From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from mail-wr1-f41.google.com (mail-wr1-f41.google.com [209.85.221.41]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id C278C39A7FB for ; Mon, 23 Mar 2026 20:19:15 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.221.41 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1774297157; cv=none; b=TXDcWqIxmbYbAU7p5KFgoEY1zo4QB5xAGiHG+SmRcdAbZ04xMrlGoc6IWOCzKo07MZCRu/E2UVpwfBsQ9E2Xcn5Vw8wwJ1uuw0IeoFtbcZMpq+YNFEie1mJZOFDwQcupZ3MgKwEO/qDJr4skUn0Dx6LWXmGmQUHLVpmczHhjRGA= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1774297157; c=relaxed/simple; bh=Ps82ZXqOu0VF4EUBaCiYeI6G3LGOYrbRYcJ4p/zhW1c=; h=Date:From:To:Cc:Subject:Message-ID:In-Reply-To:References: MIME-Version:Content-Type; b=rZ1afd/xhpxM+kUfyMVUA/kM0+w5wR9dbDzWn1trQofJQGj7tiU7Bebzs1PnTAwuift+BieZm+VDO7CgNwKKzslDv6GbbxFo0CUJdyagbJ1s+6X6YgWRCafMVlOp5rJbh/cyfrgVOmaZBEPMEGlIA+5twwhXZsyEd3PvN13Rs9Y= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com; spf=pass smtp.mailfrom=gmail.com; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b=O8ocNCV2; arc=none smtp.client-ip=209.85.221.41 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=gmail.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="O8ocNCV2" Received: by mail-wr1-f41.google.com with SMTP id ffacd0b85a97d-439d8df7620so2977024f8f.0 for ; Mon, 23 Mar 2026 13:19:15 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20251104; t=1774297154; x=1774901954; darn=vger.kernel.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:subject:cc:to:from:date:from:to:cc:subject:date :message-id:reply-to; bh=cr1t9sjlplOUkX17+4RyR0lC0VfTKhvSiQURz0qF41I=; b=O8ocNCV2o0UeNDNiciQQ3TuxdasXCMrAQhT/qfdGF/Df3T4K145yYpl+qLK2fI55z0 z+CI/ODShyyRSakDjG6DUxuT3wAVHtpB5DxNgeLUY0FFRcotOzYFt3hRXJ1yEh8MKj6J fa8nM7SegPU2m+4yfApTXZVZ1Wukn/Vb41nHUkXamxsQChi/XdsXGQbGHA1Hur7Yaedt MguWiYEgXS8IBQzheRk3j/JSAtMZleU5tW1tHAG5oFqLvl0N/ulkm8Ey8aochaQC6cfW wXrhhZ6cNwqwAr6HrZeNh/FZR/WmwwyruYVFVdl+owpmqQzeXbMaeOYuaDbNMNQ13w/E ErSg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1774297154; x=1774901954; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:subject:cc:to:from:date:x-gm-gg:x-gm-message-state:from :to:cc:subject:date:message-id:reply-to; bh=cr1t9sjlplOUkX17+4RyR0lC0VfTKhvSiQURz0qF41I=; b=krvd59nv7DP9KVdDkfaTUeuKbh55QMyd6112g1aqw3AUI4yOkWT5bPcjXMiZDS8j7y OIQ3ew4DP/cFCckO45hsNn9AO/2HXaGxsGEmSP8f4EVq5rMlOu4ku8vctQ9abbeAP0fs Tppw3oEPXmNlvMt77eS5kH4DPnqdlDyE0nvFodEY8jEUDWZEx1oMy/QHweQvKb3FaV0+ YnDD6JQAsgZroDSLloT5xE+C/9xWGpFqRjXS8kmAyXTKPjUgSDIlDLoJXTPrBO+K2hSS t4fTSxPQ/dSTSX9AyP8s9+bfAMmOKRWj2iU/XmHI6Nf+zTy5wsSpIX0uSDa0cDO+y2F8 Gx2A== X-Forwarded-Encrypted: i=1; AJvYcCWFPfQn0uJ3lPubIt1xF4/6d+rICgvn48WGe1vy5dgtdu1Y1b1uDEEZp0ZvA5laMdJVPqmsOH3/HlHu0r4=@vger.kernel.org X-Gm-Message-State: AOJu0YxPjOp+PSdqROhe0AYHWcbWsuNGz4F4bWeYScvXPj+fY1rCVLYp FdxeR5HmoAgpobueKPKVFUfR57R2PrRUKtw+ARjhS7MuQNajm7KtAbII X-Gm-Gg: ATEYQzxE6AVZVXW8+UtZSy0p+P3GaODndEVTFXySHq8J9V1OrDwpSuzRqMEsrDFaZBl loRFwjifF3AdOaTEJmFJWC/ulN6gxSKnNxWw0eFLQYeJqbdyOF5I/hPhE28ikvH/1Mmq3uPyp5W OIarqImXwXzWyp1JIXkO2nPhtb6soGEEm0GKQ4843jaNI2mRlHCNtPycJM54zmd8dFvTOjR7al4 i+wGFarV7E9ueGQPAhsOPswTB1okcJ1ONfUWGiPwj5D+vSSTxRnXYR0cDuyGJPXdqWWKDCXFc3j 4yiMKBoVS8jvgYYrs7bmezUOPJVuXMqS4BgLPSnbkYW6lmZ4hGbe9GrvYzIuUNUpudTBwvaH6wR /vJsTntZmcfNXvBGdJ/EhJsqr5pYoGjDdgwwXR+z1oJEbThTLZrQ73Di5Udu+WY6544v86GHf2e kMZlOTbis4h9klSHZG7XMsrHyUg22pu/laFbkxrQabhRnQekSAE+OAYPX13i/abshw X-Received: by 2002:a05:6000:2303:b0:437:8fd6:d849 with SMTP id ffacd0b85a97d-43b6428ab6bmr20344375f8f.54.1774297154043; Mon, 23 Mar 2026 13:19:14 -0700 (PDT) Received: from pumpkin (82-69-66-36.dsl.in-addr.zen.co.uk. [82.69.66.36]) by smtp.gmail.com with ESMTPSA id ffacd0b85a97d-43b6cdfdfa9sm22985479f8f.9.2026.03.23.13.19.13 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 23 Mar 2026 13:19:13 -0700 (PDT) Date: Mon, 23 Mar 2026 20:19:12 +0000 From: David Laight To: Kees Cook Cc: Carlos Maiolino , "Darrick J. Wong" , Andrey Albershteyn , Steven Rostedt , linux-kernel@vger.kernel.org, linux-xfs@vger.kernel.org, linux-hardening@vger.kernel.org Subject: Re: [PATCH] xfs: Replace strncpy() with strscpy_pad() in tracepoint error paths Message-ID: <20260323201912.2cb99938@pumpkin> In-Reply-To: <20260323172204.work.979-kees@kernel.org> References: <20260323172204.work.979-kees@kernel.org> X-Mailer: Claws Mail 4.1.1 (GTK 3.24.38; arm-unknown-linux-gnueabihf) Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit On Mon, 23 Mar 2026 10:22:09 -0700 Kees Cook wrote: > Replace the deprecated[1] strncpy() with strscpy_pad() in the > xfile_create and xmbuf_create tracepoints. > > Both tracepoints use file_path() to resolve a pathname into > __entry->pathname (a char[MAXNAMELEN] trace ring buffer field). On > failure, the error path overwrites the buffer with the string literal > "(unknown)" via strncpy(). The original strncpy() zero-pads the > remaining 246 bytes (MAXNAMELEN is 256, "(unknown)" is 10 bytes > including NUL). > > strscpy_pad() preserves this zero-padding, which matters because the > destination is a trace ring buffer entry: ring buffer slots are not > zeroed on allocation, and the raw buffer is readable by userspace via > tracefs. The zero-padding ensures no stale data remains in the > buffer after the error path overwrites it. Eh? AFAICT file_path() doesn't zero pad on success. Not only that is calls d_path() to do the work and that has the comment: * Returns a pointer into the buffer or an error code if the path was * too long. Note: Callers should use the returned pointer, not the passed * in buffer, to use the name! The implementation often starts at an offset * into the buffer, and may leave 0 bytes at the start. So the code actually looks entirely broken. David > > The source is a 10-byte string literal into a 256-byte destination, > so there is no behavioral change. > > Link: https://github.com/KSPP/linux/issues/90 [1] > Signed-off-by: Kees Cook > --- > fs/xfs/scrub/trace.h | 3 +-- > fs/xfs/xfs_trace.h | 3 +-- > 2 files changed, 2 insertions(+), 4 deletions(-) > > diff --git a/fs/xfs/scrub/trace.h b/fs/xfs/scrub/trace.h > index 39ea651cbb75..46c420f51129 100644 > --- a/fs/xfs/scrub/trace.h > +++ b/fs/xfs/scrub/trace.h > @@ -980,8 +980,7 @@ TRACE_EVENT(xfile_create, > __entry->ino = file_inode(xf->file)->i_ino; > path = file_path(xf->file, __entry->pathname, MAXNAMELEN); > if (IS_ERR(path)) > - strncpy(__entry->pathname, "(unknown)", > - sizeof(__entry->pathname)); > + strscpy_pad(__entry->pathname, "(unknown)"); > ), > TP_printk("xfino 0x%lx path '%s'", > __entry->ino, > diff --git a/fs/xfs/xfs_trace.h b/fs/xfs/xfs_trace.h > index 813e5a9f57eb..9f9fb86097ed 100644 > --- a/fs/xfs/xfs_trace.h > +++ b/fs/xfs/xfs_trace.h > @@ -5101,8 +5101,7 @@ TRACE_EVENT(xmbuf_create, > __entry->ino = file_inode(file)->i_ino; > path = file_path(file, __entry->pathname, MAXNAMELEN); > if (IS_ERR(path)) > - strncpy(__entry->pathname, "(unknown)", > - sizeof(__entry->pathname)); > + strscpy_pad(__entry->pathname, "(unknown)"); > ), > TP_printk("dev %d:%d xmino 0x%lx path '%s'", > MAJOR(__entry->dev), MINOR(__entry->dev),