| Message ID | 20190412090552.26925-1-colin.king@canonical.com (mailing list archive) |
|---|---|
| State | Superseded |
| Headers | show |
| Series | scsi: qedf: replace memset/memcpy with safer strscpy | expand |
I send a similar fix earlier, but it seems not be picked. https://patchwork.kernel.org/patch/10874565/ On 2019/4/12 17:05, Colin King wrote: > From: Colin Ian King <colin.king@canonical.com> > > Currently the qedf_dbg_* family of functions can overrun the end > of the source string if it is less than the destination buffer > length because of the use of a fixed sized memcpy. Replace the > memset/memcpy calls with the safer strscpy as this won't overrun > the end of the source string and it ensures the destination > string is always terminated with NUL. > > Addresses-Coverity: ("Out-of-bounds access") > Fixes: 61d8658b4a43 ("scsi: qedf: Add QLogic FastLinQ offload FCoE driver framework.") > Signed-off-by: Colin Ian King <colin.king@canonical.com> > --- > drivers/scsi/qedf/qedf_dbg.c | 12 ++++-------- > 1 file changed, 4 insertions(+), 8 deletions(-) > > diff --git a/drivers/scsi/qedf/qedf_dbg.c b/drivers/scsi/qedf/qedf_dbg.c > index f2397ee9ba69..b491bebeaca9 100644 > --- a/drivers/scsi/qedf/qedf_dbg.c > +++ b/drivers/scsi/qedf/qedf_dbg.c > @@ -17,8 +17,7 @@ qedf_dbg_err(struct qedf_dbg_ctx *qedf, const char *func, u32 line, > struct va_format vaf; > char nfunc[32]; > > - memset(nfunc, 0, sizeof(nfunc)); > - memcpy(nfunc, func, sizeof(nfunc) - 1); > + strscpy(nfunc, func, sizeof(nfunc)); > > va_start(va, fmt); > > @@ -42,8 +41,7 @@ qedf_dbg_warn(struct qedf_dbg_ctx *qedf, const char *func, u32 line, > struct va_format vaf; > char nfunc[32]; > > - memset(nfunc, 0, sizeof(nfunc)); > - memcpy(nfunc, func, sizeof(nfunc) - 1); > + strscpy(nfunc, func, sizeof(nfunc)); > > va_start(va, fmt); > > @@ -71,8 +69,7 @@ qedf_dbg_notice(struct qedf_dbg_ctx *qedf, const char *func, u32 line, > struct va_format vaf; > char nfunc[32]; > > - memset(nfunc, 0, sizeof(nfunc)); > - memcpy(nfunc, func, sizeof(nfunc) - 1); > + strscpy(nfunc, func, sizeof(nfunc)); > > va_start(va, fmt); > > @@ -101,8 +98,7 @@ qedf_dbg_info(struct qedf_dbg_ctx *qedf, const char *func, u32 line, > struct va_format vaf; > char nfunc[32]; > > - memset(nfunc, 0, sizeof(nfunc)); > - memcpy(nfunc, func, sizeof(nfunc) - 1); > + strscpy(nfunc, func, sizeof(nfunc)); > > va_start(va, fmt); > >
On 12/04/2019 10:20, YueHaibing wrote: > > I send a similar fix earlier, but it seems not be picked. It would be useful to get a fix for this applied as I'm seeing many multiple of reports of this issue with Coverity and it is a relatively simple fix. Colin > > https://patchwork.kernel.org/patch/10874565/ > > On 2019/4/12 17:05, Colin King wrote: >> From: Colin Ian King <colin.king@canonical.com> >> >> Currently the qedf_dbg_* family of functions can overrun the end >> of the source string if it is less than the destination buffer >> length because of the use of a fixed sized memcpy. Replace the >> memset/memcpy calls with the safer strscpy as this won't overrun >> the end of the source string and it ensures the destination >> string is always terminated with NUL. >> >> Addresses-Coverity: ("Out-of-bounds access") >> Fixes: 61d8658b4a43 ("scsi: qedf: Add QLogic FastLinQ offload FCoE driver framework.") >> Signed-off-by: Colin Ian King <colin.king@canonical.com> >> --- >> drivers/scsi/qedf/qedf_dbg.c | 12 ++++-------- >> 1 file changed, 4 insertions(+), 8 deletions(-) >> >> diff --git a/drivers/scsi/qedf/qedf_dbg.c b/drivers/scsi/qedf/qedf_dbg.c >> index f2397ee9ba69..b491bebeaca9 100644 >> --- a/drivers/scsi/qedf/qedf_dbg.c >> +++ b/drivers/scsi/qedf/qedf_dbg.c >> @@ -17,8 +17,7 @@ qedf_dbg_err(struct qedf_dbg_ctx *qedf, const char *func, u32 line, >> struct va_format vaf; >> char nfunc[32]; >> >> - memset(nfunc, 0, sizeof(nfunc)); >> - memcpy(nfunc, func, sizeof(nfunc) - 1); >> + strscpy(nfunc, func, sizeof(nfunc)); >> >> va_start(va, fmt); >> >> @@ -42,8 +41,7 @@ qedf_dbg_warn(struct qedf_dbg_ctx *qedf, const char *func, u32 line, >> struct va_format vaf; >> char nfunc[32]; >> >> - memset(nfunc, 0, sizeof(nfunc)); >> - memcpy(nfunc, func, sizeof(nfunc) - 1); >> + strscpy(nfunc, func, sizeof(nfunc)); >> >> va_start(va, fmt); >> >> @@ -71,8 +69,7 @@ qedf_dbg_notice(struct qedf_dbg_ctx *qedf, const char *func, u32 line, >> struct va_format vaf; >> char nfunc[32]; >> >> - memset(nfunc, 0, sizeof(nfunc)); >> - memcpy(nfunc, func, sizeof(nfunc) - 1); >> + strscpy(nfunc, func, sizeof(nfunc)); >> >> va_start(va, fmt); >> >> @@ -101,8 +98,7 @@ qedf_dbg_info(struct qedf_dbg_ctx *qedf, const char *func, u32 line, >> struct va_format vaf; >> char nfunc[32]; >> >> - memset(nfunc, 0, sizeof(nfunc)); >> - memcpy(nfunc, func, sizeof(nfunc) - 1); >> + strscpy(nfunc, func, sizeof(nfunc)); >> >> va_start(va, fmt); >> >> >
On 12/04/2019 11.05, Colin King wrote: > From: Colin Ian King <colin.king@canonical.com> > > Currently the qedf_dbg_* family of functions can overrun the end > of the source string if it is less than the destination buffer > length because of the use of a fixed sized memcpy. Replace the > memset/memcpy calls with the safer strscpy as this won't overrun > the end of the source string and it ensures the destination > string is always terminated with NUL. > > Addresses-Coverity: ("Out-of-bounds access") > Fixes: 61d8658b4a43 ("scsi: qedf: Add QLogic FastLinQ offload FCoE driver framework.") > Signed-off-by: Colin Ian King <colin.king@canonical.com> > --- > drivers/scsi/qedf/qedf_dbg.c | 12 ++++-------- > 1 file changed, 4 insertions(+), 8 deletions(-) > > diff --git a/drivers/scsi/qedf/qedf_dbg.c b/drivers/scsi/qedf/qedf_dbg.c > index f2397ee9ba69..b491bebeaca9 100644 > --- a/drivers/scsi/qedf/qedf_dbg.c > +++ b/drivers/scsi/qedf/qedf_dbg.c > @@ -17,8 +17,7 @@ qedf_dbg_err(struct qedf_dbg_ctx *qedf, const char *func, u32 line, > struct va_format vaf; > char nfunc[32]; > > - memset(nfunc, 0, sizeof(nfunc)); > - memcpy(nfunc, func, sizeof(nfunc) - 1); > + strscpy(nfunc, func, sizeof(nfunc)); Why not drop the pointless nfunc and stack copying and just pass func as the %s parameter; these are only called via macros that pass __func__ as the func argument, and that is always a proper nul-terminated string. Rasmus
diff --git a/drivers/scsi/qedf/qedf_dbg.c b/drivers/scsi/qedf/qedf_dbg.c index f2397ee9ba69..b491bebeaca9 100644 --- a/drivers/scsi/qedf/qedf_dbg.c +++ b/drivers/scsi/qedf/qedf_dbg.c @@ -17,8 +17,7 @@ qedf_dbg_err(struct qedf_dbg_ctx *qedf, const char *func, u32 line, struct va_format vaf; char nfunc[32]; - memset(nfunc, 0, sizeof(nfunc)); - memcpy(nfunc, func, sizeof(nfunc) - 1); + strscpy(nfunc, func, sizeof(nfunc)); va_start(va, fmt); @@ -42,8 +41,7 @@ qedf_dbg_warn(struct qedf_dbg_ctx *qedf, const char *func, u32 line, struct va_format vaf; char nfunc[32]; - memset(nfunc, 0, sizeof(nfunc)); - memcpy(nfunc, func, sizeof(nfunc) - 1); + strscpy(nfunc, func, sizeof(nfunc)); va_start(va, fmt); @@ -71,8 +69,7 @@ qedf_dbg_notice(struct qedf_dbg_ctx *qedf, const char *func, u32 line, struct va_format vaf; char nfunc[32]; - memset(nfunc, 0, sizeof(nfunc)); - memcpy(nfunc, func, sizeof(nfunc) - 1); + strscpy(nfunc, func, sizeof(nfunc)); va_start(va, fmt); @@ -101,8 +98,7 @@ qedf_dbg_info(struct qedf_dbg_ctx *qedf, const char *func, u32 line, struct va_format vaf; char nfunc[32]; - memset(nfunc, 0, sizeof(nfunc)); - memcpy(nfunc, func, sizeof(nfunc) - 1); + strscpy(nfunc, func, sizeof(nfunc)); va_start(va, fmt);