[PATCH net-next] net/devlink: Use strscpy() to copy strings into arrays

[PATCH net-next] net/devlink: Use strscpy() to copy strings into arrays

[david.laight.linux]

From: David Laight <david.laight.linux@gmail.com>

Replacing strcpy() with strscpy() ensures that overflow of the target
buffer cannot happen.

Signed-off-by: David Laight <david.laight.linux@gmail.com>
---
This is one of a group of patches that remove potentially unbounded
strcpy() calls.

They are mostly replaced by strscpy() or, when strlen() has just been
called, with memcpy() (usually including the '\0').

Calls with copy string literals into arrays are left unchanged.
They are safe and easily detected as such.

The changes were made by getting the compiler to detect the calls and
then fixing the code by hand.

Note that all the changes are only compile tested.

Some Makefiles were changed to allow files to contain strcpy().
As well as 'difficult to fix' files, this included 'show' functions
as they really need to use sysfs_emit() or seq_printf().

All the patches are being sent individually to avoid very long cc lists.
Apologies for the terse commit messages and likely unexpected tags.
(There are about 100 patches in total.)

 net/devlink/param.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/devlink/param.c b/net/devlink/param.c
index cf95268da5b0..dba0a0431052 100644
--- a/net/devlink/param.c
+++ b/net/devlink/param.c
@@ -540,7 +540,7 @@ devlink_param_value_get_from_info(const struct devlink_param *param,
 		if (len == nla_len(param_data) ||
 		    len >= __DEVLINK_PARAM_MAX_STRING_VALUE)
 			return -EINVAL;
-		strcpy(value->vstr, nla_data(param_data));
+		strscpy(value->vstr, nla_data(param_data));
 		break;
 	case DEVLINK_PARAM_TYPE_BOOL:
 		if (param_data && nla_len(param_data))
-- 
2.39.5

[PATCH net-next] net/devlink: Use strscpy() to copy strings into arrays

[david.laight.linux]

From: David Laight <david.laight.linux@gmail.com>

Replacing strcpy() with strscpy() ensures that overflow of the target
buffer cannot happen.

Signed-off-by: David Laight <david.laight.linux@gmail.com>
---
This is one of a group of patches that remove potentially unbounded
strcpy() calls.

They are mostly replaced by strscpy() or, when strlen() has just been
called, with memcpy() (usually including the '\0').

Calls with copy string literals into arrays are left unchanged.
They are safe and easily detected as such.

The changes were made by getting the compiler to detect the calls and
then fixing the code by hand.

Note that all the changes are only compile tested.

Some Makefiles were changed to allow files to contain strcpy().
As well as 'difficult to fix' files, this included 'show' functions
as they really need to use sysfs_emit() or seq_printf().

All the patches are being sent individually to avoid very long cc lists.
Apologies for the terse commit messages and likely unexpected tags.
(There are about 100 patches in total.)

 net/devlink/port.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/devlink/port.c b/net/devlink/port.c
index 485029d43428..108926d3f899 100644
--- a/net/devlink/port.c
+++ b/net/devlink/port.c
@@ -1222,7 +1222,7 @@ static void __devlink_port_type_set(struct devlink_port *devlink_port,
 			devlink_port->type_eth.ifindex = netdev->ifindex;
 			BUILD_BUG_ON(sizeof(devlink_port->type_eth.ifname) !=
 				     sizeof(netdev->name));
-			strcpy(devlink_port->type_eth.ifname, netdev->name);
+			strscpy(devlink_port->type_eth.ifname, netdev->name);
 		}
 		break;
 	case DEVLINK_PORT_TYPE_IB:
-- 
2.39.5

Re: [PATCH net-next] net/devlink: Use strscpy() to copy strings into arrays

[Paolo Abeni]

On 6/8/26 11:54 AM, david.laight.linux@gmail.com wrote:
> From: David Laight <david.laight.linux@gmail.com>
> 
> Replacing strcpy() with strscpy() ensures that overflow of the target
> buffer cannot happen.
> 
> Signed-off-by: David Laight <david.laight.linux@gmail.com>
> ---
> This is one of a group of patches that remove potentially unbounded
> strcpy() calls.
> 
> They are mostly replaced by strscpy() or, when strlen() has just been
> called, with memcpy() (usually including the '\0').
> 
> Calls with copy string literals into arrays are left unchanged.
> They are safe and easily detected as such.
> 
> The changes were made by getting the compiler to detect the calls and
> then fixing the code by hand.
> 
> Note that all the changes are only compile tested.
> 
> Some Makefiles were changed to allow files to contain strcpy().
> As well as 'difficult to fix' files, this included 'show' functions
> as they really need to use sysfs_emit() or seq_printf().
> 
> All the patches are being sent individually to avoid very long cc lists.
> Apologies for the terse commit messages and likely unexpected tags.
> (There are about 100 patches in total.)
> 
>  net/devlink/port.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/net/devlink/port.c b/net/devlink/port.c
> index 485029d43428..108926d3f899 100644
> --- a/net/devlink/port.c
> +++ b/net/devlink/port.c
> @@ -1222,7 +1222,7 @@ static void __devlink_port_type_set(struct devlink_port *devlink_port,
>  			devlink_port->type_eth.ifindex = netdev->ifindex;
>  			BUILD_BUG_ON(sizeof(devlink_port->type_eth.ifname) !=
>  				     sizeof(netdev->name));
> -			strcpy(devlink_port->type_eth.ifname, netdev->name);
> +			strscpy(devlink_port->type_eth.ifname, netdev->name);

Given the above BUILD_BUG, I don't see how this change can help?!?

Generally speaking, I suggest restricting this kind of tool-assisted
changes to real problems (if any).

Thanks,

Paolo

Re: [PATCH net-next] net/devlink: Use strscpy() to copy strings into arrays

[David Laight]

On Tue, 9 Jun 2026 15:39:35 +0200
Paolo Abeni <pabeni@redhat.com> wrote:

> On 6/8/26 11:54 AM, david.laight.linux@gmail.com wrote:
> > From: David Laight <david.laight.linux@gmail.com>
> > 
> > Replacing strcpy() with strscpy() ensures that overflow of the target
> > buffer cannot happen.
> > 
> > Signed-off-by: David Laight <david.laight.linux@gmail.com>
> > ---
> > This is one of a group of patches that remove potentially unbounded
> > strcpy() calls.
> > 
> > They are mostly replaced by strscpy() or, when strlen() has just been
> > called, with memcpy() (usually including the '\0').
> > 
> > Calls with copy string literals into arrays are left unchanged.
> > They are safe and easily detected as such.
> > 
> > The changes were made by getting the compiler to detect the calls and
> > then fixing the code by hand.
> > 
> > Note that all the changes are only compile tested.
> > 
> > Some Makefiles were changed to allow files to contain strcpy().
> > As well as 'difficult to fix' files, this included 'show' functions
> > as they really need to use sysfs_emit() or seq_printf().
> > 
> > All the patches are being sent individually to avoid very long cc lists.
> > Apologies for the terse commit messages and likely unexpected tags.
> > (There are about 100 patches in total.)
> > 
> >  net/devlink/port.c | 2 +-
> >  1 file changed, 1 insertion(+), 1 deletion(-)
> > 
> > diff --git a/net/devlink/port.c b/net/devlink/port.c
> > index 485029d43428..108926d3f899 100644
> > --- a/net/devlink/port.c
> > +++ b/net/devlink/port.c
> > @@ -1222,7 +1222,7 @@ static void __devlink_port_type_set(struct devlink_port *devlink_port,
> >  			devlink_port->type_eth.ifindex = netdev->ifindex;
> >  			BUILD_BUG_ON(sizeof(devlink_port->type_eth.ifname) !=
> >  				     sizeof(netdev->name));
> > -			strcpy(devlink_port->type_eth.ifname, netdev->name);
> > +			strscpy(devlink_port->type_eth.ifname, netdev->name);  
> 
> Given the above BUILD_BUG, I don't see how this change can help?!?
> 
> Generally speaking, I suggest restricting this kind of tool-assisted
> changes to real problems (if any).

My aim is to get to the point where the calling strcpy() is invalid
unless it is used to copy a string literal into an array.
If/when all the .c files are changed the .h file change can be committed
to stop any new potential unbounded copies being added.

I do want to look at the 'fortify' version of strspcy().
The current version can call strnlen() and then real_strscpy(), so
ends up doing the length scan twice.
(Never mind how much gets inlined.)
strscpy() between arrays could be implemented as a memcpy() of the
shorter length and an explicit zero of the final byte.

With the BUILD_BUG_ON() (which I didn't notice) the above could
be e memcpy().

-- David

> 
> Thanks,
> 
> Paolo
> 

Re: [PATCH net-next] net/devlink: Use strscpy() to copy strings into arrays

[Kees Cook]

On Tue, Jun 09, 2026 at 03:39:35PM +0200, Paolo Abeni wrote:
> On 6/8/26 11:54 AM, david.laight.linux@gmail.com wrote:
> > From: David Laight <david.laight.linux@gmail.com>
> > 
> > Replacing strcpy() with strscpy() ensures that overflow of the target
> > buffer cannot happen.
> > 
> > Signed-off-by: David Laight <david.laight.linux@gmail.com>
> > ---
> > This is one of a group of patches that remove potentially unbounded
> > strcpy() calls.
> > 
> > They are mostly replaced by strscpy() or, when strlen() has just been
> > called, with memcpy() (usually including the '\0').
> > 
> > Calls with copy string literals into arrays are left unchanged.
> > They are safe and easily detected as such.
> > 
> > The changes were made by getting the compiler to detect the calls and
> > then fixing the code by hand.
> > 
> > Note that all the changes are only compile tested.
> > 
> > Some Makefiles were changed to allow files to contain strcpy().
> > As well as 'difficult to fix' files, this included 'show' functions
> > as they really need to use sysfs_emit() or seq_printf().
> > 
> > All the patches are being sent individually to avoid very long cc lists.
> > Apologies for the terse commit messages and likely unexpected tags.
> > (There are about 100 patches in total.)
> > 
> >  net/devlink/port.c | 2 +-
> >  1 file changed, 1 insertion(+), 1 deletion(-)
> > 
> > diff --git a/net/devlink/port.c b/net/devlink/port.c
> > index 485029d43428..108926d3f899 100644
> > --- a/net/devlink/port.c
> > +++ b/net/devlink/port.c
> > @@ -1222,7 +1222,7 @@ static void __devlink_port_type_set(struct devlink_port *devlink_port,
> >  			devlink_port->type_eth.ifindex = netdev->ifindex;
> >  			BUILD_BUG_ON(sizeof(devlink_port->type_eth.ifname) !=
> >  				     sizeof(netdev->name));
> > -			strcpy(devlink_port->type_eth.ifname, netdev->name);
> > +			strscpy(devlink_port->type_eth.ifname, netdev->name);
> 
> Given the above BUILD_BUG, I don't see how this change can help?!?
> 
> Generally speaking, I suggest restricting this kind of tool-assisted
> changes to real problems (if any).

How did this patch get generated? This isn't an "unbounded" case: both
devlink_port->type_eth.ifname and netdev->name have known sizes. I think
a way to focus these kinds of refactors would be to replace strcpy()
with a macro wrapper that fails a build when the sizes aren't known, but
then otherwise calls strscpy instead. With that in place, you can find
all the actually unbounded cases and work through each of them, and once
they have all been purged from the kernel, that strcpy macro can land,
which will keep new unbounded instances from showing up.

-- 
Kees Cook

Re: [PATCH net-next] net/devlink: Use strscpy() to copy strings into arrays

[Kees Cook]

On Tue, Jun 09, 2026 at 04:13:38PM +0100, David Laight wrote:
> My aim is to get to the point where the calling strcpy() is invalid
> unless it is used to copy a string literal into an array.
> If/when all the .c files are changed the .h file change can be committed
> to stop any new potential unbounded copies being added.

Here's what I did a while ago in a test tree of mine, but for strlcat:

---
From d09759b1e51dbf784b503c9b9f5136b81b58560c Mon Sep 17 00:00:00 2001
From: Kees Cook <keescook@chromium.org>
Date: Fri, 5 Apr 2024 11:08:41 -0700
Subject: [PATCH] fortify: Refuse to use strcat() on dynamically sized strings

Limit the use of strcat() to things we can determine at compile time to
be safe.

Signed-off-by: Kees Cook <keescook@chromium.org>
---
 include/linux/fortify-string.h | 6 ++++++
 lib/string_helpers.c           | 2 ++
 2 files changed, 8 insertions(+)

diff --git a/include/linux/fortify-string.h b/include/linux/fortify-string.h
index 171982e53c9a..8797c06b46e1 100644
--- a/include/linux/fortify-string.h
+++ b/include/linux/fortify-string.h
@@ -57,6 +57,7 @@ void __read_overflow2(void) __compiletime_error("detected read beyond size of ob
 void __read_overflow2_field(size_t avail, size_t wanted) __compiletime_warning("detected read beyond size of field (2nd parameter); maybe use struct_group()?");
 void __write_overflow(void) __compiletime_error("detected write beyond size of object (1st parameter)");
 void __write_overflow_field(size_t avail, size_t wanted) __compiletime_warning("detected write beyond size of field (1st parameter); maybe use struct_group()?");
+void __fortify_refuse_strcat(void) __compiletime_warning("Do not use strcat() on dynamically sized destination or source strings");
 
 #define __compiletime_strlen(p)					\
 ({								\
@@ -411,8 +412,13 @@ __FORTIFY_INLINE __diagnose_as(__builtin_strcat, 1, 2)
 char *strcat(char * const POS p, const char *q)
 {
 	const size_t p_size = __member_size(p);
+	const size_t q_size = __member_size(q);
 	const size_t wanted = strlcat(p, q, p_size);
 
+	if (!__builtin_constant_p(p_size) || !__builtin_constant_p(q_size) ||
+	    p_size == SIZE_MAX || q_size == SIZE_MAX)
+		__fortify_refuse_strcat();
+
 	if (p_size <= wanted)
 		fortify_panic(FORTIFY_FUNC_strcat, FORTIFY_WRITE, p_size, wanted + 1, p);
 	return p;
diff --git a/lib/string_helpers.c b/lib/string_helpers.c
index 169eaf583494..27b9d97c60c5 100644
--- a/lib/string_helpers.c
+++ b/lib/string_helpers.c
@@ -1019,6 +1019,8 @@ void __read_overflow2_field(size_t avail, size_t wanted) { }
 EXPORT_SYMBOL(__read_overflow2_field);
 void __write_overflow_field(size_t avail, size_t wanted) { }
 EXPORT_SYMBOL(__write_overflow_field);
+void __fortify_refuse_strcat(void) { }
+EXPORT_SYMBOL(__fortify_refuse_strcat);
 
 static const char * const fortify_func_name[] = {
 #define MAKE_FORTIFY_FUNC_NAME(func)	[MAKE_FORTIFY_FUNC(func)] = #func
-- 
2.34.1


-- 
Kees Cook

Re: [PATCH net-next] net/devlink: Use strscpy() to copy strings into arrays

[David Laight]

On Wed, 10 Jun 2026 13:58:51 -0700
Kees Cook <kees@kernel.org> wrote:

> On Tue, Jun 09, 2026 at 03:39:35PM +0200, Paolo Abeni wrote:
> > On 6/8/26 11:54 AM, david.laight.linux@gmail.com wrote:  
> > > From: David Laight <david.laight.linux@gmail.com>
> > > 
> > > Replacing strcpy() with strscpy() ensures that overflow of the target
> > > buffer cannot happen.
> > > 
> > > Signed-off-by: David Laight <david.laight.linux@gmail.com>
> > > ---
> > > This is one of a group of patches that remove potentially unbounded
> > > strcpy() calls.
> > > 
> > > They are mostly replaced by strscpy() or, when strlen() has just been
> > > called, with memcpy() (usually including the '\0').
> > > 
> > > Calls with copy string literals into arrays are left unchanged.
> > > They are safe and easily detected as such.
> > > 
> > > The changes were made by getting the compiler to detect the calls and
> > > then fixing the code by hand.
> > > 
> > > Note that all the changes are only compile tested.
> > > 
> > > Some Makefiles were changed to allow files to contain strcpy().
> > > As well as 'difficult to fix' files, this included 'show' functions
> > > as they really need to use sysfs_emit() or seq_printf().
> > > 
> > > All the patches are being sent individually to avoid very long cc lists.
> > > Apologies for the terse commit messages and likely unexpected tags.
> > > (There are about 100 patches in total.)
> > > 
> > >  net/devlink/port.c | 2 +-
> > >  1 file changed, 1 insertion(+), 1 deletion(-)
> > > 
> > > diff --git a/net/devlink/port.c b/net/devlink/port.c
> > > index 485029d43428..108926d3f899 100644
> > > --- a/net/devlink/port.c
> > > +++ b/net/devlink/port.c
> > > @@ -1222,7 +1222,7 @@ static void __devlink_port_type_set(struct devlink_port *devlink_port,
> > >  			devlink_port->type_eth.ifindex = netdev->ifindex;
> > >  			BUILD_BUG_ON(sizeof(devlink_port->type_eth.ifname) !=
> > >  				     sizeof(netdev->name));
> > > -			strcpy(devlink_port->type_eth.ifname, netdev->name);
> > > +			strscpy(devlink_port->type_eth.ifname, netdev->name);  
> > 
> > Given the above BUILD_BUG, I don't see how this change can help?!?
> > 
> > Generally speaking, I suggest restricting this kind of tool-assisted
> > changes to real problems (if any).  
> 
> How did this patch get generated? This isn't an "unbounded" case: both
> devlink_port->type_eth.ifname and netdev->name have known sizes. I think
> a way to focus these kinds of refactors would be to replace strcpy()
> with a macro wrapper that fails a build when the sizes aren't known, but
> then otherwise calls strscpy instead. With that in place, you can find
> all the actually unbounded cases and work through each of them, and once
> they have all been purged from the kernel, that strcpy macro can land,
> which will keep new unbounded instances from showing up.
> 

My current wrapper (which will allow the above is):
#if !defined(ALLOW_STRCPY)
#define strcpy(dst, src) ({ \ 
        size_t _dst_size, _src_size; \
        char *const _dst = dst; \
        const char *_src = src; \
        bool _use_memcpy = true; \
\
        _dst_size = __is_array(dst) ? sizeof(dst) : __builtin_object_size(dst, 1); \
        BUILD_BUG_ON_MSG(!_dst_size, "strcpy() dst size zero"); \
        BUILD_BUG_ON_MSG(_dst_size == SIZE_MAX, "strcpy() dst size unknown"); \
\
        if (__builtin_constant_p(_src && _src[0])) \
                _src_size = __builtin_strlen(_src) + 1; \
        else { \
                BUILD_BUG_ON_MSG(!__is_array(src), "strcpy() src unbounded"); \
                _src_size = sizeof(src); \
                BUILD_BUG_ON_MSG(!_src_size, "strcpy() src is zero length array"); \
                _use_memcpy = _src_size <= 32; \
        } \
        BUILD_BUG_ON_MSG(!statically_true(_src_size <= _dst_size), "strcpy() src too big"); \
        if (_use_memcpy) \
                __underlying_memcpy(_dst, _src, _src_size); \
        else \
                __underlying_strcpy(_dst, _src); \
        _dst; \
})

__FORTIFY_INLINE __diagnose_as(__builtin_strcpy, 1, 2)
char *(strcpy)(char * const POS p, const char * const POS q)
{
        BUILD_BUG_ON_MSG(1, "Direct call to strcpy");
        return p;
}
#else
...
#endif

The one I was using before required the source be a constant string.

Note that this is just intended to find the unbounded copies at compile time,
rather than being a suggested patch.
The ALLOW_STRCPY is needed for things like the acpi code which are out of tree
(and other files I didn't want to fix).

The acpi code is stunningly bad, it saves the string lengths for the kmalloc()
calls and then uses strcpy() to copy the data.
If anyone manages to gen them out of sync it will overwrite memory.

	David