[rdma-next] RDMA/iwcm: fix string truncation error

Commit Message

Leon Romanovsky Feb. 19, 2019, 11:09 a.m. UTC

From: Leon Romanovsky <leonro@mellanox.com>

The strlen() check at the beginning of iw_cm_map() ensures that devname
and ifname strings are less than destinations to which they are supposed
to be copied. Change strncpy() call to be strcpy(), because we are
protected from overflow.

This fix the compilation warning below:

In file included from ./include/linux/dma-mapping.h:6,
                 from drivers/infiniband/core/iwcm.c:38:
In function _strncpy_,
    inlined from _iw_cm_map_ at drivers/infiniband/core/iwcm.c:519:2:
./include/linux/string.h:253:9: warning: ___builtin_strncpy_ specified
bound 32 equals destination size [-Wstringop-truncation]
  return __builtin_strncpy(p, q, size);
         ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Fixes: d53ec8af56d5 ("RDMA/iwcm: Don't copy past the end of dev_name() string")
Signed-off-by: Leon Romanovsky <leonro@mellanox.com>
---
 drivers/infiniband/core/iwcm.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

Comments

Jason Gunthorpe Feb. 19, 2019, 10:18 p.m. UTC | #1

On Tue, Feb 19, 2019 at 01:09:57PM +0200, Leon Romanovsky wrote:
> From: Leon Romanovsky <leonro@mellanox.com>
> 
> The strlen() check at the beginning of iw_cm_map() ensures that devname
> and ifname strings are less than destinations to which they are supposed
> to be copied. Change strncpy() call to be strcpy(), because we are
> protected from overflow.
> 
> This fix the compilation warning below:
> 
> In file included from ./include/linux/dma-mapping.h:6,
>                  from drivers/infiniband/core/iwcm.c:38:
> In function _strncpy_,
>     inlined from _iw_cm_map_ at drivers/infiniband/core/iwcm.c:519:2:
> ./include/linux/string.h:253:9: warning: ___builtin_strncpy_ specified
> bound 32 equals destination size [-Wstringop-truncation]
>   return __builtin_strncpy(p, q, size);
>          ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> 
> Fixes: d53ec8af56d5 ("RDMA/iwcm: Don't copy past the end of dev_name() string")
> Signed-off-by: Leon Romanovsky <leonro@mellanox.com>
>  drivers/infiniband/core/iwcm.c | 6 +++---
>  1 file changed, 3 insertions(+), 3 deletions(-)
> diff --git a/drivers/infiniband/core/iwcm.c b/drivers/infiniband/core/iwcm.c
> index 350ea2bab78a..732637c913d9 100644
> +++ b/drivers/infiniband/core/iwcm.c
> @@ -505,7 +505,7 @@ static int iw_cm_map(struct iw_cm_id *cm_id, bool active)
>  {
>  	const char *devname = dev_name(&cm_id->device->dev);
>  	const char *ifname = cm_id->device->iwcm->ifname;
> -	struct iwpm_dev_data pm_reg_msg;
> +	struct iwpm_dev_data pm_reg_msg = {};

Huh. This looks like a kernel stack data leak fix? The arrays in that
struct are passed to ibl_put_attr at least.

Lets remark about that in the commit message.

Applied to for-next

Jason

Leon Romanovsky Feb. 20, 2019, 6:50 a.m. UTC | #2

On Tue, Feb 19, 2019 at 03:18:37PM -0700, Jason Gunthorpe wrote:
> On Tue, Feb 19, 2019 at 01:09:57PM +0200, Leon Romanovsky wrote:
> > From: Leon Romanovsky <leonro@mellanox.com>
> >
> > The strlen() check at the beginning of iw_cm_map() ensures that devname
> > and ifname strings are less than destinations to which they are supposed
> > to be copied. Change strncpy() call to be strcpy(), because we are
> > protected from overflow.
> >
> > This fix the compilation warning below:
> >
> > In file included from ./include/linux/dma-mapping.h:6,
> >                  from drivers/infiniband/core/iwcm.c:38:
> > In function _strncpy_,
> >     inlined from _iw_cm_map_ at drivers/infiniband/core/iwcm.c:519:2:
> > ./include/linux/string.h:253:9: warning: ___builtin_strncpy_ specified
> > bound 32 equals destination size [-Wstringop-truncation]
> >   return __builtin_strncpy(p, q, size);
> >          ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> >
> > Fixes: d53ec8af56d5 ("RDMA/iwcm: Don't copy past the end of dev_name() string")
> > Signed-off-by: Leon Romanovsky <leonro@mellanox.com>
> >  drivers/infiniband/core/iwcm.c | 6 +++---
> >  1 file changed, 3 insertions(+), 3 deletions(-)
> > diff --git a/drivers/infiniband/core/iwcm.c b/drivers/infiniband/core/iwcm.c
> > index 350ea2bab78a..732637c913d9 100644
> > +++ b/drivers/infiniband/core/iwcm.c
> > @@ -505,7 +505,7 @@ static int iw_cm_map(struct iw_cm_id *cm_id, bool active)
> >  {
> >  	const char *devname = dev_name(&cm_id->device->dev);
> >  	const char *ifname = cm_id->device->iwcm->ifname;
> > -	struct iwpm_dev_data pm_reg_msg;
> > +	struct iwpm_dev_data pm_reg_msg = {};
>
> Huh. This looks like a kernel stack data leak fix? The arrays in that
> struct are passed to ibl_put_attr at least.

I'm not sure about that, because those arrays are NULL-terminated, but I
didn't invest time to look it more closely.

>
> Lets remark about that in the commit message.
>
> Applied to for-next
>
> Jason

Patch

diff --git a/drivers/infiniband/core/iwcm.c b/drivers/infiniband/core/iwcm.c
index 350ea2bab78a..732637c913d9 100644
--- a/drivers/infiniband/core/iwcm.c
+++ b/drivers/infiniband/core/iwcm.c
@@ -505,7 +505,7 @@  static int iw_cm_map(struct iw_cm_id *cm_id, bool active)
 {
 	const char *devname = dev_name(&cm_id->device->dev);
 	const char *ifname = cm_id->device->iwcm->ifname;
-	struct iwpm_dev_data pm_reg_msg;
+	struct iwpm_dev_data pm_reg_msg = {};
 	struct iwpm_sa_data pm_msg;
 	int status;
 
@@ -516,8 +516,8 @@  static int iw_cm_map(struct iw_cm_id *cm_id, bool active)
 	cm_id->m_local_addr = cm_id->local_addr;
 	cm_id->m_remote_addr = cm_id->remote_addr;
 
-	strncpy(pm_reg_msg.dev_name, devname, sizeof(pm_reg_msg.dev_name));
-	strncpy(pm_reg_msg.if_name, ifname, sizeof(pm_reg_msg.if_name));
+	strcpy(pm_reg_msg.dev_name, devname);
+	strcpy(pm_reg_msg.if_name, ifname);
 
 	if (iwpm_register_pid(&pm_reg_msg, RDMA_NL_IWCM) ||
 	    !iwpm_valid_pid())