On Mon, Sep 10, 2018 at 11:34 AM, Mauro Carvalho Chehab
<mchehab+samsung@xxxxxxxxxx> wrote:
> On Mon, 10 Sep 2018 09:18:05 -0700
> Kees Cook <keescook@xxxxxxxxxxxx> wrote:
>
>> On Mon, Sep 10, 2018 at 5:19 AM, Mauro Carvalho Chehab
>> <mchehab+samsung@xxxxxxxxxx> wrote:
>> > The strncpy() function is being deprecated upstream. Replace
>> > it by the safer strscpy().
>>
>> This one I'm quite concerned about. This could lead to kernel memory
>> exposures if any of the callers depend on strncpy()'s trailing
>> NUL-padding to clear a buffer of prior contents.
>>
>> How did you validate that for these changes?
>
> That's actually easy for those familiar with the V4L2 API. There are
> several fields at either uAPI or kAPI (or both) that have strings.
>
> For example, a video input has a name.
>
> So, for one familiar with the V4L2 API, it is clear that something
> like:
>
> + strscpy(inp->name, zr->card.input[inp->index].name,
> + sizeof(inp->name));
>
> Is just filling the uAPI with the name of Input, which is, typically,
> something like:
>         S-Video
>         Television
>         Radio
>         Composite
>
> A visual inspection of the patch shows that, on almost all cases, it is
> either filling a device driver's name (used mainly for debug routines),
> a video Input, a format description string, or the video caps fields
> name and driver.

It looks like the ioctl path also pre-clears the output buffer before
handing it over to the per-driver routines, so I think this looks
okay. It's a large patch, but if you're comfortable with it, go for
it. :)

-Kees

--
Kees Cook
Pixel Security
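The padding concern discussed in this thread, as an added example that is not part of the original messages or of the kernel patch: strncpy() zero-fills the rest of the destination, while a strscpy()-style copy stops after the NUL, so earlier bytes survive unless the buffer was cleared beforehand. `strscpy_like()` is a hypothetical userspace stand-in for the kernel's strscpy(); the 32-byte buffer and its 'A' fill are constructed.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define NAME_LEN 32 /* constructed size for the name field */

/* Hypothetical userspace stand-in for strscpy(): copies at most size-1 bytes,
 * always NUL-terminates, never pads. Returns the length, or -1 if truncated. */
static long strscpy_like(char *dst, const char *src, size_t size)
{
    size_t i;
    if (size == 0)
        return -1;
    for (i = 0; i < size - 1 && src[i] != '\0'; i++)
        dst[i] = src[i];
    dst[i] = '\0';
    return src[i] == '\0' ? (long)i : -1;
}

/* Count non-zero bytes after the terminating NUL: prior contents that would
 * leave with the buffer if the whole field were copied out. */
static size_t stale_bytes(const char *buf, size_t size)
{
    size_t i = 0, n = 0;
    while (i < size && buf[i] != '\0')
        i++;
    for (; i < size; i++)
        n += (buf[i] != '\0');
    return n;
}

enum copy_mode { USE_STRNCPY, USE_STRSCPY, USE_STRSCPY_PRECLEARED };

/* Start from a buffer holding prior contents, write an input name into it
 * with the chosen routine, and report how many stale bytes remain. */
static size_t fill_name(enum copy_mode mode)
{
    char name[NAME_LEN];
    memset(name, 'A', sizeof(name)); /* constructed prior contents */
    if (mode == USE_STRNCPY) {
        strncpy(name, "S-Video", sizeof(name)); /* pads the tail with NULs */
    } else {
        if (mode == USE_STRSCPY_PRECLEARED)
            memset(name, 0, sizeof(name)); /* caller clears the buffer first */
        strscpy_like(name, "S-Video", sizeof(name));
    }
    return stale_bytes(name, sizeof(name));
}

int main(void)
{
    printf("strncpy=%zu strscpy=%zu precleared=%zu\n", fill_name(USE_STRNCPY),
           fill_name(USE_STRSCPY), fill_name(USE_STRSCPY_PRECLEARED));
    return 0;
}
```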