Re: [PATCH v2] Updating a vulnerable use of strcpy.

"Rafael J. Wysocki" <rafael@xxxxxxxxxx> · Mon, 1 Jul 2024 20:10:51 +0200

In what way exactly is it vulnerable?

Both ACPI_VIDEO_DEVICE_NAME and ACPI_VIDEO_CLASS are kernel symbols.

On Sun, Jun 30, 2024 at 7:36 PM Muhammad Qasim Abdul Majeed
<qasim.majeed20@xxxxxxxxx> wrote:
>
> Replacing strcpy with strscpy and memory bound the copy.
>
> Signed-off-by: Muhammad Qasim Abdul Majeed <qasim.majeed20@xxxxxxxxx>
> ---
>  drivers/acpi/acpi_video.c | 8 ++++----
>  1 file changed, 4 insertions(+), 4 deletions(-)
>
> diff --git a/drivers/acpi/acpi_video.c b/drivers/acpi/acpi_video.c
> index 1fda30388297..6113baffd53f 100644
> --- a/drivers/acpi/acpi_video.c
> +++ b/drivers/acpi/acpi_video.c
> @@ -1128,8 +1128,8 @@ static int acpi_video_bus_get_one_device(struct acpi_device *device, void *arg)
>                 return -ENOMEM;
>         }
>
> -       strcpy(acpi_device_name(device), ACPI_VIDEO_DEVICE_NAME);
> -       strcpy(acpi_device_class(device), ACPI_VIDEO_CLASS);
> +       strscpy(acpi_device_name(device), ACPI_VIDEO_DEVICE_NAME, strlen(ACPI_VIDEO_DEVICE_NAME));
> +       strscpy(acpi_device_class(device), ACPI_VIDEO_CLASS, strlen(ACPI_VIDEO_CLASS));

Why is a runtime check needed here if all of the sizes in question are
known at compile time?

>
>         data->device_id = device_id;
>         data->video = video;
> @@ -2010,8 +2010,8 @@ static int acpi_video_bus_add(struct acpi_device *device)
>         }
>
>         video->device = device;
> -       strcpy(acpi_device_name(device), ACPI_VIDEO_BUS_NAME);
> -       strcpy(acpi_device_class(device), ACPI_VIDEO_CLASS);
> +       strscpy(acpi_device_name(device), ACPI_VIDEO_BUS_NAME, strlen(ACPI_VIDEO_BUS_NAME));
> +       strscpy(acpi_device_class(device), ACPI_VIDEO_CLASS, strlen(ACPI_VIDEO_CLASS));
>         device->driver_data = video;
>
>         acpi_video_bus_find_cap(video);
> --