| Message ID | 20200626130525.389469-2-lee.jones@linaro.org (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
| Series | Fix a bunch of W=1 warnings in Misc | expand |
On 26/06/2020 15:05, Lee Jones wrote: > We need to ensure there's a place for the NULL terminator. > > Fixes the following W=1 warning(s): > > In file included from include/linux/bitmap.h:9, > from include/linux/nodemask.h:95, > from include/linux/mmzone.h:17, > from include/linux/gfp.h:6, > from include/linux/umh.h:4, > from include/linux/kmod.h:9, > from include/linux/module.h:16, > from drivers/misc/c2port/core.c:9: > In function ‘strncpy’, > inlined from ‘c2port_device_register’ at drivers/misc/c2port/core.c:926:2: > include/linux/string.h:297:30: warning: ‘__builtin_strncpy’ specified bound 32 equals destination size [-Wstringop-truncation] > 297 | #define __underlying_strncpy __builtin_strncpy > | ^ > include/linux/string.h:307:9: note: in expansion of macro ‘__underlying_strncpy’ > 307 | return __underlying_strncpy(p, q, size); > | ^~~~~~~~~~~~~~~~~~~~ > > Cc: Rodolfo Giometti <giometti@linux.it> > Cc: "Eurotech S.p.A" <info@eurotech.it> > Signed-off-by: Lee Jones <lee.jones@linaro.org> > --- > drivers/misc/c2port/core.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/drivers/misc/c2port/core.c b/drivers/misc/c2port/core.c > index 33bba18022892..80d87e8a0bea9 100644 > --- a/drivers/misc/c2port/core.c > +++ b/drivers/misc/c2port/core.c > @@ -923,7 +923,7 @@ struct c2port_device *c2port_device_register(char *name, > } > dev_set_drvdata(c2dev->dev, c2dev); > > - strncpy(c2dev->name, name, C2PORT_NAME_LEN); > + strncpy(c2dev->name, name, C2PORT_NAME_LEN - 1); > c2dev->ops = ops; > mutex_init(&c2dev->mutex); > Acked-by: Rodolfo Giometti <giometti@enneenne.com> Note that giometti@linux.it is just an alias. My main e-mail address is giometti@enneenne.com Rodolfo Giometti
Hi Lee, On Fri, Jun 26, 2020 at 3:06 PM Lee Jones <lee.jones@linaro.org> wrote: > We need to ensure there's a place for the NULL terminator. But who's filling that space with a NUL (not NULL) terminator? > Fixes the following W=1 warning(s): > > In file included from include/linux/bitmap.h:9, > from include/linux/nodemask.h:95, > from include/linux/mmzone.h:17, > from include/linux/gfp.h:6, > from include/linux/umh.h:4, > from include/linux/kmod.h:9, > from include/linux/module.h:16, > from drivers/misc/c2port/core.c:9: > In function ‘strncpy’, > inlined from ‘c2port_device_register’ at drivers/misc/c2port/core.c:926:2: > include/linux/string.h:297:30: warning: ‘__builtin_strncpy’ specified bound 32 equals destination size [-Wstringop-truncation] > 297 | #define __underlying_strncpy __builtin_strncpy > | ^ > include/linux/string.h:307:9: note: in expansion of macro ‘__underlying_strncpy’ > 307 | return __underlying_strncpy(p, q, size); > | ^~~~~~~~~~~~~~~~~~~~ > > Cc: Rodolfo Giometti <giometti@linux.it> > Cc: "Eurotech S.p.A" <info@eurotech.it> > Signed-off-by: Lee Jones <lee.jones@linaro.org> > --- > drivers/misc/c2port/core.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/drivers/misc/c2port/core.c b/drivers/misc/c2port/core.c > index 33bba18022892..80d87e8a0bea9 100644 > --- a/drivers/misc/c2port/core.c > +++ b/drivers/misc/c2port/core.c > @@ -923,7 +923,7 @@ struct c2port_device *c2port_device_register(char *name, > } > dev_set_drvdata(c2dev->dev, c2dev); c2dev is allocated using: c2dev = kmalloc(sizeof(struct c2port_device), GFP_KERNEL); hence the allocated memory is not zeroed. > > - strncpy(c2dev->name, name, C2PORT_NAME_LEN); > + strncpy(c2dev->name, name, C2PORT_NAME_LEN - 1); strncpy() 1. does not terminate the destination with a NUL if the source length is C2PORT_NAME_LEN - 1, 2. fills all remaining space in the destination buffer with NUL characters. So c2dev.name[C2PORT_NAME_LEN - 1] always contains an uninitialized value. Now, it seems the only caller of c2port_device_register() passes "uc" as the name. Which means in practice c2dev.name[] will be NUL-terminated. However, the last byte will still be uninitialized, and if the buffer is ever copied to userspace, your patch will have introduced a leak. > c2dev->ops = ops; > mutex_init(&c2dev->mutex); Gr{oetje,eeting}s, Geert -- Geert Uytterhoeven -- There's lots of Linux beyond ia32 -- geert@linux-m68k.org In personal conversations with technical people, I call myself a hacker. But when I'm talking to journalists I just say "programmer" or something like that. -- Linus Torvalds
On Mon, 13 Jul 2020, Geert Uytterhoeven wrote: > Hi Lee, > > On Fri, Jun 26, 2020 at 3:06 PM Lee Jones <lee.jones@linaro.org> wrote: > > We need to ensure there's a place for the NULL terminator. > > But who's filling that space with a NUL (not NULL) terminator? > > > Fixes the following W=1 warning(s): > > > > In file included from include/linux/bitmap.h:9, > > from include/linux/nodemask.h:95, > > from include/linux/mmzone.h:17, > > from include/linux/gfp.h:6, > > from include/linux/umh.h:4, > > from include/linux/kmod.h:9, > > from include/linux/module.h:16, > > from drivers/misc/c2port/core.c:9: > > In function ‘strncpy’, > > inlined from ‘c2port_device_register’ at drivers/misc/c2port/core.c:926:2: > > include/linux/string.h:297:30: warning: ‘__builtin_strncpy’ specified bound 32 equals destination size [-Wstringop-truncation] > > 297 | #define __underlying_strncpy __builtin_strncpy > > | ^ > > include/linux/string.h:307:9: note: in expansion of macro ‘__underlying_strncpy’ > > 307 | return __underlying_strncpy(p, q, size); > > | ^~~~~~~~~~~~~~~~~~~~ > > > > Cc: Rodolfo Giometti <giometti@linux.it> > > Cc: "Eurotech S.p.A" <info@eurotech.it> > > Signed-off-by: Lee Jones <lee.jones@linaro.org> > > --- > > drivers/misc/c2port/core.c | 2 +- > > 1 file changed, 1 insertion(+), 1 deletion(-) > > > > diff --git a/drivers/misc/c2port/core.c b/drivers/misc/c2port/core.c > > index 33bba18022892..80d87e8a0bea9 100644 > > --- a/drivers/misc/c2port/core.c > > +++ b/drivers/misc/c2port/core.c > > @@ -923,7 +923,7 @@ struct c2port_device *c2port_device_register(char *name, > > } > > dev_set_drvdata(c2dev->dev, c2dev); > > c2dev is allocated using: > > c2dev = kmalloc(sizeof(struct c2port_device), GFP_KERNEL); > > hence the allocated memory is not zeroed. > > > > > - strncpy(c2dev->name, name, C2PORT_NAME_LEN); > > + strncpy(c2dev->name, name, C2PORT_NAME_LEN - 1); > > strncpy() > 1. does not terminate the destination with a NUL if the source length > is C2PORT_NAME_LEN - 1, > 2. fills all remaining space in the destination buffer with NUL characters. > > So c2dev.name[C2PORT_NAME_LEN - 1] always contains an uninitialized > value. > > Now, it seems the only caller of c2port_device_register() passes > "uc" as the name. Which means in practice c2dev.name[] will be > NUL-terminated. However, the last byte will still be uninitialized, and > if the buffer is ever copied to userspace, your patch will have introduced > a leak. Quite right. Good spot. I must have made the assumption that the destination buffer would be pre-initialised. Not sure why it's not in this case. Seems like an odd practice. So we have a choice. We can either enlarge the destination buffer to *actually* allow a full length (32 byte in this case) naming string, or zero the buffer. Or even both! Do you have a preference?
Hi Lee, On Tue, Jul 14, 2020 at 9:46 AM Lee Jones <lee.jones@linaro.org> wrote: > On Mon, 13 Jul 2020, Geert Uytterhoeven wrote: > > On Fri, Jun 26, 2020 at 3:06 PM Lee Jones <lee.jones@linaro.org> wrote: > > > We need to ensure there's a place for the NULL terminator. > > > > But who's filling that space with a NUL (not NULL) terminator? > > > > > Fixes the following W=1 warning(s): > > > > > > In file included from include/linux/bitmap.h:9, > > > from include/linux/nodemask.h:95, > > > from include/linux/mmzone.h:17, > > > from include/linux/gfp.h:6, > > > from include/linux/umh.h:4, > > > from include/linux/kmod.h:9, > > > from include/linux/module.h:16, > > > from drivers/misc/c2port/core.c:9: > > > In function ‘strncpy’, > > > inlined from ‘c2port_device_register’ at drivers/misc/c2port/core.c:926:2: > > > include/linux/string.h:297:30: warning: ‘__builtin_strncpy’ specified bound 32 equals destination size [-Wstringop-truncation] > > > 297 | #define __underlying_strncpy __builtin_strncpy > > > | ^ > > > include/linux/string.h:307:9: note: in expansion of macro ‘__underlying_strncpy’ > > > 307 | return __underlying_strncpy(p, q, size); > > > | ^~~~~~~~~~~~~~~~~~~~ > > > > > > Cc: Rodolfo Giometti <giometti@linux.it> > > > Cc: "Eurotech S.p.A" <info@eurotech.it> > > > Signed-off-by: Lee Jones <lee.jones@linaro.org> > > > --- > > > drivers/misc/c2port/core.c | 2 +- > > > 1 file changed, 1 insertion(+), 1 deletion(-) > > > > > > diff --git a/drivers/misc/c2port/core.c b/drivers/misc/c2port/core.c > > > index 33bba18022892..80d87e8a0bea9 100644 > > > --- a/drivers/misc/c2port/core.c > > > +++ b/drivers/misc/c2port/core.c > > > @@ -923,7 +923,7 @@ struct c2port_device *c2port_device_register(char *name, > > > } > > > dev_set_drvdata(c2dev->dev, c2dev); > > > > c2dev is allocated using: > > > > c2dev = kmalloc(sizeof(struct c2port_device), GFP_KERNEL); > > > > hence the allocated memory is not zeroed. > > > > > > > > - strncpy(c2dev->name, name, C2PORT_NAME_LEN); > > > + strncpy(c2dev->name, name, C2PORT_NAME_LEN - 1); > > > > strncpy() > > 1. does not terminate the destination with a NUL if the source length > > is C2PORT_NAME_LEN - 1, > > 2. fills all remaining space in the destination buffer with NUL characters. > > > > So c2dev.name[C2PORT_NAME_LEN - 1] always contains an uninitialized > > value. > > > > Now, it seems the only caller of c2port_device_register() passes > > "uc" as the name. Which means in practice c2dev.name[] will be > > NUL-terminated. However, the last byte will still be uninitialized, and > > if the buffer is ever copied to userspace, your patch will have introduced > > a leak. > > Quite right. Good spot. I must have made the assumption that the > destination buffer would be pre-initialised. Not sure why it's not in > this case. Seems like an odd practice. > > So we have a choice. We can either enlarge the destination buffer to > *actually* allow a full length (32 byte in this case) naming string, > or zero the buffer. > > Or even both! > > Do you have a preference? Do we know if the buffer or full c2dev struct is ever copied to userspace? If it may be copied => kalloc(). If it will never be copied => strlcpy() (no NUL-padding, only NUL-terminator). Oh, and there is a newer one on the block (which I always have to lookup), which is preferred over strlcpy() and strncpy(): strscpy(). And reading lib/string.c, there's strscpy_pad(), too ;-) Gr{oetje,eeting}s, Geert
On Tue, 14 Jul 2020, Geert Uytterhoeven wrote: > Hi Lee, > > On Tue, Jul 14, 2020 at 9:46 AM Lee Jones <lee.jones@linaro.org> wrote: > > On Mon, 13 Jul 2020, Geert Uytterhoeven wrote: > > > On Fri, Jun 26, 2020 at 3:06 PM Lee Jones <lee.jones@linaro.org> wrote: > > > > We need to ensure there's a place for the NULL terminator. > > > > > > But who's filling that space with a NUL (not NULL) terminator? > > > > > > > Fixes the following W=1 warning(s): > > > > > > > > In file included from include/linux/bitmap.h:9, > > > > from include/linux/nodemask.h:95, > > > > from include/linux/mmzone.h:17, > > > > from include/linux/gfp.h:6, > > > > from include/linux/umh.h:4, > > > > from include/linux/kmod.h:9, > > > > from include/linux/module.h:16, > > > > from drivers/misc/c2port/core.c:9: > > > > In function ‘strncpy’, > > > > inlined from ‘c2port_device_register’ at drivers/misc/c2port/core.c:926:2: > > > > include/linux/string.h:297:30: warning: ‘__builtin_strncpy’ specified bound 32 equals destination size [-Wstringop-truncation] > > > > 297 | #define __underlying_strncpy __builtin_strncpy > > > > | ^ > > > > include/linux/string.h:307:9: note: in expansion of macro ‘__underlying_strncpy’ > > > > 307 | return __underlying_strncpy(p, q, size); > > > > | ^~~~~~~~~~~~~~~~~~~~ > > > > > > > > Cc: Rodolfo Giometti <giometti@linux.it> > > > > Cc: "Eurotech S.p.A" <info@eurotech.it> > > > > Signed-off-by: Lee Jones <lee.jones@linaro.org> > > > > --- > > > > drivers/misc/c2port/core.c | 2 +- > > > > 1 file changed, 1 insertion(+), 1 deletion(-) > > > > > > > > diff --git a/drivers/misc/c2port/core.c b/drivers/misc/c2port/core.c > > > > index 33bba18022892..80d87e8a0bea9 100644 > > > > --- a/drivers/misc/c2port/core.c > > > > +++ b/drivers/misc/c2port/core.c > > > > @@ -923,7 +923,7 @@ struct c2port_device *c2port_device_register(char *name, > > > > } > > > > dev_set_drvdata(c2dev->dev, c2dev); > > > > > > c2dev is allocated using: > > > > > > c2dev = kmalloc(sizeof(struct c2port_device), GFP_KERNEL); > > > > > > hence the allocated memory is not zeroed. > > > > > > > > > > > - strncpy(c2dev->name, name, C2PORT_NAME_LEN); > > > > + strncpy(c2dev->name, name, C2PORT_NAME_LEN - 1); > > > > > > strncpy() > > > 1. does not terminate the destination with a NUL if the source length > > > is C2PORT_NAME_LEN - 1, > > > 2. fills all remaining space in the destination buffer with NUL characters. > > > > > > So c2dev.name[C2PORT_NAME_LEN - 1] always contains an uninitialized > > > value. > > > > > > Now, it seems the only caller of c2port_device_register() passes > > > "uc" as the name. Which means in practice c2dev.name[] will be > > > NUL-terminated. However, the last byte will still be uninitialized, and > > > if the buffer is ever copied to userspace, your patch will have introduced > > > a leak. > > > > Quite right. Good spot. I must have made the assumption that the > > destination buffer would be pre-initialised. Not sure why it's not in > > this case. Seems like an odd practice. > > > > So we have a choice. We can either enlarge the destination buffer to > > *actually* allow a full length (32 byte in this case) naming string, > > or zero the buffer. > > > > Or even both! > > > > Do you have a preference? > > Do we know if the buffer or full c2dev struct is ever copied to userspace? I don't know that, but I think we should err on the side of caution. > If it may be copied => kalloc(). Do you mean kzalloc()? > If it will never be copied => strlcpy() (no NUL-padding, only NUL-terminator). > > Oh, and there is a newer one on the block (which I always have to lookup), > which is preferred over strlcpy() and strncpy(): strscpy(). > And reading lib/string.c, there's strscpy_pad(), too ;-) Let's not get too crazy. ;)
On Tue, Jul 14, 2020 at 10:01 AM Lee Jones <lee.jones@linaro.org> wrote: > On Tue, 14 Jul 2020, Geert Uytterhoeven wrote: > > On Tue, Jul 14, 2020 at 9:46 AM Lee Jones <lee.jones@linaro.org> wrote: > > > On Mon, 13 Jul 2020, Geert Uytterhoeven wrote: > > > > On Fri, Jun 26, 2020 at 3:06 PM Lee Jones <lee.jones@linaro.org> wrote: > > > > > We need to ensure there's a place for the NULL terminator. > > > > > > > > But who's filling that space with a NUL (not NULL) terminator? > > > > > > > > > Fixes the following W=1 warning(s): > > > > > > > > > > In file included from include/linux/bitmap.h:9, > > > > > from include/linux/nodemask.h:95, > > > > > from include/linux/mmzone.h:17, > > > > > from include/linux/gfp.h:6, > > > > > from include/linux/umh.h:4, > > > > > from include/linux/kmod.h:9, > > > > > from include/linux/module.h:16, > > > > > from drivers/misc/c2port/core.c:9: > > > > > In function ‘strncpy’, > > > > > inlined from ‘c2port_device_register’ at drivers/misc/c2port/core.c:926:2: > > > > > include/linux/string.h:297:30: warning: ‘__builtin_strncpy’ specified bound 32 equals destination size [-Wstringop-truncation] > > > > > 297 | #define __underlying_strncpy __builtin_strncpy > > > > > | ^ > > > > > include/linux/string.h:307:9: note: in expansion of macro ‘__underlying_strncpy’ > > > > > 307 | return __underlying_strncpy(p, q, size); > > > > > | ^~~~~~~~~~~~~~~~~~~~ > > > > > > > > > > Cc: Rodolfo Giometti <giometti@linux.it> > > > > > Cc: "Eurotech S.p.A" <info@eurotech.it> > > > > > Signed-off-by: Lee Jones <lee.jones@linaro.org> > > > > > --- > > > > > drivers/misc/c2port/core.c | 2 +- > > > > > 1 file changed, 1 insertion(+), 1 deletion(-) > > > > > > > > > > diff --git a/drivers/misc/c2port/core.c b/drivers/misc/c2port/core.c > > > > > index 33bba18022892..80d87e8a0bea9 100644 > > > > > --- a/drivers/misc/c2port/core.c > > > > > +++ b/drivers/misc/c2port/core.c > > > > > @@ -923,7 +923,7 @@ struct c2port_device *c2port_device_register(char *name, > > > > > } > > > > > dev_set_drvdata(c2dev->dev, c2dev); > > > > > > > > c2dev is allocated using: > > > > > > > > c2dev = kmalloc(sizeof(struct c2port_device), GFP_KERNEL); > > > > > > > > hence the allocated memory is not zeroed. > > > > > > > > > > > > > > - strncpy(c2dev->name, name, C2PORT_NAME_LEN); > > > > > + strncpy(c2dev->name, name, C2PORT_NAME_LEN - 1); > > > > > > > > strncpy() > > > > 1. does not terminate the destination with a NUL if the source length > > > > is C2PORT_NAME_LEN - 1, > > > > 2. fills all remaining space in the destination buffer with NUL characters. > > > > > > > > So c2dev.name[C2PORT_NAME_LEN - 1] always contains an uninitialized > > > > value. > > > > > > > > Now, it seems the only caller of c2port_device_register() passes > > > > "uc" as the name. Which means in practice c2dev.name[] will be > > > > NUL-terminated. However, the last byte will still be uninitialized, and > > > > if the buffer is ever copied to userspace, your patch will have introduced > > > > a leak. > > > > > > Quite right. Good spot. I must have made the assumption that the > > > destination buffer would be pre-initialised. Not sure why it's not in > > > this case. Seems like an odd practice. > > > > > > So we have a choice. We can either enlarge the destination buffer to > > > *actually* allow a full length (32 byte in this case) naming string, > > > or zero the buffer. > > > > > > Or even both! > > > > > > Do you have a preference? > > > > Do we know if the buffer or full c2dev struct is ever copied to userspace? > > I don't know that, but I think we should err on the side of caution. > > > If it may be copied => kalloc(). > > Do you mean kzalloc()? Sorry, kzalloc. > > If it will never be copied => strlcpy() (no NUL-padding, only NUL-terminator). > > > > Oh, and there is a newer one on the block (which I always have to lookup), > > which is preferred over strlcpy() and strncpy(): strscpy(). > > And reading lib/string.c, there's strscpy_pad(), too ;-) > > Let's not get too crazy. ;) The side of caution is kzalloc(), so strscpy() is OK. Gr{oetje,eeting}s, Geert
diff --git a/drivers/misc/c2port/core.c b/drivers/misc/c2port/core.c index 33bba18022892..80d87e8a0bea9 100644 --- a/drivers/misc/c2port/core.c +++ b/drivers/misc/c2port/core.c @@ -923,7 +923,7 @@ struct c2port_device *c2port_device_register(char *name, } dev_set_drvdata(c2dev->dev, c2dev); - strncpy(c2dev->name, name, C2PORT_NAME_LEN); + strncpy(c2dev->name, name, C2PORT_NAME_LEN - 1); c2dev->ops = ops; mutex_init(&c2dev->mutex);
We need to ensure there's a place for the NULL terminator. Fixes the following W=1 warning(s): In file included from include/linux/bitmap.h:9, from include/linux/nodemask.h:95, from include/linux/mmzone.h:17, from include/linux/gfp.h:6, from include/linux/umh.h:4, from include/linux/kmod.h:9, from include/linux/module.h:16, from drivers/misc/c2port/core.c:9: In function ‘strncpy’, inlined from ‘c2port_device_register’ at drivers/misc/c2port/core.c:926:2: include/linux/string.h:297:30: warning: ‘__builtin_strncpy’ specified bound 32 equals destination size [-Wstringop-truncation] 297 | #define __underlying_strncpy __builtin_strncpy | ^ include/linux/string.h:307:9: note: in expansion of macro ‘__underlying_strncpy’ 307 | return __underlying_strncpy(p, q, size); | ^~~~~~~~~~~~~~~~~~~~ Cc: Rodolfo Giometti <giometti@linux.it> Cc: "Eurotech S.p.A" <info@eurotech.it> Signed-off-by: Lee Jones <lee.jones@linaro.org> --- drivers/misc/c2port/core.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)