Re: [PATCH] Fix possible strscpy() buffer overflows

The Linux Kernel Mailing List
 help / color / mirror / Atom feed

From: David Laight <david.laight.linux@gmail.com>
To: Borislav Petkov <bp@alien8.de>
Cc: Andrei Purdea <andrei@purdea.ro>,
	Shubhrajyoti Datta <shubhrajyoti.datta@amd.com>,
	Geraldo Nascimento <geraldogabriel@gmail.com>,
	"Alexander A. Klimov" <grandmaster@al2klimov.de>,
	Tony Luck <tony.luck@intel.com>, Kees Cook <kees@kernel.org>,
	Arnd Bergmann <arnd@arndb.de>,
	Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	Nick Li <nick.li@foursemi.com>,
	Liam Girdwood <lgirdwood@gmail.com>,
	Mark Brown <broonie@kernel.org>, Jaroslav Kysela <perex@perex.cz>,
	Takashi Iwai <tiwai@suse.com>,
	linux-edac@vger.kernel.org,
	Linux Kernel Mailing List <linux-kernel@vger.kernel.org>,
	linux-sound@vger.kernel.org
Subject: Re: [PATCH] Fix possible strscpy() buffer overflows
Date: Mon, 11 May 2026 12:58:56 +0100	[thread overview]
Message-ID: <20260511125856.3ff4cdfb@pumpkin> (raw)
In-Reply-To: <20260511103854.GCagGxvmZvHL8sV_8e@fat_crate.local>

On Mon, 11 May 2026 12:38:54 +0200
Borislav Petkov <bp@alien8.de> wrote:

> On Mon, May 11, 2026 at 09:46:53AM +0300, Andrei Purdea wrote:
> > Hi all,  
> 
> Hi,
> 
> first of all, please do not top-post when replying to a public mailing list.
> 
> > Furthermore the one in versalnet_edac.c looks like beyond fixing a
> > buffer overflow risk and code smell, it also introduces a behavior
> > change (bugfix?), because the old code I believe cuts off the last
> > character from the copied string. (Because it was using just strlen()
> > and not using strlen() + 1)  
> 
> The versalnet_edac is innocuous because, AFAICT, that silly code is copying
> "error_ipc" into
> 
> struct rpmsg_channel_info {
>         char name[RPMSG_NAME_SIZE];
> 
> with that buffer size being 32.
> 
> So no overflow here.

So just strcpy(chinfo.name, "error_ipc") will be absolutely fine.
If you extend the string to 32+ characters you'll get a compile error.
It degenerates to memcpy() and is likely to further degenerate to writes
of constant values.

> 
> However, just to make this safer, we should min the size.
> 
> Also, Shubhrajyoti, why aren't you padding the rest of the name string with \0
> *especially* since you're allocating it on the stack?!
> 
> IOW, this (totally untested ofc):
> 
>         strscpy_pad(chinfo.name,
>                     amd_rpmsg_id_table[0].name,
>                     min_t(size_t, strlen(amd_rpmsg_id_table[0].name), RPMSG_NAME_SIZE));

Why isn't that just:
	strscpy_pad(chinfo.name, amd_rpmsg_id_table[0].name, sizeof (chinfo.name));

I'm trying to remove all the unbounded strlen(), getting fed up of code
that does strlen() and strcpy() of the same string.
If you want the length, get it first, use it for the size checks, then
copy with memcpy().

-- David

> 
> I still don't like it because we're noodling with this string as if it is
> super special and copying it back'n'forth just because this rpmsg is
> MODULE_DEVICE_TABLE and apparently is used to autoload the driver or so...
> 
> Why do we need it?
> 
> Can we simplify that gunk there?
> 
> Please have a look.
> 
> Thx.
>

next prev parent reply	other threads:[~2026-05-11 11:59 UTC|newest]

Thread overview: 12+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-05-10 18:24 [PATCH] Fix possible strscpy() buffer overflows Alexander A. Klimov
2026-05-10 22:08 ` David Laight
2026-05-11  1:30   ` Geraldo Nascimento
2026-05-11  6:46     ` Andrei Purdea
2026-05-11 10:38       ` Borislav Petkov
2026-05-11 11:58         ` David Laight [this message]
2026-05-11 11:59         ` Andrei Purdea
2026-05-11 12:51           ` Borislav Petkov
2026-05-11 13:13             ` Andrei Purdea
2026-05-11 13:39               ` Borislav Petkov
2026-05-11 15:06                 ` Andrei Purdea
2026-05-11 19:15             ` David Laight

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20260511125856.3ff4cdfb@pumpkin \
    --to=david.laight.linux@gmail.com \
    --cc=andrei@purdea.ro \
    --cc=arnd@arndb.de \
    --cc=bp@alien8.de \
    --cc=broonie@kernel.org \
    --cc=geraldogabriel@gmail.com \
    --cc=grandmaster@al2klimov.de \
    --cc=gregkh@linuxfoundation.org \
    --cc=kees@kernel.org \
    --cc=lgirdwood@gmail.com \
    --cc=linux-edac@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-sound@vger.kernel.org \
    --cc=nick.li@foursemi.com \
    --cc=perex@perex.cz \
    --cc=shubhrajyoti.datta@amd.com \
    --cc=tiwai@suse.com \
    --cc=tony.luck@intel.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox