Hi all!
On 08/08/2021 14:50, Len Baker wrote:
> strcpy() performs no bounds checking on the destination buffer. This
> could result in linear overflows beyond the end of the buffer, leading
> to all kinds of misbehaviors. So, use memcpy() as a safe replacement.
>
> This is a previous step in the path to remove the strcpy() function
> entirely from the kernel.
>
> Signed-off-by: Len Baker <len.baker@xxxxxxx>
> ---
> drivers/soc/renesas/r8a779a0-sysc.c | 6 ++++--
> drivers/soc/renesas/rcar-sysc.c | 6 ++++--
> 2 files changed, 8 insertions(+), 4 deletions(-)
>
> diff --git a/drivers/soc/renesas/r8a779a0-sysc.c b/drivers/soc/renesas/r8a779a0-sysc.c
> index d464ffa1be33..7410b9fa9846 100644
> --- a/drivers/soc/renesas/r8a779a0-sysc.c
> +++ b/drivers/soc/renesas/r8a779a0-sysc.c
> @@ -404,19 +404,21 @@ static int __init r8a779a0_sysc_pd_init(void)
> for (i = 0; i < info->num_areas; i++) {
> const struct r8a779a0_sysc_area *area = &info->areas[i];
> struct r8a779a0_sysc_pd *pd;
> + size_t n;
>
> if (!area->name) {
> /* Skip NULLified area */
> continue;
> }
>
> - pd = kzalloc(sizeof(*pd) + strlen(area->name) + 1, GFP_KERNEL)> + n = strlen(area->name) + 1;
> + pd = kzalloc(sizeof(*pd) + n, GFP_KERNEL);
Zeroing the allocated bytes is not needed since it's completly
overwritten with the strcpy()/memcpy().
> if (!pd) {
> error = -ENOMEM;
> goto out_put;
> }
>
> - strcpy(pd->name, area->name);
> + memcpy(pd->name, area->name, n);
> pd->genpd.name = pd->name;
> pd->pdr = area->pdr;
> pd->flags = area->flags;
And similar for the second hunk.
MfG,
Bernd
--
Bernd Petrovitsch Email : bernd@xxxxxxxxxxxxxxxxxxx
There is NO CLOUD, just other people's computers. - FSFE
LUGA : http://www.luga.at
