strncpy() is deprecated for use on NUL-terminated destination strings [1] and as such we should prefer more robust and less ambiguous string interfaces. sbp->sb_fname may not be NUL-terminated while label is expected to be. memtostr best describes this behavior, specifically, use the pad variant since we're copying out to userspace. Link: https://www.kernel.org/doc/html/latest/process/deprecated.html#strncpy-on-nul-terminated-strings [1] Link: https://manpages.debian.org/testing/linux-manual-4.8/strscpy.9.en.html [2] Link: https://github.com/KSPP/linux/issues/90 Cc: linux-hardening@xxxxxxxxxxxxxxx Signed-off-by: Justin Stitt <justinstitt@xxxxxxxxxx> --- Changes in v2: - use memtostr_pad (thanks Kees) - Link to v1: https://lore.kernel.org/r/20240405-strncpy-xfs-split1-v1-1-3e3df465adb9@xxxxxxxxxx --- Note: This patch relies on the memtostr{_pad} implementation from Kees' patch: https://lore.kernel.org/all/20240410023155.2100422-1-keescook@xxxxxxxxxxxx/ Split from https://lore.kernel.org/all/20240401-strncpy-fs-xfs-xfs_ioctl-c-v1-1-02b9feb1989b@xxxxxxxxxx/ with feedback from Christoph H. --- fs/xfs/xfs_ioctl.c | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/fs/xfs/xfs_ioctl.c b/fs/xfs/xfs_ioctl.c index d0e2cec6210d..7ed7a5d57094 100644 --- a/fs/xfs/xfs_ioctl.c +++ b/fs/xfs/xfs_ioctl.c @@ -1750,15 +1750,14 @@ xfs_ioc_getlabel( char __user *user_label) { struct xfs_sb *sbp = &mp->m_sb; + /* 1 larger than sb_fname, for a NULL byte */ char label[XFSLABEL_MAX + 1]; /* Paranoia */ BUILD_BUG_ON(sizeof(sbp->sb_fname) > FSLABEL_MAX); - /* 1 larger than sb_fname, so this ensures a trailing NUL char */ - memset(label, 0, sizeof(label)); spin_lock(&mp->m_sb_lock); - strncpy(label, sbp->sb_fname, XFSLABEL_MAX); + memtostr_pad(label, sbp->sb_fname); spin_unlock(&mp->m_sb_lock); if (copy_to_user(user_label, label, sizeof(label))) --- base-commit: c85af715cac0a951eea97393378e84bb49384734 change-id: 20240405-strncpy-xfs-split1-a2c408b934c6 Best regards, -- Justin Stitt <justinstitt@xxxxxxxxxx>
