Message ID | 20231023-strncpy-drivers-s390-cio-chsc-c-v1-1-8b76a7b83260@google.com (mailing list archive) |
---|---|
State | Mainlined |
Commit | 991a211aa99f468cd291a97b8dcb448ebc77f6c4 |
Series | s390/cio: replace deprecated strncpy with strscpy |
On Mon, Oct 23, 2023 at 07:24:38PM +0000, Justin Stitt wrote:
> strncpy() is deprecated for use on NUL-terminated destination strings
> [1] and as such we should prefer more robust and less ambiguous string
> interfaces.
>
> We expect both `params` and `id` to be NUL-terminated based on their
> usage with format strings:
>
>     format_node_data(iuparams, iunodeid, &lir->incident_node);
>     format_node_data(auparams, aunodeid, &lir->attached_node);
>
>     switch (lir->iq.class) {
>     case LIR_IQ_CLASS_DEGRADED:
>         pr_warn("Link degraded: RS=%02x RSID=%04x IC=%02x "
>             "IUPARAMS=%s IUNODEID=%s AUPARAMS=%s AUNODEID=%s\n",
>             sei_area->rs, sei_area->rsid, lir->ic, iuparams,
>             iunodeid, auparams, aunodeid);
>
> NUL-padding is not required as both `params` and `id` have been memset
> to 0:
>
>     memset(params, 0, PARAMS_LEN);
>     memset(id, 0, NODEID_LEN);
>
> Considering the above, a suitable replacement is `strscpy` [2] due to
> the fact that it guarantees NUL-termination on the destination buffer
> without unnecessarily NUL-padding.
>
> Note that there's no overread bugs in the current implementation as the
> string literal "n/a" has a size much smaller than PARAMS_LEN or
> NODEID_LEN. Nonetheless, let's favor strscpy().
>
> Link: https://www.kernel.org/doc/html/latest/process/deprecated.html#strncpy-on-nul-terminated-strings [1]
> Link: https://manpages.debian.org/testing/linux-manual-4.8/strscpy.9.en.html [2]
> Link: https://github.com/KSPP/linux/issues/90
> Cc: linux-hardening@vger.kernel.org
> Signed-off-by: Justin Stitt <justinstitt@google.com>

Looks good.

Reviewed-by: Kees Cook <keescook@chromium.org>

On 10/23/23 21:24, Justin Stitt wrote:
> strncpy() is deprecated for use on NUL-terminated destination strings
> [1] and as such we should prefer more robust and less ambiguous string
> interfaces.
>
> We expect both `params` and `id` to be NUL-terminated based on their
> usage with format strings:
>
>     format_node_data(iuparams, iunodeid, &lir->incident_node);
>     format_node_data(auparams, aunodeid, &lir->attached_node);
>
>     switch (lir->iq.class) {
>     case LIR_IQ_CLASS_DEGRADED:
>         pr_warn("Link degraded: RS=%02x RSID=%04x IC=%02x "
>             "IUPARAMS=%s IUNODEID=%s AUPARAMS=%s AUNODEID=%s\n",
>             sei_area->rs, sei_area->rsid, lir->ic, iuparams,
>             iunodeid, auparams, aunodeid);
>
> NUL-padding is not required as both `params` and `id` have been memset
> to 0:
>
>     memset(params, 0, PARAMS_LEN);
>     memset(id, 0, NODEID_LEN);
>
> Considering the above, a suitable replacement is `strscpy` [2] due to
> the fact that it guarantees NUL-termination on the destination buffer
> without unnecessarily NUL-padding.
>
> Note that there's no overread bugs in the current implementation as the
> string literal "n/a" has a size much smaller than PARAMS_LEN or
> NODEID_LEN. Nonetheless, let's favor strscpy().
>
> Link: https://www.kernel.org/doc/html/latest/process/deprecated.html#strncpy-on-nul-terminated-strings [1]
> Link: https://manpages.debian.org/testing/linux-manual-4.8/strscpy.9.en.html [2]
> Link: https://github.com/KSPP/linux/issues/90
> Cc: linux-hardening@vger.kernel.org
> Signed-off-by: Justin Stitt <justinstitt@google.com>

LGTM. Thank you.

Reviewed-by: Vineeth Vijayan <vneethv@linux.ibm.com>

I can push this to s390-tree and Heiko/Vasily will upstream it.

---snip---

On Mon, Oct 23, 2023 at 07:24:38PM +0000, Justin Stitt wrote:
> strncpy() is deprecated for use on NUL-terminated destination strings
> [1] and as such we should prefer more robust and less ambiguous string
> interfaces.
>
> We expect both `params` and `id` to be NUL-terminated based on their
> usage with format strings:
>
>     format_node_data(iuparams, iunodeid, &lir->incident_node);
>     format_node_data(auparams, aunodeid, &lir->attached_node);
>
>     switch (lir->iq.class) {
>     case LIR_IQ_CLASS_DEGRADED:
>         pr_warn("Link degraded: RS=%02x RSID=%04x IC=%02x "
>             "IUPARAMS=%s IUNODEID=%s AUPARAMS=%s AUNODEID=%s\n",
>             sei_area->rs, sei_area->rsid, lir->ic, iuparams,
>             iunodeid, auparams, aunodeid);
>
> NUL-padding is not required as both `params` and `id` have been memset
> to 0:
>
>     memset(params, 0, PARAMS_LEN);
>     memset(id, 0, NODEID_LEN);
>
> Considering the above, a suitable replacement is `strscpy` [2] due to
> the fact that it guarantees NUL-termination on the destination buffer
> without unnecessarily NUL-padding.
>
> Note that there's no overread bugs in the current implementation as the
> string literal "n/a" has a size much smaller than PARAMS_LEN or
> NODEID_LEN. Nonetheless, let's favor strscpy().
>
> Link: https://www.kernel.org/doc/html/latest/process/deprecated.html#strncpy-on-nul-terminated-strings [1]
> Link: https://manpages.debian.org/testing/linux-manual-4.8/strscpy.9.en.html [2]
> Link: https://github.com/KSPP/linux/issues/90
> Cc: linux-hardening@vger.kernel.org
> Signed-off-by: Justin Stitt <justinstitt@google.com>
> ---
> Note: build-tested only.
>
> Found with: $ rg "strncpy\("
> ---
>  drivers/s390/cio/chsc.c | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)

Applied, thank you!

diff --git a/drivers/s390/cio/chsc.c b/drivers/s390/cio/chsc.c index 0abd77f4b664..9319f448a6e2 100644 --- a/drivers/s390/cio/chsc.c +++ b/drivers/s390/cio/chsc.c @@ -393,8 +393,8 @@ static void format_node_data(char *params, char *id, struct node_descriptor *nd) memset(id, 0, NODEID_LEN); if (nd->validity != ND_VALIDITY_VALID) { - strncpy(params, "n/a", PARAMS_LEN - 1); - strncpy(id, "n/a", NODEID_LEN - 1); + strscpy(params, "n/a", PARAMS_LEN); + strscpy(id, "n/a", NODEID_LEN); return; }
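
Review bot: format_node_data() takes `params` and `id` as bare `char *`, so the new `strscpy(params, "n/a", PARAMS_LEN)` and `strscpy(id, "n/a", NODEID_LEN)` calls in the `nd->validity != ND_VALIDITY_VALID` branch (like the `memset(id, 0, NODEID_LEN)` above them) are only bounded correctly if every caller passes buffers of at least PARAMS_LEN and NODEID_LEN bytes. The hunk does not show the callers, so a short comment on the function stating that requirement would help. Dropping the `- 1` from the size argument is correct, because strscpy() takes the full destination size and writes the terminator itself, but the commit message should say so explicitly so the change is not read as an off-by-one.
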
strncpy() is deprecated for use on NUL-terminated destination strings
[1] and as such we should prefer more robust and less ambiguous string
interfaces.

We expect both `params` and `id` to be NUL-terminated based on their
usage with format strings:

    format_node_data(iuparams, iunodeid, &lir->incident_node);
    format_node_data(auparams, aunodeid, &lir->attached_node);

    switch (lir->iq.class) {
    case LIR_IQ_CLASS_DEGRADED:
        pr_warn("Link degraded: RS=%02x RSID=%04x IC=%02x "
            "IUPARAMS=%s IUNODEID=%s AUPARAMS=%s AUNODEID=%s\n",
            sei_area->rs, sei_area->rsid, lir->ic, iuparams,
            iunodeid, auparams, aunodeid);

NUL-padding is not required as both `params` and `id` have been memset
to 0:

    memset(params, 0, PARAMS_LEN);
    memset(id, 0, NODEID_LEN);

Considering the above, a suitable replacement is `strscpy` [2] due to
the fact that it guarantees NUL-termination on the destination buffer
without unnecessarily NUL-padding.

Note that there's no overread bugs in the current implementation as the
string literal "n/a" has a size much smaller than PARAMS_LEN or
NODEID_LEN. Nonetheless, let's favor strscpy().

Link: https://www.kernel.org/doc/html/latest/process/deprecated.html#strncpy-on-nul-terminated-strings [1]
Link: https://manpages.debian.org/testing/linux-manual-4.8/strscpy.9.en.html [2]
Link: https://github.com/KSPP/linux/issues/90
Cc: linux-hardening@vger.kernel.org
Signed-off-by: Justin Stitt <justinstitt@google.com>
---
Note: build-tested only.

Found with: $ rg "strncpy\("
---
 drivers/s390/cio/chsc.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

---
base-commit: 9c5d00cb7b6bbc5a7965d9ab7d223b5402d1f02c
change-id: 20231023-strncpy-drivers-s390-cio-chsc-c-3bafdc7535b7

Best regards,
--
Justin Stitt <justinstitt@google.com>
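
The difference the commit message describes between the old `strncpy(dst, src, LEN - 1)` call and the new `strscpy(dst, src, LEN)` call, as an added userspace example that is not part of the patch or the kernel source. `strscpy_model`, `run_copy`, `BUF_LEN` and both input strings are constructed for illustration, and the buffer is poisoned rather than zeroed so that each call's own guarantees are visible.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

#define BUF_LEN 10   /* constructed size for this demo, not the value from chsc.c */
#define POISON  0xAA /* marks bytes that a copy call never wrote */
/* Userspace model of the documented strscpy() contract (hypothetical helper,
 * not kernel source; the kernel returns ssize_t): copy at most size-1 bytes,
 * always NUL-terminate, never pad, return length or -E2BIG on truncation. */
static long strscpy_model(char *dst, const char *src, size_t size)
{
    size_t i;
    if (size == 0)
        return -E2BIG;
    for (i = 0; i < size - 1 && src[i] != '\0'; i++)
        dst[i] = src[i];
    dst[i] = '\0';
    return src[i] == '\0' ? (long)i : -E2BIG;
}

struct copy_result { size_t written; int terminated; long ret; };
/* Run the old (strncpy, size - 1) or new (strscpy, size) call on a poisoned
 * buffer, i.e. without the memset() the driver does first. Reports bytes
 * stored, whether a NUL is present, and the strscpy return (0 for strncpy). */
static struct copy_result run_copy(const char *src, int use_strscpy)
{
    struct copy_result r = { 0, 0, 0 };
    unsigned char buf[BUF_LEN];
    size_t i;
    memset(buf, POISON, sizeof(buf));
    if (use_strscpy)
        r.ret = strscpy_model((char *)buf, src, sizeof(buf));
    else
        strncpy((char *)buf, src, sizeof(buf) - 1);
    for (i = 0; i < sizeof(buf); i++)
        r.written += (buf[i] != POISON);
    r.terminated = memchr(buf, '\0', sizeof(buf)) != NULL;
    return r;
}

int main(void)
{
    const char *in[] = { "n/a", "0123456789abcdef" }; /* constructed inputs */
    for (int i = 0; i < 4; i++) {
        struct copy_result r = run_copy(in[i / 2], i % 2);
        printf("%-16s %s written=%zu terminated=%d ret=%ld\n", in[i / 2],
               i % 2 ? "strscpy" : "strncpy", r.written, r.terminated, r.ret);
    }
    return 0;
}
```

With the short "n/a" input both calls terminate, but only `strncpy()` pads; with the over-long input the `strncpy(…, size - 1)` form leaves no terminator of its own, which is why the original code depended on the preceding `memset()`.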