Message ID | 20230831140104.207019-1-azeemshaikh38@gmail.com (mailing list archive) |
---|---|
State | Mainlined |
Commit | 6cd59324c69a8d30956c70a870dcd0cb14977914 |
Headers | show |
Series | [v4] kobject: Replace strlcpy with strscpy | expand |
On Thu, Aug 31, 2023 at 02:01:04PM +0000, Azeem Shaikh wrote: > strlcpy() reads the entire source buffer first. > This read may exceed the destination size limit. > This is both inefficient and can lead to linear read > overflows if a source string is not NUL-terminated [1]. > In an effort to remove strlcpy() completely [2], replace > strlcpy() here with strscpy(). > > Direct replacement is safe here since return value of -errno > is used to check for truncation instead of sizeof(dest). > > [1] https://www.kernel.org/doc/html/latest/process/deprecated.html#strlcpy > [2] https://github.com/KSPP/linux/issues/89 > > Signed-off-by: Azeem Shaikh <azeemshaikh38@gmail.com> Reviewed-by: Kees Cook <keescook@chromium.org>
On Thu, 31 Aug 2023 14:01:04 +0000, Azeem Shaikh wrote: > strlcpy() reads the entire source buffer first. > This read may exceed the destination size limit. > This is both inefficient and can lead to linear read > overflows if a source string is not NUL-terminated [1]. > In an effort to remove strlcpy() completely [2], replace > strlcpy() here with strscpy(). > > [...] Applied to for-next/hardening, thanks! [1/1] kobject: Replace strlcpy with strscpy https://git.kernel.org/kees/c/68a39dfd6f94 Take care,
diff --git a/lib/kobject_uevent.c b/lib/kobject_uevent.c index 7c44b7ae4c5c..fb9a2f06dd1e 100644 --- a/lib/kobject_uevent.c +++ b/lib/kobject_uevent.c @@ -254,10 +254,10 @@ static int init_uevent_argv(struct kobj_uevent_env *env, const char *subsystem) int buffer_size = sizeof(env->buf) - env->buflen; int len; - len = strlcpy(&env->buf[env->buflen], subsystem, buffer_size); - if (len >= buffer_size) { - pr_warn("init_uevent_argv: buffer size of %d too small, needed %d\n", - buffer_size, len); + len = strscpy(&env->buf[env->buflen], subsystem, buffer_size); + if (len < 0) { + pr_warn("%s: insufficient buffer space (%u left) for %s\n", + __func__, buffer_size, subsystem); return -ENOMEM; }
strlcpy() reads the entire source buffer first. This read may exceed the destination size limit. This is both inefficient and can lead to linear read overflows if a source string is not NUL-terminated [1]. In an effort to remove strlcpy() completely [2], replace strlcpy() here with strscpy(). Direct replacement is safe here since return value of -errno is used to check for truncation instead of sizeof(dest). [1] https://www.kernel.org/doc/html/latest/process/deprecated.html#strlcpy [2] https://github.com/KSPP/linux/issues/89 Signed-off-by: Azeem Shaikh <azeemshaikh38@gmail.com> --- v4: * Fixes errors reported by checkpatch.pl v3: * Fixed weird indentation. * https://lore.kernel.org/all/20230830202021.4134348-1-azeemshaikh38@gmail.com/ v2: * Updated error message to remove @len which is errno now. * https://lore.kernel.org/all/20230830150136.3798414-1-azeemshaikh38@gmail.com/ v1: * https://lore.kernel.org/all/20230703180528.3709258-1-azeemshaikh38@gmail.com/ lib/kobject_uevent.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) -- 2.42.0.283.g2d96d420d3-goog