[PATCH linux-next] tracing: use strscpy() to instead of strncpy()

linux-trace-kernel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

* [PATCH linux-next] tracing: use strscpy() to instead of strncpy()
@ 2023-01-09 11:39 yang.yang29
  2023-01-10  0:03 ` Masami Hiramatsu
  2023-01-24 17:17 ` Steven Rostedt
  0 siblings, 2 replies; 5+ messages in thread
From: yang.yang29 @ 2023-01-09 11:39 UTC (permalink / raw)
  To: rostedt; +Cc: mhiramat, linux-kernel, linux-trace-kernel, xu.panda, yang.yang29

From: Xu Panda <xu.panda@zte.com.cn>

The implementation of strscpy() is more robust and safer.
That's now the recommended way to copy NUL-terminated strings.

Signed-off-by: Xu Panda <xu.panda@zte.com.cn>
Signed-off-by: Yang Yang <yang.yang29@zte.com.cn>
---
 kernel/trace/trace_events_synth.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/kernel/trace/trace_events_synth.c b/kernel/trace/trace_events_synth.c
index 67592eed0be8..cd636edd045e 100644
--- a/kernel/trace/trace_events_synth.c
+++ b/kernel/trace/trace_events_synth.c
@@ -195,8 +195,7 @@ static int synth_field_string_size(char *type)
 	if (len == 0)
 		return 0; /* variable-length string */

-	strncpy(buf, start, len);
-	buf[len] = '\0';
+	strscpy(buf, start, len + 1);

 	err = kstrtouint(buf, 0, &size);
 	if (err)
-- 
2.15.2

^ permalink raw reply related	[flat|nested] 5+ messages in thread

* Re: [PATCH linux-next] tracing: use strscpy() to instead of strncpy()
  2023-01-09 11:39 [PATCH linux-next] tracing: use strscpy() to instead of strncpy() yang.yang29
@ 2023-01-10  0:03 ` Masami Hiramatsu
  2023-01-24 17:17 ` Steven Rostedt
  1 sibling, 0 replies; 5+ messages in thread
From: Masami Hiramatsu @ 2023-01-10  0:03 UTC (permalink / raw)
  To: yang.yang29; +Cc: rostedt, mhiramat, linux-kernel, linux-trace-kernel, xu.panda

On Mon, 9 Jan 2023 19:39:21 +0800 (CST)
<yang.yang29@zte.com.cn> wrote:

> From: Xu Panda <xu.panda@zte.com.cn>
> 
> The implementation of strscpy() is more robust and safer.
> That's now the recommended way to copy NUL-terminated strings.

This looks good to me.

Acked-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>

Thank you,

> 
> Signed-off-by: Xu Panda <xu.panda@zte.com.cn>
> Signed-off-by: Yang Yang <yang.yang29@zte.com.cn>
> ---
>  kernel/trace/trace_events_synth.c | 3 +--
>  1 file changed, 1 insertion(+), 2 deletions(-)
> 
> diff --git a/kernel/trace/trace_events_synth.c b/kernel/trace/trace_events_synth.c
> index 67592eed0be8..cd636edd045e 100644
> --- a/kernel/trace/trace_events_synth.c
> +++ b/kernel/trace/trace_events_synth.c
> @@ -195,8 +195,7 @@ static int synth_field_string_size(char *type)
>  	if (len == 0)
>  		return 0; /* variable-length string */
> 
> -	strncpy(buf, start, len);
> -	buf[len] = '\0';
> +	strscpy(buf, start, len + 1);
> 
>  	err = kstrtouint(buf, 0, &size);
>  	if (err)
> -- 
> 2.15.2


-- 
Masami Hiramatsu (Google) <mhiramat@kernel.org>

^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: [PATCH linux-next] tracing: use strscpy() to instead of strncpy()
  2023-01-09 11:39 [PATCH linux-next] tracing: use strscpy() to instead of strncpy() yang.yang29
  2023-01-10  0:03 ` Masami Hiramatsu
@ 2023-01-24 17:17 ` Steven Rostedt
  2024-10-01  1:33   ` Justin Stitt
  2025-02-14 22:27   ` Thorsten Blum
  1 sibling, 2 replies; 5+ messages in thread
From: Steven Rostedt @ 2023-01-24 17:17 UTC (permalink / raw)
  To: yang.yang29; +Cc: mhiramat, linux-kernel, linux-trace-kernel, xu.panda

On Mon, 9 Jan 2023 19:39:21 +0800 (CST)
<yang.yang29@zte.com.cn> wrote:

> From: Xu Panda <xu.panda@zte.com.cn>
> 
> The implementation of strscpy() is more robust and safer.
> That's now the recommended way to copy NUL-terminated strings.

But the string being copied is *not* NUL-terminated! And this change causes
a bug.

This is the 3rd patch I've seen that blindly converts strncpy() to
strscpy() and causes a bug in doing so. Not very safe if you ask me.

> 
> Signed-off-by: Xu Panda <xu.panda@zte.com.cn>
> Signed-off-by: Yang Yang <yang.yang29@zte.com.cn>
> ---
>  kernel/trace/trace_events_synth.c | 3 +--
>  1 file changed, 1 insertion(+), 2 deletions(-)
> 
> diff --git a/kernel/trace/trace_events_synth.c b/kernel/trace/trace_events_synth.c
> index 67592eed0be8..cd636edd045e 100644
> --- a/kernel/trace/trace_events_synth.c
> +++ b/kernel/trace/trace_events_synth.c
> @@ -195,8 +195,7 @@ static int synth_field_string_size(char *type)
>  	if (len == 0)
>  		return 0; /* variable-length string */
> 
> -	strncpy(buf, start, len);
> -	buf[len] = '\0';
> +	strscpy(buf, start, len + 1);
> 
>  	err = kstrtouint(buf, 0, &size);
>  	if (err)


Here's the code being affected:

static int synth_field_string_size(char *type)
{
	char buf[4], *end, *start;
	unsigned int len;
	int size, err;

	start = strstr(type, "char[");
	if (start == NULL)
		return -EINVAL;
	start += sizeof("char[") - 1;

	end = strchr(type, ']');
	if (!end || end < start || type + strlen(type) > end + 1)
		return -EINVAL;

	len = end - start;
	if (len > 3)
		return -EINVAL;

	if (len == 0)
		return 0; /* variable-length string */

	strncpy(buf, start, len);
	buf[len] = '\0';

And you are replacing the above two lines with just:

	strscpy(buf, start, len + 1);


If you noticed, the string being placed into buf is:

  "char[123]"

Where we want to copy that "123" into buf.

strscpy() expects the source to be nul terminated, or it will return -E2BIG.

So the above will *always* return -E2BIG *and* not end buf[] with '\0' as
if strscpy() returns -E2BIG, then buf[] is not guaranteed to be
NUL-terminated.

  NACK!

-- Steve

^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: [PATCH linux-next] tracing: use strscpy() to instead of strncpy()
  2023-01-24 17:17 ` Steven Rostedt
@ 2024-10-01  1:33   ` Justin Stitt
  2025-02-14 22:27   ` Thorsten Blum
  1 sibling, 0 replies; 5+ messages in thread
From: Justin Stitt @ 2024-10-01  1:33 UTC (permalink / raw)
  To: Steven Rostedt
  Cc: yang.yang29, mhiramat, linux-kernel, linux-trace-kernel, xu.panda

Hi Steve,

Can we revisit this patch? see below.

On Tue, Jan 24, 2023 at 12:17:03PM GMT, Steven Rostedt wrote:
> On Mon, 9 Jan 2023 19:39:21 +0800 (CST)
> <yang.yang29@zte.com.cn> wrote:
> 
> > From: Xu Panda <xu.panda@zte.com.cn>
> > 
> > The implementation of strscpy() is more robust and safer.
> > That's now the recommended way to copy NUL-terminated strings.
> 
> But the string being copied is *not* NUL-terminated! And this change causes
> a bug.
> 
> This is the 3rd patch I've seen that blindly converts strncpy() to
> strscpy() and causes a bug in doing so. Not very safe if you ask me.
> 
> > 
> > Signed-off-by: Xu Panda <xu.panda@zte.com.cn>
> > Signed-off-by: Yang Yang <yang.yang29@zte.com.cn>
> > ---
> >  kernel/trace/trace_events_synth.c | 3 +--
> >  1 file changed, 1 insertion(+), 2 deletions(-)
> > 
> > diff --git a/kernel/trace/trace_events_synth.c b/kernel/trace/trace_events_synth.c
> > index 67592eed0be8..cd636edd045e 100644
> > --- a/kernel/trace/trace_events_synth.c
> > +++ b/kernel/trace/trace_events_synth.c
> > @@ -195,8 +195,7 @@ static int synth_field_string_size(char *type)
> >  	if (len == 0)
> >  		return 0; /* variable-length string */
> > 
> > -	strncpy(buf, start, len);
> > -	buf[len] = '\0';
> > +	strscpy(buf, start, len + 1);
> > 
> >  	err = kstrtouint(buf, 0, &size);
> >  	if (err)
> 
> 
> Here's the code being affected:
> 
> static int synth_field_string_size(char *type)
> {
> 	char buf[4], *end, *start;
> 	unsigned int len;
> 	int size, err;
> 
> 	start = strstr(type, "char[");
> 	if (start == NULL)
> 		return -EINVAL;
> 	start += sizeof("char[") - 1;
> 
> 	end = strchr(type, ']');
> 	if (!end || end < start || type + strlen(type) > end + 1)
> 		return -EINVAL;
> 
> 	len = end - start;
> 	if (len > 3)
> 		return -EINVAL;
> 
> 	if (len == 0)
> 		return 0; /* variable-length string */
> 
> 	strncpy(buf, start, len);
> 	buf[len] = '\0';
> 
> And you are replacing the above two lines with just:
> 
> 	strscpy(buf, start, len + 1);
> 
> 
> If you noticed, the string being placed into buf is:
> 
>   "char[123]"
> 
> Where we want to copy that "123" into buf.
> 
> strscpy() expects the source to be nul terminated, or it will return -E2BIG.
> 
> So the above will *always* return -E2BIG *and* not end buf[] with '\0' as
> if strscpy() returns -E2BIG, then buf[] is not guaranteed to be
> NUL-terminated.

@buf should still be NUL-terminated while returning -E2BIG in this
instance. For context, here's the implementation of strscpy():
  ...
  /* Hit buffer length without finding a NUL; force NUL-termination. */
  if (res)
    dest[res-1] = '\0';

  return -E2BIG;

... and the only other spot where we can return E2BIG is way earlier in
the function where we check the count.
  if (count == 0 || WARN_ON_ONCE(count > INT_MAX))
    return -E2BIG;

So it seems we should be NUL-terminating @buf in all cases, considering
count is greater than 0 and certainly not larger than INT_MAX. And, with
the `len + 1` we shouldn't be seeing any data loss either.

> 
>   NACK!
> 
> -- Steve
>

I'm keen on replacing this instance of strncpy towards the goal of [1].
If we don't want to use strscpy() I think memcpy() is another viable
alternative (of course leaving the manual NUL-byte assignment as-is).

[1]: https://github.com/KSPP/linux/issues/90

Thanks
Justin

^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: [PATCH linux-next] tracing: use strscpy() to instead of strncpy()
  2023-01-24 17:17 ` Steven Rostedt
  2024-10-01  1:33   ` Justin Stitt
@ 2025-02-14 22:27   ` Thorsten Blum
  1 sibling, 0 replies; 5+ messages in thread
From: Thorsten Blum @ 2025-02-14 22:27 UTC (permalink / raw)
  To: Steven Rostedt
  Cc: yang.yang29, mhiramat, linux-kernel, linux-trace-kernel, xu.panda,
	linux-hardening, Justin Stitt

Hi Steven,

I was about to submit the same patch when I found this one from 2023.

On 24. Jan 2023, at 18:17, Steven Rostedt wrote:
> So the above will *always* return -E2BIG *and* not end buf[] with '\0' as
> if strscpy() returns -E2BIG, then buf[] is not guaranteed to be
> NUL-terminated.

The return value is not used and the strscpy() documentation in
linux/string.h says:

"The destination @dst buffer is always NUL terminated, unless it's zero-
sized." and "Preferred to strncpy() since it always returns a valid
string, ..."

Has strscpy() changed since 2023 or could this patch be revisited? I saw
that Justin also made an effort in September 2024 [1] to revisit it and
to remove the deprecated strncpy() here.

> NACK!
> 
> -- Steve

Thanks,
Thorsten

[1] https://lore.kernel.org/r/yhv3rzg6vhgwage27cyvg72t4vwf5x3tdtj3zjipryzvz3u55x@c33q753uxyi3/
Cc: linux-hardening@vger.kernel.org

^ permalink raw reply	[flat|nested] 5+ messages in thread

end of thread, other threads:[~2025-02-14 22:27 UTC | newest]

Thread overview: 5+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2023-01-09 11:39 [PATCH linux-next] tracing: use strscpy() to instead of strncpy() yang.yang29
2023-01-10  0:03 ` Masami Hiramatsu
2023-01-24 17:17 ` Steven Rostedt
2024-10-01  1:33   ` Justin Stitt
2025-02-14 22:27   ` Thorsten Blum

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).