Message ID | 20230517142955.1519572-1-azeemshaikh38@gmail.com (mailing list archive) |
---|---|
State | Mainlined |
Commit | 7afbe5defb52f721fe7b04c7e36e0c60cecdeea8 |
Headers | show |
Series | scsi: 3w-9xxx: Replace all non-returning strlcpy with strscpy | expand |
On Wed, May 17, 2023 at 02:29:55PM +0000, Azeem Shaikh wrote: > strlcpy() reads the entire source buffer first. > This read may exceed the destination size limit. > This is both inefficient and can lead to linear read > overflows if a source string is not NUL-terminated [1]. > In an effort to remove strlcpy() completely [2], replace > strlcpy() here with strscpy(). > No return values were used, so direct replacement is safe. > > [1] https://www.kernel.org/doc/html/latest/process/deprecated.html#strlcpy > [2] https://github.com/KSPP/linux/issues/89 > > Signed-off-by: Azeem Shaikh <azeemshaikh38@gmail.com> Reviewed-by: Kees Cook <keescook@chromium.org>
On Wed, 17 May 2023 14:29:55 +0000, Azeem Shaikh wrote: > strlcpy() reads the entire source buffer first. > This read may exceed the destination size limit. > This is both inefficient and can lead to linear read > overflows if a source string is not NUL-terminated [1]. > In an effort to remove strlcpy() completely [2], replace > strlcpy() here with strscpy(). > No return values were used, so direct replacement is safe. > > [...] Applied to for-next/hardening, thanks! [1/1] scsi: 3w-9xxx: Replace all non-returning strlcpy with strscpy https://git.kernel.org/kees/c/fa36c95739ab
Kees, > On Wed, 17 May 2023 14:29:55 +0000, Azeem Shaikh wrote: >> strlcpy() reads the entire source buffer first. >> This read may exceed the destination size limit. >> This is both inefficient and can lead to linear read >> overflows if a source string is not NUL-terminated [1]. >> In an effort to remove strlcpy() completely [2], replace >> strlcpy() here with strscpy(). >> No return values were used, so direct replacement is safe. >> >> [...] > > Applied to for-next/hardening, thanks! > > [1/1] scsi: 3w-9xxx: Replace all non-returning strlcpy with strscpy > https://git.kernel.org/kees/c/fa36c95739ab Are you planning on sending these? That's fine with me, just need to know if I should close them in patchwork...
On May 22, 2023 3:41:58 PM PDT, "Martin K. Petersen" <martin.petersen@oracle.com> wrote: > >Kees, > >> On Wed, 17 May 2023 14:29:55 +0000, Azeem Shaikh wrote: >>> strlcpy() reads the entire source buffer first. >>> This read may exceed the destination size limit. >>> This is both inefficient and can lead to linear read >>> overflows if a source string is not NUL-terminated [1]. >>> In an effort to remove strlcpy() completely [2], replace >>> strlcpy() here with strscpy(). >>> No return values were used, so direct replacement is safe. >>> >>> [...] >> >> Applied to for-next/hardening, thanks! >> >> [1/1] scsi: 3w-9xxx: Replace all non-returning strlcpy with strscpy >> https://git.kernel.org/kees/c/fa36c95739ab > >Are you planning on sending these? That's fine with me, just need to >know if I should close them in patchwork... Yeah, I took a bunch that hadn't been picked up yet: https://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git/log/?h=for-next/hardening Thanks!
diff --git a/drivers/scsi/3w-9xxx.c b/drivers/scsi/3w-9xxx.c index 38d20a69ee12..f925f8664c2c 100644 --- a/drivers/scsi/3w-9xxx.c +++ b/drivers/scsi/3w-9xxx.c @@ -617,7 +617,7 @@ static int twa_check_srl(TW_Device_Extension *tw_dev, int *flashed) } /* Load rest of compatibility struct */ - strlcpy(tw_dev->tw_compat_info.driver_version, TW_DRIVER_VERSION, + strscpy(tw_dev->tw_compat_info.driver_version, TW_DRIVER_VERSION, sizeof(tw_dev->tw_compat_info.driver_version)); tw_dev->tw_compat_info.driver_srl_high = TW_CURRENT_DRIVER_SRL; tw_dev->tw_compat_info.driver_branch_high = TW_CURRENT_DRIVER_BRANCH;
strlcpy() reads the entire source buffer first. This read may exceed the destination size limit. This is both inefficient and can lead to linear read overflows if a source string is not NUL-terminated [1]. In an effort to remove strlcpy() completely [2], replace strlcpy() here with strscpy(). No return values were used, so direct replacement is safe. [1] https://www.kernel.org/doc/html/latest/process/deprecated.html#strlcpy [2] https://github.com/KSPP/linux/issues/89 Signed-off-by: Azeem Shaikh <azeemshaikh38@gmail.com> --- drivers/scsi/3w-9xxx.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)