Message ID | 20210916122649.12691-1-tim.gardner@canonical.com (mailing list archive) |
---|---|
State | New, archived |
Series | [v2] drm/i915: use strscpy() to avoid buffer overrun |
On 16/09/2021 13:26, Tim Gardner wrote: > In capture_vma() Coverity complains of a possible buffer overrun. Even > though this is a static function where all call sites can be checked, > limiting the copy length could save some future grief. > > CID 93300 (#1 of 1): Copy into fixed size buffer (STRING_OVERFLOW) > 4. fixed_size_dest: You might overrun the 16-character fixed-size string c->name > by copying name without checking the length. > 5. parameter_as_source: Note: This defect has an elevated risk because the > source argument is a parameter of the current function. > 1326 strcpy(c->name, name); > > Fix any possible overflows by using strscpy() which guarantees NULL termination. > > Also correct 2 other strcpy() call sites with the same potential for Coverity > warnings or overruns. > > v2 - Change $SUBJECT from "drm/i915: zero fill vma name buffer" > Use strscpy() instead of strncpy(). Its a much simpler change. > > Cc: Jani Nikula <jani.nikula@linux.intel.com> > Cc: Joonas Lahtinen <joonas.lahtinen@linux.intel.com> > Cc: Rodrigo Vivi <rodrigo.vivi@intel.com> > Cc: David Airlie <airlied@linux.ie> > Cc: Daniel Vetter <daniel@ffwll.ch> > Cc: intel-gfx@lists.freedesktop.org > Cc: dri-devel@lists.freedesktop.org > Cc: linux-kernel@vger.kernel.org > Signed-off-by: Tim Gardner <tim.gardner@canonical.com> > --- > drivers/gpu/drm/i915/i915_gpu_error.c | 6 +++--- > 1 file changed, 3 insertions(+), 3 deletions(-) > > diff --git a/drivers/gpu/drm/i915/i915_gpu_error.c b/drivers/gpu/drm/i915/i915_gpu_error.c > index 9cf6ac575de1..7f246f51959d 100644 > --- a/drivers/gpu/drm/i915/i915_gpu_error.c > +++ b/drivers/gpu/drm/i915/i915_gpu_error.c > @@ -1015,7 +1015,7 @@ i915_vma_coredump_create(const struct intel_gt *gt, > return NULL; > } > > - strcpy(dst->name, name); > + strscpy(dst->name, name, sizeof(dst->name)); > dst->next = NULL; > > dst->gtt_offset = vma->node.start; 
> @@ -1279,7 +1279,7 @@ static bool record_context(struct i915_gem_context_coredump *e, > rcu_read_lock(); > task = pid_task(ctx->pid, PIDTYPE_PID); > if (task) { > - strcpy(e->comm, task->comm); > + strscpy(e->comm, task->comm, sizeof(e->comm)); > e->pid = task->pid; > } > rcu_read_unlock(); > @@ -1323,7 +1323,7 @@ capture_vma(struct intel_engine_capture_vma *next, > return next; > } > > - strcpy(c->name, name); > + strscpy(c->name, name, sizeof(c->name)); > c->vma = vma; /* reference held while active */ > > c->next = next; > Reviewed-by: Tvrtko Ursulin <tvrtko.ursulin@intel.com> Regards, Tvrtko
diff --git a/drivers/gpu/drm/i915/i915_gpu_error.c b/drivers/gpu/drm/i915/i915_gpu_error.c index 9cf6ac575de1..7f246f51959d 100644 --- a/drivers/gpu/drm/i915/i915_gpu_error.c +++ b/drivers/gpu/drm/i915/i915_gpu_error.c @@ -1015,7 +1015,7 @@ i915_vma_coredump_create(const struct intel_gt *gt, return NULL; } - strcpy(dst->name, name); + strscpy(dst->name, name, sizeof(dst->name)); dst->next = NULL; dst->gtt_offset = vma->node.start; @@ -1279,7 +1279,7 @@ static bool record_context(struct i915_gem_context_coredump *e, rcu_read_lock(); task = pid_task(ctx->pid, PIDTYPE_PID); if (task) { - strcpy(e->comm, task->comm); + strscpy(e->comm, task->comm, sizeof(e->comm)); e->pid = task->pid; } rcu_read_unlock(); @@ -1323,7 +1323,7 @@ capture_vma(struct intel_engine_capture_vma *next, return next; } - strcpy(c->name, name); + strscpy(c->name, name, sizeof(c->name)); c->vma = vma; /* reference held while active */ c->next = next;
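Review bot: In the i915_vma_coredump_create() hunk, the return value of strscpy(dst->name, name, sizeof(dst->name)) is discarded, so a name longer than the buffer is now truncated silently where it previously overran. strscpy() returns -E2BIG when it truncates; a warning on a negative return would surface an over-long name at the call that introduced it, instead of leaving a clipped label in the error dump.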
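Review bot: In the record_context() hunk, e->comm is filled by reading task->comm directly, and the only lock visible around the copy is rcu_read_lock(), so a concurrent rename of the task can be copied half-updated. The length bound is now correct, but get_task_comm(e->comm, task) would take the task lock for the copy and also fail the build if e->comm is not TASK_COMM_LEN bytes. If taking that lock is not acceptable in this capture path, a short comment saying the unlocked read is intentional would help.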
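Review bot: In the capture_vma() hunk, strscpy(c->name, name, sizeof(c->name)) writes the string and a single terminator but leaves the rest of the 16-byte c->name untouched, while the v1 subject quoted in the changelog was about zero filling this buffer. If c is not allocated zeroed and the structure is ever copied out whole, strscpy_pad() with the same arguments would bound the copy and clear the tail in one call. Otherwise, a sentence in the commit message saying why the padding is no longer needed would close the v1 question.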
In capture_vma() Coverity complains of a possible buffer overrun. Even though this is a static function where all call sites can be checked, limiting the copy length could save some future grief.

CID 93300 (#1 of 1): Copy into fixed size buffer (STRING_OVERFLOW)
4. fixed_size_dest: You might overrun the 16-character fixed-size string c->name by copying name without checking the length.
5. parameter_as_source: Note: This defect has an elevated risk because the source argument is a parameter of the current function.
1326 strcpy(c->name, name);

Fix any possible overflows by using strscpy() which guarantees NULL termination.

Also correct 2 other strcpy() call sites with the same potential for Coverity warnings or overruns.

v2 - Change $SUBJECT from "drm/i915: zero fill vma name buffer"
     Use strscpy() instead of strncpy(). It's a much simpler change.

Cc: Jani Nikula <jani.nikula@linux.intel.com>
Cc: Joonas Lahtinen <joonas.lahtinen@linux.intel.com>
Cc: Rodrigo Vivi <rodrigo.vivi@intel.com>
Cc: David Airlie <airlied@linux.ie>
Cc: Daniel Vetter <daniel@ffwll.ch>
Cc: intel-gfx@lists.freedesktop.org
Cc: dri-devel@lists.freedesktop.org
Cc: linux-kernel@vger.kernel.org
Signed-off-by: Tim Gardner <tim.gardner@canonical.com>

---
 drivers/gpu/drm/i915/i915_gpu_error.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)