| Message ID | 20240318-strncpy-drivers-soc-qcom-cmd-db-c-v2-1-8f6ebf1bd891@google.com (mailing list archive) |
|---|---|
| State | Superseded |
| Headers | show |
| Series | [v2] soc: qcom: cmd-db: replace deprecated strncpy with strtomem | expand |
On Mon, Mar 18, 2024 at 10:49:23PM +0000, Justin Stitt wrote: > strncpy() is deprecated for use on NUL-terminated destination strings > [1] and as such we should prefer more robust and less ambiguous string > interfaces. > > @query is already marked as __nonstring and doesn't need to be > NUL-terminated. Since @id is a string, we can use the self-describing > string API strtomem(). > > Link: https://www.kernel.org/doc/html/latest/process/deprecated.html#strncpy-on-nul-terminated-strings [1] > Link: https://manpages.debian.org/testing/linux-manual-4.8/strscpy.9.en.html [2] > Link: https://github.com/KSPP/linux/issues/90 > Cc: linux-hardening@vger.kernel.org > Signed-off-by: Justin Stitt <justinstitt@google.com> Nice! A textbook use for strtomem(). :) Reviewed-by: Kees Cook <keescook@chromium.org>
On Mon, Mar 18, 2024 at 10:49:23PM +0000, Justin Stitt wrote: > strncpy() is deprecated for use on NUL-terminated destination strings > [1] and as such we should prefer more robust and less ambiguous string > interfaces. > I don't mind changing the strncpy() in this function, but I don't think this problem description adequately describes the problem you're solving. If the motivation is that we want 0 users of strncpy() in the kernel, then say so. > @query is already marked as __nonstring and doesn't need to be > NUL-terminated. You're not wrong, but in the event that strlen(id) < sizeof(ent->id) the destination should be NUL-padded - exactly one of the well known, normally unwanted, effects of strncpy(). strtomem() does explicitly not do this. > Since @id is a string, we can use the self-describing > string API strtomem(). "self-describing"? > > Link: https://www.kernel.org/doc/html/latest/process/deprecated.html#strncpy-on-nul-terminated-strings [1] > Link: https://manpages.debian.org/testing/linux-manual-4.8/strscpy.9.en.html [2] > Link: https://github.com/KSPP/linux/issues/90 > Cc: linux-hardening@vger.kernel.org > Signed-off-by: Justin Stitt <justinstitt@google.com> > --- > Changes in v2: > - use strtomem instead of memcpy (thanks Kees) > - Link to v1: https://lore.kernel.org/r/20240314-strncpy-drivers-soc-qcom-cmd-db-c-v1-1-70f5d5e70732@google.com > --- > Note: build-tested only. > > Found with: $ rg "strncpy\(" > --- > drivers/soc/qcom/cmd-db.c | 9 ++------- > 1 file changed, 2 insertions(+), 7 deletions(-) > > diff --git a/drivers/soc/qcom/cmd-db.c b/drivers/soc/qcom/cmd-db.c > index a5fd68411bed..d05f35d175bd 100644 > --- a/drivers/soc/qcom/cmd-db.c > +++ b/drivers/soc/qcom/cmd-db.c > @@ -141,18 +141,13 @@ static int cmd_db_get_header(const char *id, const struct entry_header **eh, > const struct rsc_hdr *rsc_hdr; > const struct entry_header *ent; > int ret, i, j; > - u8 query[sizeof(ent->id)] __nonstring; > + u8 query[sizeof(ent->id)] __nonstring = { 0 }; > > ret = cmd_db_ready(); > if (ret) > return ret; > > - /* > - * Pad out query string to same length as in DB. NOTE: the output > - * query string is not necessarily '\0' terminated if it bumps up > - * against the max size. That's OK and expected. > - */ > - strncpy(query, id, sizeof(query)); > + strtomem(query, id); query needs to be NUL-padded to sizeof(ent->id) bytes (like strncpy does), something you recognized by adding the zero-initialization above. But why split this requirement across two non-adjacent lines? Isn't this what strtomem_pad() is supposed to do? Regards, Bjorn > > for (i = 0; i < MAX_SLV_ID; i++) { > rsc_hdr = &cmd_db_header->header[i]; > > --- > base-commit: fe46a7dd189e25604716c03576d05ac8a5209743 > change-id: 20240314-strncpy-drivers-soc-qcom-cmd-db-c-284f3abaabb8 > > Best regards, > -- > Justin Stitt <justinstitt@google.com> >
Hi, On Mon, Mar 18, 2024 at 8:37 PM Bjorn Andersson <andersson@kernel.org> wrote: > > On Mon, Mar 18, 2024 at 10:49:23PM +0000, Justin Stitt wrote: > > strncpy() is deprecated for use on NUL-terminated destination strings > > [1] and as such we should prefer more robust and less ambiguous string > > interfaces. > > > > I don't mind changing the strncpy() in this function, but I don't think > this problem description adequately describes the problem you're > solving. > > If the motivation is that we want 0 users of strncpy() in the kernel, > then say so. Fair. You caught me in a bad case of "copy pasting this blurb into all my patches". You are right though, the true motivation here is to rid the kernel of strncpy. > > > @query is already marked as __nonstring and doesn't need to be > > NUL-terminated. > > You're not wrong, but in the event that strlen(id) < sizeof(ent->id) the > destination should be NUL-padded - exactly one of the well known, > normally unwanted, effects of strncpy(). strtomem() does explicitly not > do this. > > > Since @id is a string, we can use the self-describing > > string API strtomem(). > > "self-describing"? > In the sense that its name matches its functionality: strncpy === string to string copy, bounded by n strtomem === string to memory buffer strncpy technically does the latter functionality as well but it may not be obvious in all cases that the destination buffer is not a string. Granted, in this case, it is extremely obvious what the behavior is because query is marked nonstring. > > > > Link: https://www.kernel.org/doc/html/latest/process/deprecated.html#strncpy-on-nul-terminated-strings [1] > > Link: https://manpages.debian.org/testing/linux-manual-4.8/strscpy.9.en.html [2] > > Link: https://github.com/KSPP/linux/issues/90 > > Cc: linux-hardening@vger.kernel.org > > Signed-off-by: Justin Stitt <justinstitt@google.com> > > --- > > Changes in v2: > > - use strtomem instead of memcpy (thanks Kees) > > - Link to v1: https://lore.kernel.org/r/20240314-strncpy-drivers-soc-qcom-cmd-db-c-v1-1-70f5d5e70732@google.com > > --- > > Note: build-tested only. > > > > Found with: $ rg "strncpy\(" > > --- > > drivers/soc/qcom/cmd-db.c | 9 ++------- > > 1 file changed, 2 insertions(+), 7 deletions(-) > > > > diff --git a/drivers/soc/qcom/cmd-db.c b/drivers/soc/qcom/cmd-db.c > > index a5fd68411bed..d05f35d175bd 100644 > > --- a/drivers/soc/qcom/cmd-db.c > > +++ b/drivers/soc/qcom/cmd-db.c > > @@ -141,18 +141,13 @@ static int cmd_db_get_header(const char *id, const struct entry_header **eh, > > const struct rsc_hdr *rsc_hdr; > > const struct entry_header *ent; > > int ret, i, j; > > - u8 query[sizeof(ent->id)] __nonstring; > > + u8 query[sizeof(ent->id)] __nonstring = { 0 }; > > > > ret = cmd_db_ready(); > > if (ret) > > return ret; > > > > - /* > > - * Pad out query string to same length as in DB. NOTE: the output > > - * query string is not necessarily '\0' terminated if it bumps up > > - * against the max size. That's OK and expected. > > - */ > > - strncpy(query, id, sizeof(query)); > > + strtomem(query, id); > > query needs to be NUL-padded to sizeof(ent->id) bytes (like strncpy > does), something you recognized by adding the zero-initialization above. > But why split this requirement across two non-adjacent lines? Isn't this > what strtomem_pad() is supposed to do? Yes, strtomem_pad() will accomplish this task. I'll send a v3 fixing up the commit log and use the pad version. > > Regards, > Bjorn > > > > > for (i = 0; i < MAX_SLV_ID; i++) { > > rsc_hdr = &cmd_db_header->header[i]; > > > > --- > > base-commit: fe46a7dd189e25604716c03576d05ac8a5209743 > > change-id: 20240314-strncpy-drivers-soc-qcom-cmd-db-c-284f3abaabb8 > > > > Best regards, > > -- > > Justin Stitt <justinstitt@google.com> > > Thanks Justin
diff --git a/drivers/soc/qcom/cmd-db.c b/drivers/soc/qcom/cmd-db.c index a5fd68411bed..d05f35d175bd 100644 --- a/drivers/soc/qcom/cmd-db.c +++ b/drivers/soc/qcom/cmd-db.c @@ -141,18 +141,13 @@ static int cmd_db_get_header(const char *id, const struct entry_header **eh, const struct rsc_hdr *rsc_hdr; const struct entry_header *ent; int ret, i, j; - u8 query[sizeof(ent->id)] __nonstring; + u8 query[sizeof(ent->id)] __nonstring = { 0 }; ret = cmd_db_ready(); if (ret) return ret; - /* - * Pad out query string to same length as in DB. NOTE: the output - * query string is not necessarily '\0' terminated if it bumps up - * against the max size. That's OK and expected. - */ - strncpy(query, id, sizeof(query)); + strtomem(query, id); for (i = 0; i < MAX_SLV_ID; i++) { rsc_hdr = &cmd_db_header->header[i];
strncpy() is deprecated for use on NUL-terminated destination strings [1] and as such we should prefer more robust and less ambiguous string interfaces. @query is already marked as __nonstring and doesn't need to be NUL-terminated. Since @id is a string, we can use the self-describing string API strtomem(). Link: https://www.kernel.org/doc/html/latest/process/deprecated.html#strncpy-on-nul-terminated-strings [1] Link: https://manpages.debian.org/testing/linux-manual-4.8/strscpy.9.en.html [2] Link: https://github.com/KSPP/linux/issues/90 Cc: linux-hardening@vger.kernel.org Signed-off-by: Justin Stitt <justinstitt@google.com> --- Changes in v2: - use strtomem instead of memcpy (thanks Kees) - Link to v1: https://lore.kernel.org/r/20240314-strncpy-drivers-soc-qcom-cmd-db-c-v1-1-70f5d5e70732@google.com --- Note: build-tested only. Found with: $ rg "strncpy\(" --- drivers/soc/qcom/cmd-db.c | 9 ++------- 1 file changed, 2 insertions(+), 7 deletions(-) --- base-commit: fe46a7dd189e25604716c03576d05ac8a5209743 change-id: 20240314-strncpy-drivers-soc-qcom-cmd-db-c-284f3abaabb8 Best regards, -- Justin Stitt <justinstitt@google.com>