lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <202309232039.979F3B4@keescook>
Date: Sat, 23 Sep 2023 20:43:07 -0700
From: Kees Cook <keescook@...omium.org>
To: Justin Stitt <justinstitt@...gle.com>
Cc: Pavel Machek <pavel@....cz>, Lee Jones <lee@...nel.org>,
	linux-leds@...r.kernel.org, linux-kernel@...r.kernel.org,
	linux-hardening@...r.kernel.org
Subject: Re: [PATCH] leds: lp3952: replace deprecated strncpy with strscpy

On Fri, Sep 22, 2023 at 03:27:17PM +0000, Justin Stitt wrote:
> `strncpy` is deprecated for use on NUL-terminated destination strings
> [1] and as such we should prefer more robust and less ambiguous string
> interfaces.
> 
> We expect `dest` to be NUL-terminated due to its use with dev_err.
> 
> lp3952_get_label()'s  dest argument is priv->leds[i].name:
> |    acpi_ret = lp3952_get_label(&priv->client->dev, led_name_hdl[i],
> |                                priv->leds[i].name);
> ... which is then assigned to:
> |    priv->leds[i].cdev.name = priv->leds[i].name;
> ... which is used with a format string
> |    dev_err(&priv->client->dev,
> |            "couldn't register LED %s\n",
> |            priv->leds[i].cdev.name);
> 
> There is no indication that NUL-padding is required but if it is let's
> opt for strscpy_pad.
> 
> Considering the above, a suitable replacement is `strscpy` [2] due to
> the fact that it guarantees NUL-termination on the destination buffer
> without unnecessarily NUL-padding.
> 
> Link: https://www.kernel.org/doc/html/latest/process/deprecated.html#strncpy-on-nul-terminated-strings [1]
> Link: https://manpages.debian.org/testing/linux-manual-4.8/strscpy.9.en.html [2]
> Link: https://github.com/KSPP/linux/issues/90
> Cc: linux-hardening@...r.kernel.org
> Signed-off-by: Justin Stitt <justinstitt@...gle.com>
> ---
> Note: build-tested only.
> ---
>  drivers/leds/leds-lp3952.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/drivers/leds/leds-lp3952.c b/drivers/leds/leds-lp3952.c
> index 3bd55652a706..62ade3f05a87 100644
> --- a/drivers/leds/leds-lp3952.c
> +++ b/drivers/leds/leds-lp3952.c
> @@ -101,7 +101,7 @@ static int lp3952_get_label(struct device *dev, const char *label, char *dest)
>  	if (ret)
>  		return ret;
>  
> -	strncpy(dest, str, LP3952_LABEL_MAX_LEN);
> +	strscpy(dest, str, LP3952_LABEL_MAX_LEN);

Given my desire to use sizeof(dest) for these things, I wonder if it'd
be nicer to pass more context here for the compiler as the only user of
this function is the immediately next function. Instead of passing in
"char *dest", it could pass "struct lp3952_led_array *priv", and
suddenly sizeof() would be possible.

But, since it's technically correct as-is:

struct lp3952_ctrl_hdl {
        struct led_classdev cdev;
        char name[LP3952_LABEL_MAX_LEN];

There's no pressing need to actually do the priv refactor. It's just a
comment on the coding style of the original code. :)

Reviewed-by: Kees Cook <keescook@...omium.org>

-Kees

>  	return 0;
>  }
>  
> 
> ---
> base-commit: 2cf0f715623872823a72e451243bbf555d10d032
> change-id: 20230922-strncpy-drivers-leds-leds-lp3952-c-666fcfabeebd
> 
> Best regards,
> --
> Justin Stitt <justinstitt@...gle.com>
> 

-- 
Kees Cook

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ