lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Thu, 5 Oct 2023 16:09:23 -0700
From: Kees Cook <keescook@...omium.org>
To: Justin Stitt <justinstitt@...gle.com>
Cc: Rasesh Mody <rmody@...vell.com>,
	Sudarsana Kalluru <skalluru@...vell.com>,
	GR-Linux-NIC-Dev@...vell.com,
	"David S. Miller" <davem@...emloft.net>,
	Eric Dumazet <edumazet@...gle.com>,
	Jakub Kicinski <kuba@...nel.org>, Paolo Abeni <pabeni@...hat.com>,
	netdev@...r.kernel.org, linux-kernel@...r.kernel.org,
	linux-hardening@...r.kernel.org
Subject: Re: [PATCH] bna: replace deprecated strncpy with strscpy

On Thu, Oct 05, 2023 at 09:05:42PM +0000, Justin Stitt wrote:
> `strncpy` is deprecated for use on NUL-terminated destination strings
> [1] and as such we should prefer more robust and less ambiguous string
> interfaces.
> 
> bfa_ioc_get_adapter_manufacturer() simply copies a string literal into
> `manufacturer`.
> 
> NUL-padding is not needed because bfa_ioc_get_adapter_manufacturer()'s
> only caller passes `ad_attr` (which is from ioc_attr) which is then
> memset to 0.
>  bfa_nw_ioc_get_attr() ->
>    bfa_ioc_get_adapter_attr() ->
>      bfa_nw_ioc_get_attr() ->
>        memset((void *)ioc_attr, 0, sizeof(struct bfa_ioc_attr));
> 
> Considering the above, a suitable replacement is `strscpy` [2] due to
> the fact that it guarantees NUL-termination on the destination buffer
> without unnecessarily NUL-padding.
> 
> Link: https://www.kernel.org/doc/html/latest/process/deprecated.html#strncpy-on-nul-terminated-strings [1]
> Link: https://manpages.debian.org/testing/linux-manual-4.8/strscpy.9.en.html [2]
> Link: https://github.com/KSPP/linux/issues/90
> Cc: linux-hardening@...r.kernel.org
> Signed-off-by: Justin Stitt <justinstitt@...gle.com>
> ---
> Note: build-tested only.
> ---
>  drivers/net/ethernet/brocade/bna/bfa_ioc.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/drivers/net/ethernet/brocade/bna/bfa_ioc.c b/drivers/net/ethernet/brocade/bna/bfa_ioc.c
> index b07522ac3e74..497cb65f2d06 100644
> --- a/drivers/net/ethernet/brocade/bna/bfa_ioc.c
> +++ b/drivers/net/ethernet/brocade/bna/bfa_ioc.c
> @@ -2839,7 +2839,7 @@ bfa_ioc_get_adapter_optrom_ver(struct bfa_ioc *ioc, char *optrom_ver)
>  static void
>  bfa_ioc_get_adapter_manufacturer(struct bfa_ioc *ioc, char *manufacturer)
>  {
> -	strncpy(manufacturer, BFA_MFG_NAME, BFA_ADAPTER_MFG_NAME_LEN);
> +	strscpy(manufacturer, BFA_MFG_NAME, sizeof(manufacturer));
>  }

tl;dr: please use:

	strscpy_pad(manufacturer, BFA_MFG_NAME, BFA_ADAPTER_MFG_NAME_LEN);

sizeof() will not work correctly here -- manufacturer is a char *,
so this will always be sizeof(unsigned long). Which begs the question,
why is an unbounded string being passed here? Yay fragile API.

I notice bfa_ioc_get_adapter_manufacturer() in drivers/scsi/bfa/bfa_ioc.c
does this:

        memset((void *)manufacturer, 0, BFA_ADAPTER_MFG_NAME_LEN);
        strscpy(manufacturer, BFA_MFG_NAME, BFA_ADAPTER_MFG_NAME_LEN);

So, I think we should follow suit (but use strscpy_pad() instead to
avoid the partially redundant memset).

I also note that the "manufacturer" argument comes from many possible
structs, not just struct bfa_adapter_attr:

drivers/net/ethernet/brocade/bna/bfa_ioc.c:2761:        bfa_ioc_get_adapter_manufacturer(ioc, ad_attr->manufacturer);

	struct bfa_adapter_attr {
	        char            manufacturer[BFA_ADAPTER_MFG_NAME_LEN];

drivers/scsi/bfa/bfa_ioc.c:2698:        bfa_ioc_get_adapter_manufacturer(ioc, ad_attr->manufacturer);

	struct bfa_adapter_attr_s {
	        char            manufacturer[BFA_ADAPTER_MFG_NAME_LEN];

drivers/scsi/bfa/bfa_fcs_lport.c:2630:  bfa_ioc_get_adapter_manufacturer(&port->fcs->bfa->ioc,

	struct bfa_fcs_fdmi_hba_attr_s {
		...
	        u8         manufacturer[64];

This is unexpectedly large... I was expecting either 8 or
BFA_ADAPTER_MFG_NAME_LEN:

drivers/net/ethernet/brocade/bna/bfa_defs.h:31: BFA_ADAPTER_MFG_NAME_LEN    = 8,   /*!< manufacturer name length */
drivers/scsi/bfa/bfa_defs.h:259:        BFA_ADAPTER_MFG_NAME_LEN    = 8,   /*  manufacturer name length */

(But it seems not a problem, since it's memset() before...)

And there are more that I've check, since I also found this macro:

#define bfa_get_adapter_manufacturer(__bfa, __manufacturer)             \
        bfa_ioc_get_adapter_manufacturer(&(__bfa)->ioc, __manufacturer)

And there are multiple implementations of bfa_ioc_get_adapter_manufacturer(), it seems.

-- 
Kees Cook

Powered by blists - more mailing lists