lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Message-ID: <20231026-strncpy-drivers-scsi-hpsa-c-v1-1-75519d7a191b@google.com> Date: Thu, 26 Oct 2023 01:47:32 +0000 From: Justin Stitt <justinstitt@...gle.com> To: Don Brace <don.brace@...rochip.com>, "James E.J. Bottomley" <jejb@...ux.ibm.com>, "Martin K. Petersen" <martin.petersen@...cle.com> Cc: storagedev@...rochip.com, linux-scsi@...r.kernel.org, linux-kernel@...r.kernel.org, linux-hardening@...r.kernel.org, Kees Cook <keescook@...omium.org>, Justin Stitt <justinstitt@...gle.com> Subject: [PATCH] scsi: hpsa: replace deprecated strncpy with strscpy/kmemdup_nul strncpy() is deprecated for use on NUL-terminated destination strings [1] and as such we should prefer more robust and less ambiguous string interfaces. This whole process of 1) determining smaller length so we don't overread the buffer and 2) manually NUL-terminating our buffer so we can use in string APIs is handled implicitly by strscpy(). Therefore, a suitable replacement is `strscpy` [2] due to the fact that it guarantees NUL-termination on the destination buffer without unnecessarily NUL-padding. For the last two strncpy() use cases in init_driver_version(), we can actually drop this function entirely. Firstly, we are kmalloc()'ing driver_version. Then, we are calling init_driver_version() which memset's it to 0 followed by a strncpy(). This pattern of 1) allocating memory for a string, 2) setting all bytes to NUL, 3) copy bytes from another string + ensure NUL-padded destination is just an open-coded kmemdup_nul(). The last case involves swapping kmalloc_array() for kcalloc() to give us a zero-filled two-element array for both old_driver_version and driver_version without needing the memset from init_driver_version(). Now this code is easier to read and less fragile (no more ... - 1's) or min length checks and now we have guaranteed NUL-termination everywhere! Although perhaps there should be a macro for: Link: https://www.kernel.org/doc/html/latest/process/deprecated.html#strncpy-on-nul-terminated-strings [1] Link: https://manpages.debian.org/testing/linux-manual-4.8/strscpy.9.en.html [2] Link: https://github.com/KSPP/linux/issues/90 Cc: linux-hardening@...r.kernel.org Cc: Kees Cook <keescook@...omium.org> Signed-off-by: Justin Stitt <justinstitt@...gle.com> --- Note: build-tested only. Found with: $ rg "strncpy\(" --- drivers/scsi/hpsa.c | 29 +++++++++++------------------ 1 file changed, 11 insertions(+), 18 deletions(-) diff --git a/drivers/scsi/hpsa.c b/drivers/scsi/hpsa.c index af18d20f3079..3376d4614fe5 100644 --- a/drivers/scsi/hpsa.c +++ b/drivers/scsi/hpsa.c @@ -452,16 +452,15 @@ static ssize_t host_store_hp_ssd_smart_path_status(struct device *dev, struct device_attribute *attr, const char *buf, size_t count) { - int status, len; + int status; struct ctlr_info *h; struct Scsi_Host *shost = class_to_shost(dev); char tmpbuf[10]; if (!capable(CAP_SYS_ADMIN) || !capable(CAP_SYS_RAWIO)) return -EACCES; - len = count > sizeof(tmpbuf) - 1 ? sizeof(tmpbuf) - 1 : count; - strncpy(tmpbuf, buf, len); - tmpbuf[len] = '\0'; + strscpy(tmpbuf, buf, count); + if (sscanf(tmpbuf, "%d", &status) != 1) return -EINVAL; h = shost_to_hba(shost); @@ -476,16 +475,15 @@ static ssize_t host_store_raid_offload_debug(struct device *dev, struct device_attribute *attr, const char *buf, size_t count) { - int debug_level, len; + int debug_level; struct ctlr_info *h; struct Scsi_Host *shost = class_to_shost(dev); char tmpbuf[10]; if (!capable(CAP_SYS_ADMIN) || !capable(CAP_SYS_RAWIO)) return -EACCES; - len = count > sizeof(tmpbuf) - 1 ? sizeof(tmpbuf) - 1 : count; - strncpy(tmpbuf, buf, len); - tmpbuf[len] = '\0'; + strscpy(tmpbuf, buf, count); + if (sscanf(tmpbuf, "%d", &debug_level) != 1) return -EINVAL; if (debug_level < 0) @@ -7234,24 +7232,19 @@ static int hpsa_controller_hard_reset(struct pci_dev *pdev, return 0; } -static void init_driver_version(char *driver_version, int len) -{ - memset(driver_version, 0, len); - strncpy(driver_version, HPSA " " HPSA_DRIVER_VERSION, len - 1); -} - static int write_driver_ver_to_cfgtable(struct CfgTable __iomem *cfgtable) { char *driver_version; int i, size = sizeof(cfgtable->driver_version); - driver_version = kmalloc(size, GFP_KERNEL); + driver_version = kmemdup_nul(HPSA " " HPSA_DRIVER_VERSION, size, + GFP_KERNEL); if (!driver_version) return -ENOMEM; - init_driver_version(driver_version, size); for (i = 0; i < size; i++) writeb(driver_version[i], &cfgtable->driver_version[i]); + kfree(driver_version); return 0; } @@ -7271,7 +7264,7 @@ static int controller_reset_failed(struct CfgTable __iomem *cfgtable) char *driver_ver, *old_driver_ver; int rc, size = sizeof(cfgtable->driver_version); - old_driver_ver = kmalloc_array(2, size, GFP_KERNEL); + old_driver_ver = kcalloc(2, size, GFP_KERNEL); if (!old_driver_ver) return -ENOMEM; driver_ver = old_driver_ver + size; @@ -7279,7 +7272,7 @@ static int controller_reset_failed(struct CfgTable __iomem *cfgtable) /* After a reset, the 32 bytes of "driver version" in the cfgtable * should have been changed, otherwise we know the reset failed. */ - init_driver_version(old_driver_ver, size); + strscpy(old_driver_ver, HPSA " " HPSA_DRIVER_VERSION, size); read_driver_ver_from_cfgtable(cfgtable, driver_ver); rc = !memcmp(driver_ver, old_driver_ver, size); kfree(old_driver_ver); --- base-commit: d88520ad73b79e71e3ddf08de335b8520ae41c5c change-id: 20231026-strncpy-drivers-scsi-hpsa-c-4cb7bd4e9b7f Best regards, -- Justin Stitt <justinstitt@...gle.com>
Powered by blists - more mailing lists