From: Kees Cook <kees@kernel.org>
To: Thorsten Blum <thorsten.blum@linux.dev>
Cc: "Martin K. Petersen" <martin.petersen@oracle.com>,
linux-hardening@vger.kernel.org, linux-scsi@vger.kernel.org,
target-devel@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH] scsi: target: Replace deprecated strncpy() with strscpy()
Date: Fri, 28 Feb 2025 12:10:43 -0800 [thread overview]
Message-ID: <202502281204.CE15A6BA35@keescook> (raw)
In-Reply-To: <20250226121003.359876-1-thorsten.blum@linux.dev>
On Wed, Feb 26, 2025 at 01:10:03PM +0100, Thorsten Blum wrote:
> Since strncpy() is deprecated for NUL-terminated destination buffers,
> use strscpy() instead.
>
> Compile-tested only.
>
> Link: https://github.com/KSPP/linux/issues/90
> Cc: linux-hardening@vger.kernel.org
> Signed-off-by: Thorsten Blum <thorsten.blum@linux.dev>
> ---
> drivers/target/target_core_configfs.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/target/target_core_configfs.c b/drivers/target/target_core_configfs.c
> index c40217f44b1b..446682f900e4 100644
> --- a/drivers/target/target_core_configfs.c
> +++ b/drivers/target/target_core_configfs.c
> @@ -143,7 +143,7 @@ static ssize_t target_core_item_dbroot_store(struct config_item *item,
> }
> filp_close(fp, NULL);
>
> - strncpy(db_root, db_root_stage, read_bytes);
> + strscpy(db_root, db_root_stage, read_bytes);
> pr_debug("Target_Core_ConfigFS: db_root set to %s\n", db_root);
>
> r = read_bytes;
When doing strncpy() to strscpy() conversions, please include details
of your analysis for several things:
- why is it safe to be NUL-terminated?
- why is NUL padding needed/not needed?
- why is the maximum length argument correct?
In this case, db_root is used with "%s" format strings, so we know it is
expected to be NUL-terminated. Additionally, it is _only_ ever used with
"5s" format strings, so padding is not needed.
As for length, read_bytes will always be less than DB_ROOT_LEN because
it is explicitly tested for against "count" which, enforced by the
SETATTR API, will always be the number of valid bytes in "page", and
snprintf() will be limited to DB_ROOT_LEN. (snprintf may return more
than its length argument, but because of the "count" check, this should
be impossible.)
While you're in this file, though, can you replace the other strncpy
that is used in target_init_dbroot() also?
-Kees
--
Kees Cook
next prev parent reply other threads:[~2025-02-28 20:10 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-02-26 12:10 [PATCH] scsi: target: Replace deprecated strncpy() with strscpy() Thorsten Blum
2025-02-28 20:10 ` Kees Cook [this message]
2025-03-02 11:41 ` Thorsten Blum
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=202502281204.CE15A6BA35@keescook \
--to=kees@kernel.org \
--cc=linux-hardening@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-scsi@vger.kernel.org \
--cc=martin.petersen@oracle.com \
--cc=target-devel@vger.kernel.org \
--cc=thorsten.blum@linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox