| Message ID | 20230510221119.3508930-1-azeemshaikh38@gmail.com (mailing list archive) |
|---|---|
| State | Mainlined |
| Commit | c642256b91770e201519d037a91f255a617a4602 |
| Headers | show |
| Series | vfs: Replace all non-returning strlcpy with strscpy | expand |
On Wed, May 10, 2023 at 10:11:19PM +0000, Azeem Shaikh wrote: > strlcpy() reads the entire source buffer first. > This read may exceed the destination size limit. > This is both inefficient and can lead to linear read > overflows if a source string is not NUL-terminated [1]. > In an effort to remove strlcpy() completely [2], replace > strlcpy() here with strscpy(). > No return values were used, so direct replacement is safe. > > [1] https://www.kernel.org/doc/html/latest/process/deprecated.html#strlcpy > [2] https://github.com/KSPP/linux/issues/89 > > Signed-off-by: Azeem Shaikh <azeemshaikh38@gmail.com> Reviewed-by: Kees Cook <keescook@chromium.org>
On Wed, 10 May 2023 22:11:19 +0000, Azeem Shaikh wrote: > strlcpy() reads the entire source buffer first. > This read may exceed the destination size limit. > This is both inefficient and can lead to linear read > overflows if a source string is not NUL-terminated [1]. > In an effort to remove strlcpy() completely [2], replace > strlcpy() here with strscpy(). > No return values were used, so direct replacement is safe. > > [...] I sincerely hope we'll be done with swapping out various string functions for one another at some point. Such patches always seems benign and straightforward but the potential for subtle bugs is feels rather high... Applied to the vfs.misc branch of the vfs/vfs.git tree. Patches in the vfs.misc branch should appear in linux-next soon. Please report any outstanding bugs that were missed during review in a new review to the original patch series allowing us to drop it. tree: https://git.kernel.org/pub/scm/linux/kernel/git/vfs/vfs.git branch: vfs.misc [1/1] vfs: Replace all non-returning strlcpy with strscpy https://git.kernel.org/vfs/vfs/c/3c5d4d803c60
On Mon, May 15, 2023 at 09:50:25AM +0200, Christian Brauner wrote: > On Wed, 10 May 2023 22:11:19 +0000, Azeem Shaikh wrote: > > strlcpy() reads the entire source buffer first. > > This read may exceed the destination size limit. > > This is both inefficient and can lead to linear read > > overflows if a source string is not NUL-terminated [1]. > > In an effort to remove strlcpy() completely [2], replace > > strlcpy() here with strscpy(). > > No return values were used, so direct replacement is safe. > > > > [...] > > I sincerely hope we'll be done with swapping out various string > functions for one another at some point. Such patches always seems > benign and straightforward but the potential for subtle bugs is > feels rather high... Agreed. The long-term goal is to remove "strlcpy"[1] and "strncpy"[2] completely from the kernel, leaving only "strscpy". From there, I hope to do a treewide change to scrub the kernel of the pattern: strscpy(fixed-sized-dest, fixed-sized-source, sizeof(fixed-size-dest)) and replace it with a much stricter "strcpy" that refuses to work on dynamically sized arguments. This will get us away from the pointless exercise of duplicating sizeof() arguments when the compiler can very happily do it itself. But doing the return value transitions (and padding checks) for strlcpy and strncpy need to happen first. It's a long road. > Applied to the vfs.misc branch of the vfs/vfs.git tree. > Patches in the vfs.misc branch should appear in linux-next soon. Thanks! -Kees [1] https://github.com/KSPP/linux/issues/89 [2] https://github.com/KSPP/linux/issues/90
diff --git a/fs/char_dev.c b/fs/char_dev.c index 13deb45f1ec6..950b6919fb87 100644 --- a/fs/char_dev.c +++ b/fs/char_dev.c @@ -150,7 +150,7 @@ __register_chrdev_region(unsigned int major, unsigned int baseminor, cd->major = major; cd->baseminor = baseminor; cd->minorct = minorct; - strlcpy(cd->name, name, sizeof(cd->name)); + strscpy(cd->name, name, sizeof(cd->name)); if (!prev) { cd->next = curr; diff --git a/fs/super.c b/fs/super.c index 34afe411cf2b..8d8d68799b34 100644 --- a/fs/super.c +++ b/fs/super.c @@ -595,7 +595,7 @@ struct super_block *sget_fc(struct fs_context *fc, fc->s_fs_info = NULL; s->s_type = fc->fs_type; s->s_iflags |= fc->s_iflags; - strlcpy(s->s_id, s->s_type->name, sizeof(s->s_id)); + strscpy(s->s_id, s->s_type->name, sizeof(s->s_id)); list_add_tail(&s->s_list, &super_blocks); hlist_add_head(&s->s_instances, &s->s_type->fs_supers); spin_unlock(&sb_lock); @@ -674,7 +674,7 @@ struct super_block *sget(struct file_system_type *type, return ERR_PTR(err); } s->s_type = type; - strlcpy(s->s_id, type->name, sizeof(s->s_id)); + strscpy(s->s_id, type->name, sizeof(s->s_id)); list_add_tail(&s->s_list, &super_blocks); hlist_add_head(&s->s_instances, &type->fs_supers); spin_unlock(&sb_lock);
strlcpy() reads the entire source buffer first. This read may exceed the destination size limit. This is both inefficient and can lead to linear read overflows if a source string is not NUL-terminated [1]. In an effort to remove strlcpy() completely [2], replace strlcpy() here with strscpy(). No return values were used, so direct replacement is safe. [1] https://www.kernel.org/doc/html/latest/process/deprecated.html#strlcpy [2] https://github.com/KSPP/linux/issues/89 Signed-off-by: Azeem Shaikh <azeemshaikh38@gmail.com> --- fs/char_dev.c | 2 +- fs/super.c | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-)