Re: [PATCH] drivers/soc: Remove all strcpy() uses in favor of strscpy()

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Hi Len,

On Sun, Jul 25, 2021 at 5:15 PM Len Baker <len.baker@xxxxxxx> wrote:
> strcpy() performs no bounds checking on the destination buffer. This
> could result in linear overflows beyond the end of the buffer, leading
> to all kinds of misbehaviors. The safe replacement is strscpy().
>
> Signed-off-by: Len Baker <len.baker@xxxxxxx>

Thanks for your patch!

> ---
> This is a task of the KSPP [1]
>
> [1] https://github.com/KSPP/linux/issues/88

Any chance the almost one year old question in that ticket can be
answered?

>  drivers/soc/renesas/rcar-sysc.c     |  6 ++++--

Reviewed-by: Geert Uytterhoeven <geert+renesas@xxxxxxxxx>

But please see my comments below...

> --- a/drivers/soc/renesas/r8a779a0-sysc.c
> +++ b/drivers/soc/renesas/r8a779a0-sysc.c
> @@ -404,19 +404,21 @@ static int __init r8a779a0_sysc_pd_init(void)
>         for (i = 0; i < info->num_areas; i++) {
>                 const struct r8a779a0_sysc_area *area = &info->areas[i];
>                 struct r8a779a0_sysc_pd *pd;
> +               size_t area_name_size;

I wouldn't mind a shorter name, like "n".

>
>                 if (!area->name) {
>                         /* Skip NULLified area */
>                         continue;
>                 }
>
> -               pd = kzalloc(sizeof(*pd) + strlen(area->name) + 1, GFP_KERNEL);
> +               area_name_size = strlen(area->name) + 1;
> +               pd = kzalloc(sizeof(*pd) + area_name_size, GFP_KERNEL);
>                 if (!pd) {
>                         error = -ENOMEM;
>                         goto out_put;
>                 }
>
> -               strcpy(pd->name, area->name);
> +               strscpy(pd->name, area->name, area_name_size);
>                 pd->genpd.name = pd->name;
>                 pd->pdr = area->pdr;
>                 pd->flags = area->flags;
> diff --git a/drivers/soc/renesas/rcar-sysc.c b/drivers/soc/renesas/rcar-sysc.c
> index 53387a72ca00..0eae5ce0eeb0 100644
> --- a/drivers/soc/renesas/rcar-sysc.c
> +++ b/drivers/soc/renesas/rcar-sysc.c
> @@ -396,19 +396,21 @@ static int __init rcar_sysc_pd_init(void)
>         for (i = 0; i < info->num_areas; i++) {
>                 const struct rcar_sysc_area *area = &info->areas[i];
>                 struct rcar_sysc_pd *pd;
> +               size_t area_name_size;

Likewise.

>
>                 if (!area->name) {
>                         /* Skip NULLified area */
>                         continue;
>                 }
>
> -               pd = kzalloc(sizeof(*pd) + strlen(area->name) + 1, GFP_KERNEL);
> +               area_name_size = strlen(area->name) + 1;
> +               pd = kzalloc(sizeof(*pd) + area_name_size, GFP_KERNEL);
>                 if (!pd) {
>                         error = -ENOMEM;
>                         goto out_put;
>                 }
>
> -               strcpy(pd->name, area->name);
> +               strscpy(pd->name, area->name, area_name_size);
>                 pd->genpd.name = pd->name;
>                 pd->ch.chan_offs = area->chan_offs;
>                 pd->ch.chan_bit = area->chan_bit;

Gr{oetje,eeting}s,

                        Geert

-- 
Geert Uytterhoeven -- There's lots of Linux beyond ia32 -- geert@xxxxxxxxxxxxxx

In personal conversations with technical people, I call myself a hacker. But
when I'm talking to journalists I just say "programmer" or something like that.
                                -- Linus Torvalds



[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [Linux for Sparc]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux