_BUG_ON() and verify both are equal in length.
Thanks
David
next prev parent reply other threads:[~2023-09-15 7:36 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-09-14 22:47 [PATCH] HID: uhid: refactor deprecated strncpy Justin Stitt
2023-09-15 5:13 ` Kees Cook
2023-09-15 7:36 ` David Rheinsberg [this message]
2023-09-15 20:48 ` Kees Cook
2023-09-18 7:37 ` David Rheinsberg
2023-09-29 18:52 ` Kees Cook
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=98d981a1-4e4c-4173-b8eb-09b4245bca60@app.fastmail.com \
--to=david@readahead.eu \
--cc=benjamin.tissoires@redhat.com \
--cc=dh.herrmann@gmail.com \
--cc=jikos@kernel.org \
--cc=justinstitt@google.com \
--cc=keescook@chromium.org \
--cc=linux-hardening@vger.kernel.org \
--cc=linux-input@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).