| Message ID | 20240402-strncpy-kernel-bpf-core-c-v1-1-7cb07a426e78@google.com (mailing list archive) |
|---|---|
| State | Mainlined |
| Commit | 2e114248e086fb376405ed3f89b220f8586a2541 |
| Headers | show |
| Series | bpf: replace deprecated strncpy with strscpy | expand |
On 2024-04-03 at 05:22:50, Justin Stitt (justinstitt@google.com) wrote: > strncpy() is deprecated for use on NUL-terminated destination strings > [1] and as such we should prefer more robust and less ambiguous string > interfaces. > > bpf sym names get looked up and compared/cleaned with various string > apis. This suggests they need to be NUL-terminated (strncpy() suggests > this but does not guarantee it). > > | static int compare_symbol_name(const char *name, char *namebuf) > | { > | cleanup_symbol_name(namebuf); > | return strcmp(name, namebuf); > | } > > | static void cleanup_symbol_name(char *s) > | { > | ... > | res = strstr(s, ".llvm."); > | ... > | } > > Use strscpy() as this method guarantees NUL-termination on the > destination buffer. > > This patch also replaces two uses of strncpy() used in log.c. These are > simple replacements as postfix has been zero-initialized on the stack > and has source arguments with a size less than the destination's size. > > Note that this patch uses the new 2-argument version of strscpy > introduced in Commit e6584c3964f2f ("string: Allow 2-argument > strscpy()"). > > Link: https://www.kernel.org/doc/html/latest/process/deprecated.html#strncpy-on-nul-terminated-strings [1] > Link: https://manpages.debian.org/testing/linux-manual-4.8/strscpy.9.en.html [2] > Link: https://github.com/KSPP/linux/issues/90 > Cc: linux-hardening@vger.kernel.org > Signed-off-by: Justin Stitt <justinstitt@google.com> > --- > Note: build-tested only. > > Found with: $ rg "strncpy\(" > --- > kernel/bpf/core.c | 4 ++-- > kernel/bpf/log.c | 4 ++-- > 2 files changed, 4 insertions(+), 4 deletions(-) > > diff --git a/kernel/bpf/core.c b/kernel/bpf/core.c > index 696bc55de8e8..8c9078f4549c 100644 > --- a/kernel/bpf/core.c > +++ b/kernel/bpf/core.c > @@ -747,7 +747,7 @@ const char *__bpf_address_lookup(unsigned long addr, unsigned long *size, > unsigned long symbol_start = ksym->start; > unsigned long symbol_end = ksym->end; > > - strncpy(sym, ksym->name, KSYM_NAME_LEN); > + strscpy(sym, ksym->name, KSYM_NAME_LEN); You dont have to check return value of strscpy for errors ? > > ret = sym; > if (size) > @@ -813,7 +813,7 @@ int bpf_get_kallsym(unsigned int symnum, unsigned long *value, char *type, > if (it++ != symnum) > continue; > > - strncpy(sym, ksym->name, KSYM_NAME_LEN); > + strscpy(sym, ksym->name, KSYM_NAME_LEN); > > *value = ksym->start; > *type = BPF_SYM_ELF_TYPE; > diff --git a/kernel/bpf/log.c b/kernel/bpf/log.c > index 2a243cf37c60..4bd8f17a9f24 100644 > --- a/kernel/bpf/log.c > +++ b/kernel/bpf/log.c > @@ -467,9 +467,9 @@ const char *reg_type_str(struct bpf_verifier_env *env, enum bpf_reg_type type) > > if (type & PTR_MAYBE_NULL) { > if (base_type(type) == PTR_TO_BTF_ID) > - strncpy(postfix, "or_null_", 16); > + strscpy(postfix, "or_null_"); > else > - strncpy(postfix, "_or_null", 16); > + strscpy(postfix, "_or_null"); > } > > snprintf(prefix, sizeof(prefix), "%s%s%s%s%s%s%s", > > --- > base-commit: 026e680b0a08a62b1d948e5a8ca78700bfac0e6e > change-id: 20240402-strncpy-kernel-bpf-core-c-4d8297f95e18 > > Best regards, > -- > Justin Stitt <justinstitt@google.com> >
On 4/3/24 5:06 AM, Ratheesh Kannoth wrote: > On 2024-04-03 at 05:22:50, Justin Stitt (justinstitt@google.com) wrote: >> strncpy() is deprecated for use on NUL-terminated destination strings >> [1] and as such we should prefer more robust and less ambiguous string >> interfaces. >> >> bpf sym names get looked up and compared/cleaned with various string >> apis. This suggests they need to be NUL-terminated (strncpy() suggests >> this but does not guarantee it). >> >> | static int compare_symbol_name(const char *name, char *namebuf) >> | { >> | cleanup_symbol_name(namebuf); >> | return strcmp(name, namebuf); >> | } >> >> | static void cleanup_symbol_name(char *s) >> | { >> | ... >> | res = strstr(s, ".llvm."); >> | ... >> | } >> >> Use strscpy() as this method guarantees NUL-termination on the >> destination buffer. >> >> This patch also replaces two uses of strncpy() used in log.c. These are >> simple replacements as postfix has been zero-initialized on the stack >> and has source arguments with a size less than the destination's size. >> >> Note that this patch uses the new 2-argument version of strscpy >> introduced in Commit e6584c3964f2f ("string: Allow 2-argument >> strscpy()"). >> >> Link: https://www.kernel.org/doc/html/latest/process/deprecated.html#strncpy-on-nul-terminated-strings [1] >> Link: https://manpages.debian.org/testing/linux-manual-4.8/strscpy.9.en.html [2] >> Link: https://github.com/KSPP/linux/issues/90 >> Cc: linux-hardening@vger.kernel.org >> Signed-off-by: Justin Stitt <justinstitt@google.com> >> --- >> Note: build-tested only. >> >> Found with: $ rg "strncpy\(" >> --- >> kernel/bpf/core.c | 4 ++-- >> kernel/bpf/log.c | 4 ++-- >> 2 files changed, 4 insertions(+), 4 deletions(-) >> >> diff --git a/kernel/bpf/core.c b/kernel/bpf/core.c >> index 696bc55de8e8..8c9078f4549c 100644 >> --- a/kernel/bpf/core.c >> +++ b/kernel/bpf/core.c >> @@ -747,7 +747,7 @@ const char *__bpf_address_lookup(unsigned long addr, unsigned long *size, >> unsigned long symbol_start = ksym->start; >> unsigned long symbol_end = ksym->end; >> >> - strncpy(sym, ksym->name, KSYM_NAME_LEN); >> + strscpy(sym, ksym->name, KSYM_NAME_LEN); > You dont have to check return value of strscpy for errors ? That would be overkill, it can be easily audited that both pointers are of size KSYM_NAME_LEN, as is the count arg. Thanks, Daniel
Hello: This patch was applied to bpf/bpf-next.git (master) by Daniel Borkmann <daniel@iogearbox.net>: On Tue, 02 Apr 2024 23:52:50 +0000 you wrote: > strncpy() is deprecated for use on NUL-terminated destination strings > [1] and as such we should prefer more robust and less ambiguous string > interfaces. > > bpf sym names get looked up and compared/cleaned with various string > apis. This suggests they need to be NUL-terminated (strncpy() suggests > this but does not guarantee it). > > [...] Here is the summary with links: - bpf: replace deprecated strncpy with strscpy https://git.kernel.org/bpf/bpf-next/c/2e114248e086 You are awesome, thank you!
diff --git a/kernel/bpf/core.c b/kernel/bpf/core.c index 696bc55de8e8..8c9078f4549c 100644 --- a/kernel/bpf/core.c +++ b/kernel/bpf/core.c @@ -747,7 +747,7 @@ const char *__bpf_address_lookup(unsigned long addr, unsigned long *size, unsigned long symbol_start = ksym->start; unsigned long symbol_end = ksym->end; - strncpy(sym, ksym->name, KSYM_NAME_LEN); + strscpy(sym, ksym->name, KSYM_NAME_LEN); ret = sym; if (size) @@ -813,7 +813,7 @@ int bpf_get_kallsym(unsigned int symnum, unsigned long *value, char *type, if (it++ != symnum) continue; - strncpy(sym, ksym->name, KSYM_NAME_LEN); + strscpy(sym, ksym->name, KSYM_NAME_LEN); *value = ksym->start; *type = BPF_SYM_ELF_TYPE; diff --git a/kernel/bpf/log.c b/kernel/bpf/log.c index 2a243cf37c60..4bd8f17a9f24 100644 --- a/kernel/bpf/log.c +++ b/kernel/bpf/log.c @@ -467,9 +467,9 @@ const char *reg_type_str(struct bpf_verifier_env *env, enum bpf_reg_type type) if (type & PTR_MAYBE_NULL) { if (base_type(type) == PTR_TO_BTF_ID) - strncpy(postfix, "or_null_", 16); + strscpy(postfix, "or_null_"); else - strncpy(postfix, "_or_null", 16); + strscpy(postfix, "_or_null"); } snprintf(prefix, sizeof(prefix), "%s%s%s%s%s%s%s",
strncpy() is deprecated for use on NUL-terminated destination strings [1] and as such we should prefer more robust and less ambiguous string interfaces. bpf sym names get looked up and compared/cleaned with various string apis. This suggests they need to be NUL-terminated (strncpy() suggests this but does not guarantee it). | static int compare_symbol_name(const char *name, char *namebuf) | { | cleanup_symbol_name(namebuf); | return strcmp(name, namebuf); | } | static void cleanup_symbol_name(char *s) | { | ... | res = strstr(s, ".llvm."); | ... | } Use strscpy() as this method guarantees NUL-termination on the destination buffer. This patch also replaces two uses of strncpy() used in log.c. These are simple replacements as postfix has been zero-initialized on the stack and has source arguments with a size less than the destination's size. Note that this patch uses the new 2-argument version of strscpy introduced in Commit e6584c3964f2f ("string: Allow 2-argument strscpy()"). Link: https://www.kernel.org/doc/html/latest/process/deprecated.html#strncpy-on-nul-terminated-strings [1] Link: https://manpages.debian.org/testing/linux-manual-4.8/strscpy.9.en.html [2] Link: https://github.com/KSPP/linux/issues/90 Cc: linux-hardening@vger.kernel.org Signed-off-by: Justin Stitt <justinstitt@google.com> --- Note: build-tested only. Found with: $ rg "strncpy\(" --- kernel/bpf/core.c | 4 ++-- kernel/bpf/log.c | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) --- base-commit: 026e680b0a08a62b1d948e5a8ca78700bfac0e6e change-id: 20240402-strncpy-kernel-bpf-core-c-4d8297f95e18 Best regards, -- Justin Stitt <justinstitt@google.com>