[PATCH] init/version.c: Replace strlcpy with strscpy

public inbox for linux-kernel@vger.kernel.org
 help / color / mirror / Atom feed

* [PATCH] init/version.c: Replace strlcpy with strscpy
@ 2023-08-30 16:08 Azeem Shaikh
  2023-08-30 20:08 ` Justin Stitt
                   ` (2 more replies)
  0 siblings, 3 replies; 4+ messages in thread
From: Azeem Shaikh @ 2023-08-30 16:08 UTC (permalink / raw)
  To: Kees Cook
  Cc: linux-hardening, Azeem Shaikh, linux-kernel, Masahiro Yamada,
	Thomas Weißschuh

strlcpy() reads the entire source buffer first.
This read may exceed the destination size limit.
This is both inefficient and can lead to linear read
overflows if a source string is not NUL-terminated [1].
In an effort to remove strlcpy() completely [2], replace
strlcpy() here with strscpy().

Direct replacement is safe here since return value of -errno
is used to check for truncation instead of sizeof(dest).

[1] https://www.kernel.org/doc/html/latest/process/deprecated.html#strlcpy
[2] https://github.com/KSPP/linux/issues/89

Signed-off-by: Azeem Shaikh <azeemshaikh38@gmail.com>
---
 init/version.c |    6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/init/version.c b/init/version.c
index f117921811b4..94c96f6fbfe6 100644
--- a/init/version.c
+++ b/init/version.c
@@ -21,10 +21,10 @@ static int __init early_hostname(char *arg)
 {
 	size_t bufsize = sizeof(init_uts_ns.name.nodename);
 	size_t maxlen  = bufsize - 1;
-	size_t arglen;
+	ssize_t arglen;

-	arglen = strlcpy(init_uts_ns.name.nodename, arg, bufsize);
-	if (arglen > maxlen) {
+	arglen = strscpy(init_uts_ns.name.nodename, arg, bufsize);
+	if (arglen < 0) {
 		pr_warn("hostname parameter exceeds %zd characters and will be truncated",
 			maxlen);
 	}
--
2.41.0.255.g8b1d071c50-goog



^ permalink raw reply related	[flat|nested] 4+ messages in thread

* Re: [PATCH] init/version.c: Replace strlcpy with strscpy
  2023-08-30 16:08 [PATCH] init/version.c: Replace strlcpy with strscpy Azeem Shaikh
@ 2023-08-30 20:08 ` Justin Stitt
  2023-08-30 21:17 ` Kees Cook
  2023-09-15  5:31 ` Kees Cook
  2 siblings, 0 replies; 4+ messages in thread
From: Justin Stitt @ 2023-08-30 20:08 UTC (permalink / raw)
  To: Azeem Shaikh
  Cc: Kees Cook, linux-hardening, linux-kernel, Masahiro Yamada,
	Thomas Weißschuh

On Wed, Aug 30, 2023 at 12:29 PM Azeem Shaikh <azeemshaikh38@gmail.com> wrote:
>
> strlcpy() reads the entire source buffer first.
> This read may exceed the destination size limit.
> This is both inefficient and can lead to linear read
> overflows if a source string is not NUL-terminated [1].
> In an effort to remove strlcpy() completely [2], replace
> strlcpy() here with strscpy().
>
> Direct replacement is safe here since return value of -errno
> is used to check for truncation instead of sizeof(dest).

Great patch! This is similar to [1] which aims to eradicate strncpy.

>
> [1] https://www.kernel.org/doc/html/latest/process/deprecated.html#strlcpy
> [2] https://github.com/KSPP/linux/issues/89
>
> Signed-off-by: Azeem Shaikh <azeemshaikh38@gmail.com>
Reviewed-by: Justin Stitt <justinstitt@google.com>

> ---
>  init/version.c |    6 +++---
>  1 file changed, 3 insertions(+), 3 deletions(-)
>
> diff --git a/init/version.c b/init/version.c
> index f117921811b4..94c96f6fbfe6 100644
> --- a/init/version.c
> +++ b/init/version.c
> @@ -21,10 +21,10 @@ static int __init early_hostname(char *arg)
>  {
>         size_t bufsize = sizeof(init_uts_ns.name.nodename);
>         size_t maxlen  = bufsize - 1;
> -       size_t arglen;
> +       ssize_t arglen;
>
> -       arglen = strlcpy(init_uts_ns.name.nodename, arg, bufsize);
> -       if (arglen > maxlen) {
> +       arglen = strscpy(init_uts_ns.name.nodename, arg, bufsize);
> +       if (arglen < 0) {
>                 pr_warn("hostname parameter exceeds %zd characters and will be truncated",
>                         maxlen);
>         }
> --
> 2.41.0.255.g8b1d071c50-goog
>
>

[1]: https://github.com/KSPP/linux/issues/90

^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: [PATCH] init/version.c: Replace strlcpy with strscpy
  2023-08-30 16:08 [PATCH] init/version.c: Replace strlcpy with strscpy Azeem Shaikh
  2023-08-30 20:08 ` Justin Stitt
@ 2023-08-30 21:17 ` Kees Cook
  2023-09-15  5:31 ` Kees Cook
  2 siblings, 0 replies; 4+ messages in thread
From: Kees Cook @ 2023-08-30 21:17 UTC (permalink / raw)
  To: Azeem Shaikh
  Cc: linux-hardening, linux-kernel, Masahiro Yamada,
	Thomas Weißschuh

On Wed, Aug 30, 2023 at 04:08:06PM +0000, Azeem Shaikh wrote:
> strlcpy() reads the entire source buffer first.
> This read may exceed the destination size limit.
> This is both inefficient and can lead to linear read
> overflows if a source string is not NUL-terminated [1].
> In an effort to remove strlcpy() completely [2], replace
> strlcpy() here with strscpy().
> 
> Direct replacement is safe here since return value of -errno
> is used to check for truncation instead of sizeof(dest).
> 
> [1] https://www.kernel.org/doc/html/latest/process/deprecated.html#strlcpy
> [2] https://github.com/KSPP/linux/issues/89
> 
> Signed-off-by: Azeem Shaikh <azeemshaikh38@gmail.com>
> ---
>  init/version.c |    6 +++---
>  1 file changed, 3 insertions(+), 3 deletions(-)
> 
> diff --git a/init/version.c b/init/version.c
> index f117921811b4..94c96f6fbfe6 100644
> --- a/init/version.c
> +++ b/init/version.c
> @@ -21,10 +21,10 @@ static int __init early_hostname(char *arg)
>  {
>  	size_t bufsize = sizeof(init_uts_ns.name.nodename);
>  	size_t maxlen  = bufsize - 1;
> -	size_t arglen;
> +	ssize_t arglen;
> 
> -	arglen = strlcpy(init_uts_ns.name.nodename, arg, bufsize);
> -	if (arglen > maxlen) {
> +	arglen = strscpy(init_uts_ns.name.nodename, arg, bufsize);
> +	if (arglen < 0) {

nitpick: this is no longer "length of arg", it's the length of the
destination string. Regardless:

Reviewed-by: Kees Cook <keescook@chromium.org>

>  		pr_warn("hostname parameter exceeds %zd characters and will be truncated",
>  			maxlen);
>  	}
> --
> 2.41.0.255.g8b1d071c50-goog
> 
> 

-- 
Kees Cook

^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: [PATCH] init/version.c: Replace strlcpy with strscpy
  2023-08-30 16:08 [PATCH] init/version.c: Replace strlcpy with strscpy Azeem Shaikh
  2023-08-30 20:08 ` Justin Stitt
  2023-08-30 21:17 ` Kees Cook
@ 2023-09-15  5:31 ` Kees Cook
  2 siblings, 0 replies; 4+ messages in thread
From: Kees Cook @ 2023-09-15  5:31 UTC (permalink / raw)
  To: Azeem Shaikh
  Cc: Kees Cook, linux-hardening, linux-kernel, Masahiro Yamada,
	Thomas Weißschuh

On Wed, 30 Aug 2023 16:08:06 +0000, Azeem Shaikh wrote:
> strlcpy() reads the entire source buffer first.
> This read may exceed the destination size limit.
> This is both inefficient and can lead to linear read
> overflows if a source string is not NUL-terminated [1].
> In an effort to remove strlcpy() completely [2], replace
> strlcpy() here with strscpy().
> 
> [...]

Applied to for-next/hardening, thanks!

[1/1] init/version.c: Replace strlcpy with strscpy
      https://git.kernel.org/kees/c/ec23bc09c1c0

Take care,

-- 
Kees Cook


^ permalink raw reply	[flat|nested] 4+ messages in thread

end of thread, other threads:[~2023-09-15  5:31 UTC | newest]

Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2023-08-30 16:08 [PATCH] init/version.c: Replace strlcpy with strscpy Azeem Shaikh
2023-08-30 20:08 ` Justin Stitt
2023-08-30 21:17 ` Kees Cook
2023-09-15  5:31 ` Kees Cook

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox