Em Mon, 10 Sep 2018 09:16:35 -0700
Kees Cook <keescook@xxxxxxxxxxxx> escreveu:
> On Mon, Sep 10, 2018 at 5:19 AM, Mauro Carvalho Chehab
> <mchehab+samsung@xxxxxxxxxx> wrote:
> > The strcpy() function is being deprecated upstream. Replace
> > it by the safer strscpy().
>
> Did you verify that all the destination buffers here are arrays and
> not pointers? For example:
>
> struct thing {
> char buffer[64];
> char *ptr;
> }
>
> strscpy(instance->buffer, source, sizeof(instance->buffer));
>
> is correct.
>
> But:
>
> strscpy(instance->ptr, source, sizeof(instance->ptr));
>
> will not be and will truncate strings to sizeof(char *).
>
> If you _did_ verify this, I'd love to know more about your tooling. :)
I ended by implementing a simple tooling to test... it found just
one place where it was wrong. I'll send the correct patch.
The tooling is actually a hack... see enclosed.
Basically, it defines a __strscpy() that will try to create a negative
array if the size is equal to a pointer size.
Then, I replaced all occurrences of strscpy with __strcpy() with:
$ for i in $(git grep -l strscpy drivers/media drivers/staging/media); do sed s,strscpy,__strscpy,g -i $i; done
and compiled on 32 bits (that's my usual build). As all strings at
the media API are bigger than 4 bytes, it will only complain if it
tries to do a sizeof(*).
Thanks,
Mauro
TEST hack
diff --git a/include/linux/string.h b/include/linux/string.h
index 4a5a0eb7df51..06a87e328293 100644
--- a/include/linux/string.h
+++ b/include/linux/string.h
@@ -66,6 +66,15 @@ extern char * strrchr(const char *,int);
#endif
extern char * __must_check skip_spaces(const char *);
+
+#define __strscpy(origin, dest, size) \
+({ \
+ char zzz[1 - 2*(size == sizeof(char *))]; \
+ zzz[0] = 1; \
+ if (zzz[0] >2) zzz[0]++; \
+ strscpy(origin, dest, size); \
+})
+
extern char *strim(char *);
static inline __must_check char *strstrip(char *str)
