| Message ID | 20230523021640.2406585-1-azeemshaikh38@gmail.com (mailing list archive) |
|---|---|
| State | Mainlined |
| Commit | 2af4aa3be58802cf00f834eeaad1243290bb1d4a |
| Headers | show |
| Series | staging: most: Replace all non-returning strlcpy with strscpy | expand |
On Tue, May 23, 2023 at 02:16:40AM +0000, Azeem Shaikh wrote: > strlcpy() reads the entire source buffer first. > This read may exceed the destination size limit. > This is both inefficient and can lead to linear read > overflows if a source string is not NUL-terminated [1]. > In an effort to remove strlcpy() completely [2], replace > strlcpy() here with strscpy(). > No return values were used, so direct replacement is safe. > > [1] https://www.kernel.org/doc/html/latest/process/deprecated.html#strlcpy > [2] https://github.com/KSPP/linux/issues/89 > > Signed-off-by: Azeem Shaikh <azeemshaikh38@gmail.com> Reviewed-by: Kees Cook <keescook@chromium.org>
On Tue, 23 May 2023 02:16:40 +0000, Azeem Shaikh wrote: > strlcpy() reads the entire source buffer first. > This read may exceed the destination size limit. > This is both inefficient and can lead to linear read > overflows if a source string is not NUL-terminated [1]. > In an effort to remove strlcpy() completely [2], replace > strlcpy() here with strscpy(). > No return values were used, so direct replacement is safe. > > [...] Applied to for-next/hardening, thanks! [1/1] staging: most: Replace all non-returning strlcpy with strscpy https://git.kernel.org/kees/c/32c7fb186c1b
diff --git a/drivers/most/configfs.c b/drivers/most/configfs.c index 27b0c923597f..36d8c917f65f 100644 --- a/drivers/most/configfs.c +++ b/drivers/most/configfs.c @@ -204,7 +204,7 @@ static ssize_t mdev_link_device_store(struct config_item *item, { struct mdev_link *mdev_link = to_mdev_link(item); - strlcpy(mdev_link->device, page, sizeof(mdev_link->device)); + strscpy(mdev_link->device, page, sizeof(mdev_link->device)); strim(mdev_link->device); return count; } @@ -219,7 +219,7 @@ static ssize_t mdev_link_channel_store(struct config_item *item, { struct mdev_link *mdev_link = to_mdev_link(item); - strlcpy(mdev_link->channel, page, sizeof(mdev_link->channel)); + strscpy(mdev_link->channel, page, sizeof(mdev_link->channel)); strim(mdev_link->channel); return count; } @@ -234,7 +234,7 @@ static ssize_t mdev_link_comp_store(struct config_item *item, { struct mdev_link *mdev_link = to_mdev_link(item); - strlcpy(mdev_link->comp, page, sizeof(mdev_link->comp)); + strscpy(mdev_link->comp, page, sizeof(mdev_link->comp)); strim(mdev_link->comp); return count; } @@ -250,7 +250,7 @@ static ssize_t mdev_link_comp_params_store(struct config_item *item, { struct mdev_link *mdev_link = to_mdev_link(item); - strlcpy(mdev_link->comp_params, page, sizeof(mdev_link->comp_params)); + strscpy(mdev_link->comp_params, page, sizeof(mdev_link->comp_params)); strim(mdev_link->comp_params); return count; }
strlcpy() reads the entire source buffer first. This read may exceed the destination size limit. This is both inefficient and can lead to linear read overflows if a source string is not NUL-terminated [1]. In an effort to remove strlcpy() completely [2], replace strlcpy() here with strscpy(). No return values were used, so direct replacement is safe. [1] https://www.kernel.org/doc/html/latest/process/deprecated.html#strlcpy [2] https://github.com/KSPP/linux/issues/89 Signed-off-by: Azeem Shaikh <azeemshaikh38@gmail.com> --- drivers/most/configfs.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-)