* [PATCH v3 0/2] wifi: brcm80211: replace deprecated strncpy
@ 2023-10-17 20:11 Justin Stitt
2023-10-17 20:11 ` [PATCH v3 1/2] wifi: brcm80211: replace deprecated strncpy with strscpy Justin Stitt
` (2 more replies)
0 siblings, 3 replies; 10+ messages in thread
From: Justin Stitt @ 2023-10-17 20:11 UTC (permalink / raw)
To: Arend van Spriel, Franky Lin, Hante Meuleman, Kalle Valo
Cc: linux-wireless, brcm80211-dev-list.pdl, SHA-cyfmac-dev-list,
linux-kernel, linux-hardening, Justin Stitt
Hi,
This series used to be just one patch in [v2] but I've split it into two
separate patches.
The motivation behind this series is that strncpy() is deprecated for
use on NUL-terminated destination strings [1] and as such we should
prefer more robust and less ambiguous string interfaces.
In cases where we expect the destination buffer to be NUL-terminated
let's opt for strscpy() as this guarantees NUL-termination. Other cases
are just simple byte copies with pre-determined bounds; for these let's
use plain-ol' memcpy().
Each change is detailed in its accompanying patch message.
Link: https://www.kernel.org/doc/html/latest/process/deprecated.html#strncpy-on-nul-terminated-strings [1]
Link: https://manpages.debian.org/testing/linux-manual-4.8/strscpy.9.en.html [2]
Link: https://github.com/KSPP/linux/issues/90
Signed-off-by: Justin Stitt <justinstitt@google.com>
---
Changes in v3:
- split up into two separate patches (thanks Franky)
- use better subject line (thanks Franky + Kalle)
- Link to v2: https://lore.kernel.org/r/20231016-strncpy-drivers-net-wireless-broadcom-brcm80211-brcmfmac-cfg80211-c-v2-1-6c7567e1d3b8@google.com
Changes in v2:
- add other strncpy replacements
- Link to v1: https://lore.kernel.org/r/20231016-strncpy-drivers-net-wireless-broadcom-brcm80211-brcmfmac-cfg80211-c-v1-1-4234807ca07e@google.com
---
Justin Stitt (2):
wifi: brcm80211: replace deprecated strncpy with strscpy
wifi: brcmsmac: replace deprecated strncpy with memcpy
drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c | 2 +-
drivers/net/wireless/broadcom/brcm80211/brcmfmac/p2p.c | 2 +-
drivers/net/wireless/broadcom/brcm80211/brcmsmac/channel.c | 6 +++---
drivers/net/wireless/broadcom/brcm80211/brcmsmac/dma.c | 3 +--
drivers/net/wireless/broadcom/brcm80211/brcmsmac/main.c | 4 ++--
5 files changed, 8 insertions(+), 9 deletions(-)
---
base-commit: cbf3a2cb156a2c911d8f38d8247814b4c07f49a2
change-id: 20231016-strncpy-drivers-net-wireless-broadcom-brcm80211-brcmfmac-cfg80211-c-a20108421685
Best regards,
--
Justin Stitt <justinstitt@google.com>
^ permalink raw reply [flat|nested] 10+ messages in thread* [PATCH v3 1/2] wifi: brcm80211: replace deprecated strncpy with strscpy 2023-10-17 20:11 [PATCH v3 0/2] wifi: brcm80211: replace deprecated strncpy Justin Stitt @ 2023-10-17 20:11 ` Justin Stitt 2023-10-26 17:20 ` Kees Cook 2023-10-30 17:20 ` Kalle Valo 2023-10-17 20:11 ` [PATCH v3 2/2] wifi: brcmsmac: replace deprecated strncpy with memcpy Justin Stitt 2023-10-17 21:27 ` [PATCH v3 0/2] wifi: brcm80211: replace deprecated strncpy Franky Lin 2 siblings, 2 replies; 10+ messages in thread From: Justin Stitt @ 2023-10-17 20:11 UTC (permalink / raw) To: Arend van Spriel, Franky Lin, Hante Meuleman, Kalle Valo Cc: linux-wireless, brcm80211-dev-list.pdl, SHA-cyfmac-dev-list, linux-kernel, linux-hardening, Justin Stitt Let's move away from using strncpy and instead favor a less ambiguous and more robust interface. For ifp->ndev->name, we expect ifp->ndev->name to be NUL-terminated based on its use in format strings within core.c: 67 | char *brcmf_ifname(struct brcmf_if *ifp) 68 | { 69 | if (!ifp) 70 | return "<if_null>"; 71 | 72 | if (ifp->ndev) 73 | return ifp->ndev->name; 74 | 75 | return "<if_none>"; 76 | } ... 288 | static netdev_tx_t brcmf_netdev_start_xmit(struct sk_buff *skb, 289 | struct net_device *ndev) { ... 330 | brcmf_dbg(INFO, "%s: insufficient headroom (%d)\n", 331 | brcmf_ifname(ifp), head_delta); ... 336 | bphy_err(drvr, "%s: failed to expand headroom\n", 337 | brcmf_ifname(ifp)); For di->name, we expect di->name to be NUL-terminated based on its usage with format strings: | brcms_dbg_dma(di->core, | "%s: DMA64 tx doesn't have AE set\n", | di->name); Looking at its allocation we can see that it is already zero-allocated which means NUL-padding is not required: | di = kzalloc(sizeof(struct dma_info), GFP_ATOMIC); For wlc->modulecb[i].name, we expect each name in wlc->modulecb to be NUL-terminated based on their usage with strcmp(): | if (!strcmp(wlc->modulecb[i].name, name) && NUL-padding is not required as wlc is zero-allocated in: brcms_c_attach_malloc() -> | wlc = kzalloc(sizeof(struct brcms_c_info), GFP_ATOMIC); For all these cases, a suitable replacement is `strscpy` due to the fact that it guarantees NUL-termination on the destination buffer without unnecessarily NUL-padding. Signed-off-by: Justin Stitt <justinstitt@google.com> --- drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c | 2 +- drivers/net/wireless/broadcom/brcm80211/brcmfmac/p2p.c | 2 +- drivers/net/wireless/broadcom/brcm80211/brcmsmac/dma.c | 3 +-- drivers/net/wireless/broadcom/brcm80211/brcmsmac/main.c | 4 ++-- 4 files changed, 5 insertions(+), 6 deletions(-) diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c index 2a90bb24ba77..7daa418df877 100644 --- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c +++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c @@ -866,7 +866,7 @@ struct wireless_dev *brcmf_apsta_add_vif(struct wiphy *wiphy, const char *name, goto fail; } - strncpy(ifp->ndev->name, name, sizeof(ifp->ndev->name) - 1); + strscpy(ifp->ndev->name, name, sizeof(ifp->ndev->name)); err = brcmf_net_attach(ifp, true); if (err) { bphy_err(drvr, "Registering netdevice failed\n"); diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/p2p.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/p2p.c index d4492d02e4ea..6e0c90f4718b 100644 --- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/p2p.c +++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/p2p.c @@ -2334,7 +2334,7 @@ struct wireless_dev *brcmf_p2p_add_vif(struct wiphy *wiphy, const char *name, goto fail; } - strncpy(ifp->ndev->name, name, sizeof(ifp->ndev->name) - 1); + strscpy(ifp->ndev->name, name, sizeof(ifp->ndev->name)); ifp->ndev->name_assign_type = name_assign_type; err = brcmf_net_attach(ifp, true); if (err) { diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmsmac/dma.c b/drivers/net/wireless/broadcom/brcm80211/brcmsmac/dma.c index b7df576bb84d..3d5c1ef8f7f2 100644 --- a/drivers/net/wireless/broadcom/brcm80211/brcmsmac/dma.c +++ b/drivers/net/wireless/broadcom/brcm80211/brcmsmac/dma.c @@ -584,8 +584,7 @@ struct dma_pub *dma_attach(char *name, struct brcms_c_info *wlc, rxextheadroom, nrxpost, rxoffset, txregbase, rxregbase); /* make a private copy of our callers name */ - strncpy(di->name, name, MAXNAMEL); - di->name[MAXNAMEL - 1] = '\0'; + strscpy(di->name, name, sizeof(di->name)); di->dmadev = core->dma_dev; diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmsmac/main.c b/drivers/net/wireless/broadcom/brcm80211/brcmsmac/main.c index b3663c5ef382..34460b5815d0 100644 --- a/drivers/net/wireless/broadcom/brcm80211/brcmsmac/main.c +++ b/drivers/net/wireless/broadcom/brcm80211/brcmsmac/main.c @@ -5551,8 +5551,8 @@ int brcms_c_module_register(struct brcms_pub *pub, /* find an empty entry and just add, no duplication check! */ for (i = 0; i < BRCMS_MAXMODULES; i++) { if (wlc->modulecb[i].name[0] == '\0') { - strncpy(wlc->modulecb[i].name, name, - sizeof(wlc->modulecb[i].name) - 1); + strscpy(wlc->modulecb[i].name, name, + sizeof(wlc->modulecb[i].name)); wlc->modulecb[i].hdl = hdl; wlc->modulecb[i].down_fn = d_fn; return 0; -- 2.42.0.655.g421f12c284-goog ^ permalink raw reply related [flat|nested] 10+ messages in thread
* Re: [PATCH v3 1/2] wifi: brcm80211: replace deprecated strncpy with strscpy 2023-10-17 20:11 ` [PATCH v3 1/2] wifi: brcm80211: replace deprecated strncpy with strscpy Justin Stitt @ 2023-10-26 17:20 ` Kees Cook 2023-10-30 17:20 ` Kalle Valo 1 sibling, 0 replies; 10+ messages in thread From: Kees Cook @ 2023-10-26 17:20 UTC (permalink / raw) To: Justin Stitt Cc: Arend van Spriel, Franky Lin, Hante Meuleman, Kalle Valo, linux-wireless, brcm80211-dev-list.pdl, SHA-cyfmac-dev-list, linux-kernel, linux-hardening On Tue, Oct 17, 2023 at 08:11:28PM +0000, Justin Stitt wrote: > Let's move away from using strncpy and instead favor a less ambiguous > and more robust interface. > > For ifp->ndev->name, we expect ifp->ndev->name to be NUL-terminated based > on its use in format strings within core.c: > 67 | char *brcmf_ifname(struct brcmf_if *ifp) > 68 | { > 69 | if (!ifp) > 70 | return "<if_null>"; > 71 | > 72 | if (ifp->ndev) > 73 | return ifp->ndev->name; > 74 | > 75 | return "<if_none>"; > 76 | } > ... > 288 | static netdev_tx_t brcmf_netdev_start_xmit(struct sk_buff *skb, > 289 | struct net_device *ndev) { > ... > 330 | brcmf_dbg(INFO, "%s: insufficient headroom (%d)\n", > 331 | brcmf_ifname(ifp), head_delta); > ... > 336 | bphy_err(drvr, "%s: failed to expand headroom\n", > 337 | brcmf_ifname(ifp)); > > For di->name, we expect di->name to be NUL-terminated based on its usage > with format strings: > | brcms_dbg_dma(di->core, > | "%s: DMA64 tx doesn't have AE set\n", > | di->name); > > Looking at its allocation we can see that it is already zero-allocated > which means NUL-padding is not required: > | di = kzalloc(sizeof(struct dma_info), GFP_ATOMIC); > > For wlc->modulecb[i].name, we expect each name in wlc->modulecb to be > NUL-terminated based on their usage with strcmp(): > | if (!strcmp(wlc->modulecb[i].name, name) && > > NUL-padding is not required as wlc is zero-allocated in: > brcms_c_attach_malloc() -> > | wlc = kzalloc(sizeof(struct brcms_c_info), GFP_ATOMIC); > > For all these cases, a suitable replacement is `strscpy` due to the fact > that it guarantees NUL-termination on the destination buffer without > unnecessarily NUL-padding. > > Signed-off-by: Justin Stitt <justinstitt@google.com> Good; this looks like standard direct replacements. Reviewed-by: Kees Cook <keescook@chromium.org> -- Kees Cook ^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: [PATCH v3 1/2] wifi: brcm80211: replace deprecated strncpy with strscpy 2023-10-17 20:11 ` [PATCH v3 1/2] wifi: brcm80211: replace deprecated strncpy with strscpy Justin Stitt 2023-10-26 17:20 ` Kees Cook @ 2023-10-30 17:20 ` Kalle Valo 1 sibling, 0 replies; 10+ messages in thread From: Kalle Valo @ 2023-10-30 17:20 UTC (permalink / raw) To: Justin Stitt Cc: Arend van Spriel, Franky Lin, Hante Meuleman, linux-wireless, brcm80211-dev-list.pdl, SHA-cyfmac-dev-list, linux-kernel, linux-hardening, Justin Stitt Justin Stitt <justinstitt@google.com> wrote: > Let's move away from using strncpy and instead favor a less ambiguous > and more robust interface. > > For ifp->ndev->name, we expect ifp->ndev->name to be NUL-terminated based > on its use in format strings within core.c: > 67 | char *brcmf_ifname(struct brcmf_if *ifp) > 68 | { > 69 | if (!ifp) > 70 | return "<if_null>"; > 71 | > 72 | if (ifp->ndev) > 73 | return ifp->ndev->name; > 74 | > 75 | return "<if_none>"; > 76 | } > ... > 288 | static netdev_tx_t brcmf_netdev_start_xmit(struct sk_buff *skb, > 289 | struct net_device *ndev) { > ... > 330 | brcmf_dbg(INFO, "%s: insufficient headroom (%d)\n", > 331 | brcmf_ifname(ifp), head_delta); > ... > 336 | bphy_err(drvr, "%s: failed to expand headroom\n", > 337 | brcmf_ifname(ifp)); > > For di->name, we expect di->name to be NUL-terminated based on its usage > with format strings: > | brcms_dbg_dma(di->core, > | "%s: DMA64 tx doesn't have AE set\n", > | di->name); > > Looking at its allocation we can see that it is already zero-allocated > which means NUL-padding is not required: > | di = kzalloc(sizeof(struct dma_info), GFP_ATOMIC); > > For wlc->modulecb[i].name, we expect each name in wlc->modulecb to be > NUL-terminated based on their usage with strcmp(): > | if (!strcmp(wlc->modulecb[i].name, name) && > > NUL-padding is not required as wlc is zero-allocated in: > brcms_c_attach_malloc() -> > | wlc = kzalloc(sizeof(struct brcms_c_info), GFP_ATOMIC); > > For all these cases, a suitable replacement is `strscpy` due to the fact > that it guarantees NUL-termination on the destination buffer without > unnecessarily NUL-padding. > > Signed-off-by: Justin Stitt <justinstitt@google.com> > Reviewed-by: Kees Cook <keescook@chromium.org> 2 patches applied to wireless-next.git, thanks. 9d0d0a207040 wifi: brcm80211: replace deprecated strncpy with strscpy a614f9579705 wifi: brcmsmac: replace deprecated strncpy with memcpy -- https://patchwork.kernel.org/project/linux-wireless/patch/20231017-strncpy-drivers-net-wireless-broadcom-brcm80211-brcmfmac-cfg80211-c-v3-1-af780d74ae38@google.com/ https://wireless.wiki.kernel.org/en/developers/documentation/submittingpatches ^ permalink raw reply [flat|nested] 10+ messages in thread
* [PATCH v3 2/2] wifi: brcmsmac: replace deprecated strncpy with memcpy 2023-10-17 20:11 [PATCH v3 0/2] wifi: brcm80211: replace deprecated strncpy Justin Stitt 2023-10-17 20:11 ` [PATCH v3 1/2] wifi: brcm80211: replace deprecated strncpy with strscpy Justin Stitt @ 2023-10-17 20:11 ` Justin Stitt 2023-10-19 0:03 ` Kees Cook 2023-10-17 21:27 ` [PATCH v3 0/2] wifi: brcm80211: replace deprecated strncpy Franky Lin 2 siblings, 1 reply; 10+ messages in thread From: Justin Stitt @ 2023-10-17 20:11 UTC (permalink / raw) To: Arend van Spriel, Franky Lin, Hante Meuleman, Kalle Valo Cc: linux-wireless, brcm80211-dev-list.pdl, SHA-cyfmac-dev-list, linux-kernel, linux-hardening, Justin Stitt Let's move away from using strncpy and instead use the more obvious interface for this context. For wlc->pub->srom_ccode, we're just copying two bytes from ccode into wlc->pub->srom_ccode with no expectation that srom_ccode be NUL-terminated: wlc->pub->srom_ccode is only used in regulatory_hint(): 1193 | if (wl->pub->srom_ccode[0] && 1194 | regulatory_hint(wl->wiphy, wl->pub->srom_ccode)) 1195 | wiphy_err(wl->wiphy, "%s: regulatory hint failed\n", __func__); We can see that only index 0 and index 1 are accessed. 3307 | int regulatory_hint(struct wiphy *wiphy, const char *alpha2) 3308 | { ... | ... 3322 | request->alpha2[0] = alpha2[0]; 3323 | request->alpha2[1] = alpha2[1]; ... | ... 3332 | } Since this is just a simple byte copy with correct lengths, let's use memcpy(). There should be no functional change. In a similar boat, both wlc->country_default and wlc->autocountry_default are just simple byte copies so let's use memcpy. However, FWICT they aren't used anywhere. (they should be used or removed -- not in scope of my patch, though). Signed-off-by: Justin Stitt <justinstitt@google.com> --- drivers/net/wireless/broadcom/brcm80211/brcmsmac/channel.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmsmac/channel.c b/drivers/net/wireless/broadcom/brcm80211/brcmsmac/channel.c index 5a6d9c86552a..f6962e558d7c 100644 --- a/drivers/net/wireless/broadcom/brcm80211/brcmsmac/channel.c +++ b/drivers/net/wireless/broadcom/brcm80211/brcmsmac/channel.c @@ -341,7 +341,7 @@ struct brcms_cm_info *brcms_c_channel_mgr_attach(struct brcms_c_info *wlc) /* store the country code for passing up as a regulatory hint */ wlc_cm->world_regd = brcms_world_regd(ccode, ccode_len); if (brcms_c_country_valid(ccode)) - strncpy(wlc->pub->srom_ccode, ccode, ccode_len); + memcpy(wlc->pub->srom_ccode, ccode, ccode_len); /* * If no custom world domain is found in the SROM, use the @@ -354,10 +354,10 @@ struct brcms_cm_info *brcms_c_channel_mgr_attach(struct brcms_c_info *wlc) } /* save default country for exiting 11d regulatory mode */ - strncpy(wlc->country_default, ccode, ccode_len); + memcpy(wlc->country_default, ccode, ccode_len); /* initialize autocountry_default to driver default */ - strncpy(wlc->autocountry_default, ccode, ccode_len); + memcpy(wlc->autocountry_default, ccode, ccode_len); brcms_c_set_country(wlc_cm, wlc_cm->world_regd); -- 2.42.0.655.g421f12c284-goog ^ permalink raw reply related [flat|nested] 10+ messages in thread
* Re: [PATCH v3 2/2] wifi: brcmsmac: replace deprecated strncpy with memcpy 2023-10-17 20:11 ` [PATCH v3 2/2] wifi: brcmsmac: replace deprecated strncpy with memcpy Justin Stitt @ 2023-10-19 0:03 ` Kees Cook 2023-10-19 17:37 ` Justin Stitt 2023-10-26 17:21 ` Kees Cook 0 siblings, 2 replies; 10+ messages in thread From: Kees Cook @ 2023-10-19 0:03 UTC (permalink / raw) To: Justin Stitt Cc: Arend van Spriel, Franky Lin, Hante Meuleman, Kalle Valo, linux-wireless, brcm80211-dev-list.pdl, SHA-cyfmac-dev-list, linux-kernel, linux-hardening On Tue, Oct 17, 2023 at 08:11:29PM +0000, Justin Stitt wrote: > Let's move away from using strncpy and instead use the more obvious > interface for this context. > > For wlc->pub->srom_ccode, we're just copying two bytes from ccode into > wlc->pub->srom_ccode with no expectation that srom_ccode be > NUL-terminated: > wlc->pub->srom_ccode is only used in regulatory_hint(): > 1193 | if (wl->pub->srom_ccode[0] && > 1194 | regulatory_hint(wl->wiphy, wl->pub->srom_ccode)) > 1195 | wiphy_err(wl->wiphy, "%s: regulatory hint failed\n", __func__); > > We can see that only index 0 and index 1 are accessed. > 3307 | int regulatory_hint(struct wiphy *wiphy, const char *alpha2) > 3308 | { > ... | ... > 3322 | request->alpha2[0] = alpha2[0]; > 3323 | request->alpha2[1] = alpha2[1]; > ... | ... > 3332 | } > > Since this is just a simple byte copy with correct lengths, let's use > memcpy(). There should be no functional change. > > In a similar boat, both wlc->country_default and > wlc->autocountry_default are just simple byte copies so let's use > memcpy. However, FWICT they aren't used anywhere. (they should be > used or removed -- not in scope of my patch, though). > > Signed-off-by: Justin Stitt <justinstitt@google.com> > --- > drivers/net/wireless/broadcom/brcm80211/brcmsmac/channel.c | 6 +++--- > 1 file changed, 3 insertions(+), 3 deletions(-) > > diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmsmac/channel.c b/drivers/net/wireless/broadcom/brcm80211/brcmsmac/channel.c > index 5a6d9c86552a..f6962e558d7c 100644 > --- a/drivers/net/wireless/broadcom/brcm80211/brcmsmac/channel.c > +++ b/drivers/net/wireless/broadcom/brcm80211/brcmsmac/channel.c > @@ -341,7 +341,7 @@ struct brcms_cm_info *brcms_c_channel_mgr_attach(struct brcms_c_info *wlc) > /* store the country code for passing up as a regulatory hint */ > wlc_cm->world_regd = brcms_world_regd(ccode, ccode_len); > if (brcms_c_country_valid(ccode)) > - strncpy(wlc->pub->srom_ccode, ccode, ccode_len); > + memcpy(wlc->pub->srom_ccode, ccode, ccode_len); const char *ccode = sprom->alpha2; int ccode_len = sizeof(sprom->alpha2); struct ssb_sprom { ... char alpha2[2]; /* Country Code as two chars like EU or US */ This should be marked __nonstring, IMO. struct brcms_pub { ... char srom_ccode[BRCM_CNTRY_BUF_SZ]; /* Country Code in SROM */ #define BRCM_CNTRY_BUF_SZ 4 /* Country string is 3 bytes + NUL */ This, however, is shown as explicitly %NUL terminated. The old strncpy wasn't %NUL terminating wlc->pub->srom_ccode, though, so the memcpy is the same result, but is that actually _correct_ here? > > /* > * If no custom world domain is found in the SROM, use the > @@ -354,10 +354,10 @@ struct brcms_cm_info *brcms_c_channel_mgr_attach(struct brcms_c_info *wlc) > } > > /* save default country for exiting 11d regulatory mode */ > - strncpy(wlc->country_default, ccode, ccode_len); > + memcpy(wlc->country_default, ccode, ccode_len); > > /* initialize autocountry_default to driver default */ > - strncpy(wlc->autocountry_default, ccode, ccode_len); > + memcpy(wlc->autocountry_default, ccode, ccode_len); struct brcms_c_info { ... char country_default[BRCM_CNTRY_BUF_SZ]; char autocountry_default[BRCM_CNTRY_BUF_SZ]; These are similar... So, this change results in the same behavior, but is it right? -Kees -- Kees Cook ^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: [PATCH v3 2/2] wifi: brcmsmac: replace deprecated strncpy with memcpy 2023-10-19 0:03 ` Kees Cook @ 2023-10-19 17:37 ` Justin Stitt 2023-10-26 17:21 ` Kees Cook 1 sibling, 0 replies; 10+ messages in thread From: Justin Stitt @ 2023-10-19 17:37 UTC (permalink / raw) To: Kees Cook Cc: Arend van Spriel, Franky Lin, Hante Meuleman, Kalle Valo, linux-wireless, brcm80211-dev-list.pdl, SHA-cyfmac-dev-list, linux-kernel, linux-hardening On Wed, Oct 18, 2023 at 5:03 PM Kees Cook <keescook@chromium.org> wrote: > > On Tue, Oct 17, 2023 at 08:11:29PM +0000, Justin Stitt wrote: > > Let's move away from using strncpy and instead use the more obvious > > interface for this context. > > > > For wlc->pub->srom_ccode, we're just copying two bytes from ccode into > > wlc->pub->srom_ccode with no expectation that srom_ccode be > > NUL-terminated: > > wlc->pub->srom_ccode is only used in regulatory_hint(): > > 1193 | if (wl->pub->srom_ccode[0] && > > 1194 | regulatory_hint(wl->wiphy, wl->pub->srom_ccode)) > > 1195 | wiphy_err(wl->wiphy, "%s: regulatory hint failed\n", __func__); > > > > We can see that only index 0 and index 1 are accessed. > > 3307 | int regulatory_hint(struct wiphy *wiphy, const char *alpha2) > > 3308 | { > > ... | ... > > 3322 | request->alpha2[0] = alpha2[0]; > > 3323 | request->alpha2[1] = alpha2[1]; > > ... | ... > > 3332 | } > > > > Since this is just a simple byte copy with correct lengths, let's use > > memcpy(). There should be no functional change. > > > > In a similar boat, both wlc->country_default and > > wlc->autocountry_default are just simple byte copies so let's use > > memcpy. However, FWICT they aren't used anywhere. (they should be > > used or removed -- not in scope of my patch, though). > > > > Signed-off-by: Justin Stitt <justinstitt@google.com> > > --- > > drivers/net/wireless/broadcom/brcm80211/brcmsmac/channel.c | 6 +++--- > > 1 file changed, 3 insertions(+), 3 deletions(-) > > > > diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmsmac/channel.c b/drivers/net/wireless/broadcom/brcm80211/brcmsmac/channel.c > > index 5a6d9c86552a..f6962e558d7c 100644 > > --- a/drivers/net/wireless/broadcom/brcm80211/brcmsmac/channel.c > > +++ b/drivers/net/wireless/broadcom/brcm80211/brcmsmac/channel.c > > @@ -341,7 +341,7 @@ struct brcms_cm_info *brcms_c_channel_mgr_attach(struct brcms_c_info *wlc) > > /* store the country code for passing up as a regulatory hint */ > > wlc_cm->world_regd = brcms_world_regd(ccode, ccode_len); > > if (brcms_c_country_valid(ccode)) > > - strncpy(wlc->pub->srom_ccode, ccode, ccode_len); > > + memcpy(wlc->pub->srom_ccode, ccode, ccode_len); > > const char *ccode = sprom->alpha2; > int ccode_len = sizeof(sprom->alpha2); > > struct ssb_sprom { > ... > char alpha2[2]; /* Country Code as two chars like EU or US */ > > This should be marked __nonstring, IMO. > > struct brcms_pub { > ... > char srom_ccode[BRCM_CNTRY_BUF_SZ]; /* Country Code in SROM */ > > #define BRCM_CNTRY_BUF_SZ 4 /* Country string is 3 bytes + NUL */ > > This, however, is shown as explicitly %NUL terminated. > > The old strncpy wasn't %NUL terminating wlc->pub->srom_ccode, though, so > the memcpy is the same result, but is that actually _correct_ here? Judging from the usage, we can see that only bytes at offset 0 and 1 are used. I think the comment "/* Country string is 3 bytes + NUL */" might be misleading or perhaps there are other uses that I can't find (which require NUL-termination)? > > > > > /* > > * If no custom world domain is found in the SROM, use the > > @@ -354,10 +354,10 @@ struct brcms_cm_info *brcms_c_channel_mgr_attach(struct brcms_c_info *wlc) > > } > > > > /* save default country for exiting 11d regulatory mode */ > > - strncpy(wlc->country_default, ccode, ccode_len); > > + memcpy(wlc->country_default, ccode, ccode_len); > > > > /* initialize autocountry_default to driver default */ > > - strncpy(wlc->autocountry_default, ccode, ccode_len); > > + memcpy(wlc->autocountry_default, ccode, ccode_len); > > struct brcms_c_info { > ... > char country_default[BRCM_CNTRY_BUF_SZ]; > char autocountry_default[BRCM_CNTRY_BUF_SZ]; > > These are similar... I can't find any uses for these either. > > So, this change results in the same behavior, but is it right? > > -Kees > > -- > Kees Cook Thanks Justin ^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: [PATCH v3 2/2] wifi: brcmsmac: replace deprecated strncpy with memcpy 2023-10-19 0:03 ` Kees Cook 2023-10-19 17:37 ` Justin Stitt @ 2023-10-26 17:21 ` Kees Cook 1 sibling, 0 replies; 10+ messages in thread From: Kees Cook @ 2023-10-26 17:21 UTC (permalink / raw) To: Justin Stitt Cc: Arend van Spriel, Franky Lin, Hante Meuleman, Kalle Valo, linux-wireless, brcm80211-dev-list.pdl, SHA-cyfmac-dev-list, linux-kernel, linux-hardening On Wed, Oct 18, 2023 at 05:03:02PM -0700, Kees Cook wrote: > On Tue, Oct 17, 2023 at 08:11:29PM +0000, Justin Stitt wrote: > > Let's move away from using strncpy and instead use the more obvious > > interface for this context. > [...] > So, this change results in the same behavior ... I should have included my r-b tag: Reviewed-by: Kees Cook <keescook@chromium.org> -- Kees Cook ^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: [PATCH v3 0/2] wifi: brcm80211: replace deprecated strncpy 2023-10-17 20:11 [PATCH v3 0/2] wifi: brcm80211: replace deprecated strncpy Justin Stitt 2023-10-17 20:11 ` [PATCH v3 1/2] wifi: brcm80211: replace deprecated strncpy with strscpy Justin Stitt 2023-10-17 20:11 ` [PATCH v3 2/2] wifi: brcmsmac: replace deprecated strncpy with memcpy Justin Stitt @ 2023-10-17 21:27 ` Franky Lin 2023-10-18 9:33 ` Arend van Spriel 2 siblings, 1 reply; 10+ messages in thread From: Franky Lin @ 2023-10-17 21:27 UTC (permalink / raw) To: Justin Stitt Cc: Arend van Spriel, Hante Meuleman, Kalle Valo, linux-wireless, brcm80211-dev-list.pdl, SHA-cyfmac-dev-list, linux-kernel, linux-hardening [-- Attachment #1: Type: text/plain, Size: 2420 bytes --] On Tue, Oct 17, 2023 at 1:11 PM 'Justin Stitt' via BRCM80211-DEV-LIST,PDL <brcm80211-dev-list.pdl@broadcom.com> wrote: > > Hi, > > This series used to be just one patch in [v2] but I've split it into two > separate patches. > > The motivation behind this series is that strncpy() is deprecated for > use on NUL-terminated destination strings [1] and as such we should > prefer more robust and less ambiguous string interfaces. > > In cases where we expect the destination buffer to be NUL-terminated > let's opt for strscpy() as this guarantees NUL-termination. Other cases > are just simple byte copies with pre-determined bounds; for these let's > use plain-ol' memcpy(). > > Each change is detailed in its accompanying patch message. > > Link: https://www.kernel.org/doc/html/latest/process/deprecated.html#strncpy-on-nul-terminated-strings [1] > Link: https://manpages.debian.org/testing/linux-manual-4.8/strscpy.9.en.html [2] > Link: https://github.com/KSPP/linux/issues/90 > Signed-off-by: Justin Stitt <justinstitt@google.com> Reviewed-by: Franky Lin <franky.lin@broadcom.com> > --- > Changes in v3: > - split up into two separate patches (thanks Franky) > - use better subject line (thanks Franky + Kalle) > - Link to v2: https://lore.kernel.org/r/20231016-strncpy-drivers-net-wireless-broadcom-brcm80211-brcmfmac-cfg80211-c-v2-1-6c7567e1d3b8@google.com > > Changes in v2: > - add other strncpy replacements > - Link to v1: https://lore.kernel.org/r/20231016-strncpy-drivers-net-wireless-broadcom-brcm80211-brcmfmac-cfg80211-c-v1-1-4234807ca07e@google.com > > --- > Justin Stitt (2): > wifi: brcm80211: replace deprecated strncpy with strscpy > wifi: brcmsmac: replace deprecated strncpy with memcpy > > drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c | 2 +- > drivers/net/wireless/broadcom/brcm80211/brcmfmac/p2p.c | 2 +- > drivers/net/wireless/broadcom/brcm80211/brcmsmac/channel.c | 6 +++--- > drivers/net/wireless/broadcom/brcm80211/brcmsmac/dma.c | 3 +-- > drivers/net/wireless/broadcom/brcm80211/brcmsmac/main.c | 4 ++-- > 5 files changed, 8 insertions(+), 9 deletions(-) > --- > base-commit: cbf3a2cb156a2c911d8f38d8247814b4c07f49a2 > change-id: 20231016-strncpy-drivers-net-wireless-broadcom-brcm80211-brcmfmac-cfg80211-c-a20108421685 > > Best regards, > -- > Justin Stitt <justinstitt@google.com> > [-- Attachment #2: S/MIME Cryptographic Signature --] [-- Type: application/pkcs7-signature, Size: 4203 bytes --] ^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: [PATCH v3 0/2] wifi: brcm80211: replace deprecated strncpy 2023-10-17 21:27 ` [PATCH v3 0/2] wifi: brcm80211: replace deprecated strncpy Franky Lin @ 2023-10-18 9:33 ` Arend van Spriel 0 siblings, 0 replies; 10+ messages in thread From: Arend van Spriel @ 2023-10-18 9:33 UTC (permalink / raw) To: Franky Lin, Justin Stitt Cc: Arend van Spriel, Hante Meuleman, Kalle Valo, linux-wireless, brcm80211-dev-list.pdl, SHA-cyfmac-dev-list, linux-kernel, linux-hardening [-- Attachment #1: Type: text/plain, Size: 2301 bytes --] On 10/17/2023 11:27 PM, Franky Lin wrote: > On Tue, Oct 17, 2023 at 1:11 PM 'Justin Stitt' via > BRCM80211-DEV-LIST,PDL <brcm80211-dev-list.pdl@broadcom.com> wrote: >> >> Hi, >> >> This series used to be just one patch in [v2] but I've split it into two >> separate patches. >> >> The motivation behind this series is that strncpy() is deprecated for >> use on NUL-terminated destination strings [1] and as such we should >> prefer more robust and less ambiguous string interfaces. >> >> In cases where we expect the destination buffer to be NUL-terminated >> let's opt for strscpy() as this guarantees NUL-termination. Other cases >> are just simple byte copies with pre-determined bounds; for these let's >> use plain-ol' memcpy(). >> >> Each change is detailed in its accompanying patch message. >> >> Link: https://www.kernel.org/doc/html/latest/process/deprecated.html#strncpy-on-nul-terminated-strings [1] >> Link: https://manpages.debian.org/testing/linux-manual-4.8/strscpy.9.en.html [2] >> Link: https://github.com/KSPP/linux/issues/90 >> Signed-off-by: Justin Stitt <justinstitt@google.com> > > Reviewed-by: Franky Lin <franky.lin@broadcom.com> Acked-by: Arend van Spriel <arend.vanspriel@broadcom.com> >> --- >> Changes in v3: >> - split up into two separate patches (thanks Franky) >> - use better subject line (thanks Franky + Kalle) >> - Link to v2: https://lore.kernel.org/r/20231016-strncpy-drivers-net-wireless-broadcom-brcm80211-brcmfmac-cfg80211-c-v2-1-6c7567e1d3b8@google.com >> >> Changes in v2: >> - add other strncpy replacements >> - Link to v1: https://lore.kernel.org/r/20231016-strncpy-drivers-net-wireless-broadcom-brcm80211-brcmfmac-cfg80211-c-v1-1-4234807ca07e@google.com >> >> --- >> Justin Stitt (2): >> wifi: brcm80211: replace deprecated strncpy with strscpy >> wifi: brcmsmac: replace deprecated strncpy with memcpy >> >> drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c | 2 +- >> drivers/net/wireless/broadcom/brcm80211/brcmfmac/p2p.c | 2 +- >> drivers/net/wireless/broadcom/brcm80211/brcmsmac/channel.c | 6 +++--- >> drivers/net/wireless/broadcom/brcm80211/brcmsmac/dma.c | 3 +-- >> drivers/net/wireless/broadcom/brcm80211/brcmsmac/main.c | 4 ++-- >> 5 files changed, 8 insertions(+), 9 deletions(-) >> --- [-- Attachment #2: S/MIME Cryptographic Signature --] [-- Type: application/pkcs7-signature, Size: 4219 bytes --] ^ permalink raw reply [flat|nested] 10+ messages in thread
end of thread, other threads:[~2023-10-30 17:20 UTC | newest] Thread overview: 10+ messages (download: mbox.gz follow: Atom feed -- links below jump to the message on this page -- 2023-10-17 20:11 [PATCH v3 0/2] wifi: brcm80211: replace deprecated strncpy Justin Stitt 2023-10-17 20:11 ` [PATCH v3 1/2] wifi: brcm80211: replace deprecated strncpy with strscpy Justin Stitt 2023-10-26 17:20 ` Kees Cook 2023-10-30 17:20 ` Kalle Valo 2023-10-17 20:11 ` [PATCH v3 2/2] wifi: brcmsmac: replace deprecated strncpy with memcpy Justin Stitt 2023-10-19 0:03 ` Kees Cook 2023-10-19 17:37 ` Justin Stitt 2023-10-26 17:21 ` Kees Cook 2023-10-17 21:27 ` [PATCH v3 0/2] wifi: brcm80211: replace deprecated strncpy Franky Lin 2023-10-18 9:33 ` Arend van Spriel
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox; as well as URLs for NNTP newsgroup(s).