| Message ID | 202301091939219689840@zte.com.cn (mailing list archive) |
|---|---|
| State | Rejected |
| Headers | show |
| Series | [linux-next] tracing: use strscpy() to instead of strncpy() | expand |
On Mon, 9 Jan 2023 19:39:21 +0800 (CST) <yang.yang29@zte.com.cn> wrote: > From: Xu Panda <xu.panda@zte.com.cn> > > The implementation of strscpy() is more robust and safer. > That's now the recommended way to copy NUL-terminated strings. This looks good to me. Acked-by: Masami Hiramatsu (Google) <mhiramat@kernel.org> Thank you, > > Signed-off-by: Xu Panda <xu.panda@zte.com.cn> > Signed-off-by: Yang Yang <yang.yang29@zte.com.cn> > --- > kernel/trace/trace_events_synth.c | 3 +-- > 1 file changed, 1 insertion(+), 2 deletions(-) > > diff --git a/kernel/trace/trace_events_synth.c b/kernel/trace/trace_events_synth.c > index 67592eed0be8..cd636edd045e 100644 > --- a/kernel/trace/trace_events_synth.c > +++ b/kernel/trace/trace_events_synth.c > @@ -195,8 +195,7 @@ static int synth_field_string_size(char *type) > if (len == 0) > return 0; /* variable-length string */ > > - strncpy(buf, start, len); > - buf[len] = '\0'; > + strscpy(buf, start, len + 1); > > err = kstrtouint(buf, 0, &size); > if (err) > -- > 2.15.2
On Mon, 9 Jan 2023 19:39:21 +0800 (CST) <yang.yang29@zte.com.cn> wrote: > From: Xu Panda <xu.panda@zte.com.cn> > > The implementation of strscpy() is more robust and safer. > That's now the recommended way to copy NUL-terminated strings. But the string being copied is *not* NUL-terminated! And this change causes a bug. This is the 3rd patch I've seen that blindly converts strncpy() to strscpy() and causes a bug in doing so. Not very safe if you ask me. > > Signed-off-by: Xu Panda <xu.panda@zte.com.cn> > Signed-off-by: Yang Yang <yang.yang29@zte.com.cn> > --- > kernel/trace/trace_events_synth.c | 3 +-- > 1 file changed, 1 insertion(+), 2 deletions(-) > > diff --git a/kernel/trace/trace_events_synth.c b/kernel/trace/trace_events_synth.c > index 67592eed0be8..cd636edd045e 100644 > --- a/kernel/trace/trace_events_synth.c > +++ b/kernel/trace/trace_events_synth.c > @@ -195,8 +195,7 @@ static int synth_field_string_size(char *type) > if (len == 0) > return 0; /* variable-length string */ > > - strncpy(buf, start, len); > - buf[len] = '\0'; > + strscpy(buf, start, len + 1); > > err = kstrtouint(buf, 0, &size); > if (err) Here's the code being affected: static int synth_field_string_size(char *type) { char buf[4], *end, *start; unsigned int len; int size, err; start = strstr(type, "char["); if (start == NULL) return -EINVAL; start += sizeof("char[") - 1; end = strchr(type, ']'); if (!end || end < start || type + strlen(type) > end + 1) return -EINVAL; len = end - start; if (len > 3) return -EINVAL; if (len == 0) return 0; /* variable-length string */ strncpy(buf, start, len); buf[len] = '\0'; And you are replacing the above two lines with just: strscpy(buf, start, len + 1); If you noticed, the string being placed into buf is: "char[123]" Where we want to copy that "123" into buf. strscpy() expects the source to be nul terminated, or it will return -E2BIG. So the above will *always* return -E2BIG *and* not end buf[] with '\0' as if strscpy() returns -E2BIG, then buf[] is not guaranteed to be NUL-terminated. NACK! -- Steve
Hi Steve, Can we revisit this patch? see below. On Tue, Jan 24, 2023 at 12:17:03PM GMT, Steven Rostedt wrote: > On Mon, 9 Jan 2023 19:39:21 +0800 (CST) > <yang.yang29@zte.com.cn> wrote: > > > From: Xu Panda <xu.panda@zte.com.cn> > > > > The implementation of strscpy() is more robust and safer. > > That's now the recommended way to copy NUL-terminated strings. > > But the string being copied is *not* NUL-terminated! And this change causes > a bug. > > This is the 3rd patch I've seen that blindly converts strncpy() to > strscpy() and causes a bug in doing so. Not very safe if you ask me. > > > > > Signed-off-by: Xu Panda <xu.panda@zte.com.cn> > > Signed-off-by: Yang Yang <yang.yang29@zte.com.cn> > > --- > > kernel/trace/trace_events_synth.c | 3 +-- > > 1 file changed, 1 insertion(+), 2 deletions(-) > > > > diff --git a/kernel/trace/trace_events_synth.c b/kernel/trace/trace_events_synth.c > > index 67592eed0be8..cd636edd045e 100644 > > --- a/kernel/trace/trace_events_synth.c > > +++ b/kernel/trace/trace_events_synth.c > > @@ -195,8 +195,7 @@ static int synth_field_string_size(char *type) > > if (len == 0) > > return 0; /* variable-length string */ > > > > - strncpy(buf, start, len); > > - buf[len] = '\0'; > > + strscpy(buf, start, len + 1); > > > > err = kstrtouint(buf, 0, &size); > > if (err) > > > Here's the code being affected: > > static int synth_field_string_size(char *type) > { > char buf[4], *end, *start; > unsigned int len; > int size, err; > > start = strstr(type, "char["); > if (start == NULL) > return -EINVAL; > start += sizeof("char[") - 1; > > end = strchr(type, ']'); > if (!end || end < start || type + strlen(type) > end + 1) > return -EINVAL; > > len = end - start; > if (len > 3) > return -EINVAL; > > if (len == 0) > return 0; /* variable-length string */ > > strncpy(buf, start, len); > buf[len] = '\0'; > > And you are replacing the above two lines with just: > > strscpy(buf, start, len + 1); > > > If you noticed, the string being placed into buf is: > > "char[123]" > > Where we want to copy that "123" into buf. > > strscpy() expects the source to be nul terminated, or it will return -E2BIG. > > So the above will *always* return -E2BIG *and* not end buf[] with '\0' as > if strscpy() returns -E2BIG, then buf[] is not guaranteed to be > NUL-terminated. @buf should still be NUL-terminated while returning -E2BIG in this instance. For context, here's the implementation of strscpy(): ... /* Hit buffer length without finding a NUL; force NUL-termination. */ if (res) dest[res-1] = '\0'; return -E2BIG; ... and the only other spot where we can return E2BIG is way earlier in the function where we check the count. if (count == 0 || WARN_ON_ONCE(count > INT_MAX)) return -E2BIG; So it seems we should be NUL-terminating @buf in all cases, considering count is greater than 0 and certainly not larger than INT_MAX. And, with the `len + 1` we shouldn't be seeing any data loss either. > > NACK! > > -- Steve > I'm keen on replacing this instance of strncpy towards the goal of [1]. If we don't want to use strscpy() I think memcpy() is another viable alternative (of course leaving the manual NUL-byte assignment as-is). [1]: https://github.com/KSPP/linux/issues/90 Thanks Justin
diff --git a/kernel/trace/trace_events_synth.c b/kernel/trace/trace_events_synth.c index 67592eed0be8..cd636edd045e 100644 --- a/kernel/trace/trace_events_synth.c +++ b/kernel/trace/trace_events_synth.c @@ -195,8 +195,7 @@ static int synth_field_string_size(char *type) if (len == 0) return 0; /* variable-length string */ - strncpy(buf, start, len); - buf[len] = '\0'; + strscpy(buf, start, len + 1); err = kstrtouint(buf, 0, &size); if (err)