On Mon, Jun 27, 2022 at 11:38 AM Yangxi Xiang <xyangxi5@xxxxxxxxx> wrote:
>
> > Which architectures do you mean? I don't see any architecture using
> > asm-generic/uaccess.h without setting GENERIC_STRNCPY_FROM_USER
> > before commit 98b861a30431 or the prior release.
>
> I am a user of LibOS, which uses this __strncpy_from_user.
Ok, got it. This should be part of the changelog then when you send a
patch for stable kernels. You should also indicate that the code was
removed in mainline kernels and what the fix was there, as well as
which of the older kernels need the fix.
> > Also, I think the implementation relied on strncpy() setting a zero pad
> > at the end of the string, so the ckeck would only be needed for a count
> > value that starts out negative? Is there another way this can actually
> > cause problems?
>
> In kernel there is a common calling pattern is strncpy_from_user(buf,
> user_ptr, sizeof(buf)), as I mentioned before. If the size of
> user_ptr is greater than the buffer in the kernel, no zero attaches
> to the end of copied string (see the implementation in lib/string.c).
> So the checking of the count variable in this boolean condition does
> not protect the tmp buffer in the last iteration of this loop in the
> __strncpy_from_user.
Ah right, of course.
Arnd
