Re: [PATCH] drivers/soc: Remove all strcpy() uses in favor of strscpy()

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 2021-07-28 09:36, David Laight wrote:
From: Geert Uytterhoeven
Sent: 26 July 2021 09:03

Hi Len,

On Sun, Jul 25, 2021 at 5:15 PM Len Baker <len.baker@xxxxxxx> wrote:
strcpy() performs no bounds checking on the destination buffer. This
could result in linear overflows beyond the end of the buffer, leading
to all kinds of misbehaviors. The safe replacement is strscpy().

Signed-off-by: Len Baker <len.baker@xxxxxxx>

Thanks for your patch!

---
This is a task of the KSPP [1]

[1] https://github.com/KSPP/linux/issues/88

Any chance the almost one year old question in that ticket can be
answered?

  drivers/soc/renesas/rcar-sysc.c     |  6 ++++--

Reviewed-by: Geert Uytterhoeven <geert+renesas@xxxxxxxxx>

But please see my comments below...

--- a/drivers/soc/renesas/r8a779a0-sysc.c
+++ b/drivers/soc/renesas/r8a779a0-sysc.c
@@ -404,19 +404,21 @@ static int __init r8a779a0_sysc_pd_init(void)
         for (i = 0; i < info->num_areas; i++) {
                 const struct r8a779a0_sysc_area *area = &info->areas[i];
                 struct r8a779a0_sysc_pd *pd;
+               size_t area_name_size;

I wouldn't mind a shorter name, like "n".


                 if (!area->name) {
                         /* Skip NULLified area */
                         continue;
                 }

-               pd = kzalloc(sizeof(*pd) + strlen(area->name) + 1, GFP_KERNEL);
+               area_name_size = strlen(area->name) + 1;
+               pd = kzalloc(sizeof(*pd) + area_name_size, GFP_KERNEL);
                 if (!pd) {
                         error = -ENOMEM;
                         goto out_put;
                 }

-               strcpy(pd->name, area->name);
+               strscpy(pd->name, area->name, area_name_size);

You can just use memcpy().

Indeed. In fact I'd go as far as saying that it might be worth teaching static checkers to recognise patterns that boil down to strscpy(dst, src, strlen(src) + 1) and flag them as suspect, because AFAICS that would always represent either an unnecessarily elaborate memcpy(), or far worse just an obfuscated strcpy().

Robin.



[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [Linux for Sparc]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux