| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 3 Sep 2018 12:24:53 -0700
From: Bjorn Andersson <bjorn.andersson@...aro.org>
To: Niklas Cassel <niklas.cassel@...aro.org>
Cc: Andy Gross <andy.gross@...aro.org>,
David Brown <david.brown@...aro.org>,
linux-arm-msm@...r.kernel.org, linux-soc@...r.kernel.org,
linux-kernel@...r.kernel.org
Subject: Re: [PATCH v6 8/9] soc: qcom: apr: Avoid string overflow
On Wed 29 Aug 00:57 PDT 2018, Niklas Cassel wrote:
> 'adev->name' is used as a NUL-terminated string, but using strncpy() with the
> length equal to the buffer size may result in lack of the termination:
>
> In function 'apr_add_device',
> inlined from 'of_register_apr_devices' at drivers//soc/qcom/apr.c:264:7,
> inlined from 'apr_probe' at drivers//soc/qcom/apr.c:290:2:
> drivers//soc/qcom/apr.c:222:3: warning: 'strncpy' specified bound 32 equals destination size [-Wstringop-truncation]
> strncpy(adev->name, np->name, APR_NAME_SIZE);
> ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>
> This changes it to use the safer strscpy() instead.
>
> Signed-off-by: Niklas Cassel <niklas.cassel@...aro.org>
Reviewed-by: Bjorn Andersson <bjorn.andersson@...aro.org>
Regards,
Bjorn
> ---
> drivers/soc/qcom/apr.c | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/soc/qcom/apr.c b/drivers/soc/qcom/apr.c
> index 57af8a537332..ee9197f5aae9 100644
> --- a/drivers/soc/qcom/apr.c
> +++ b/drivers/soc/qcom/apr.c
> @@ -219,9 +219,9 @@ static int apr_add_device(struct device *dev, struct device_node *np,
> adev->domain_id = id->domain_id;
> adev->version = id->svc_version;
> if (np)
> - strncpy(adev->name, np->name, APR_NAME_SIZE);
> + strscpy(adev->name, np->name, APR_NAME_SIZE);
> else
> - strncpy(adev->name, id->name, APR_NAME_SIZE);
> + strscpy(adev->name, id->name, APR_NAME_SIZE);
>
> dev_set_name(&adev->dev, "aprsvc:%s:%x:%x", adev->name,
> id->domain_id, id->svc_id);
> --
> 2.17.1
>
Powered by blists - more mailing lists