lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Message-ID: <1614253132-21793-1-git-send-email-luojiaxing@huawei.com>
Date:   Thu, 25 Feb 2021 19:38:52 +0800
From:   Luo Jiaxing <luojiaxing@...wei.com>
To:     <nouveau@...ts.freedesktop.org>, <dri-devel@...ts.freedesktop.org>,
        <bskeggs@...hat.com>
CC:     <linux-kernel@...r.kernel.org>, <linuxarm@...neuler.org>,
        <luojiaxing@...wei.com>
Subject: [PATCH v1] drm/nouveau/device: append a NUL-terminated character for the string which filled by strncpy()

Following warning is found when using W=1 to build kernel:

In function ‘nvkm_udevice_info’,
    inlined from ‘nvkm_udevice_mthd’ at drivers/gpu/drm/nouveau/nvkm/engine/device/user.c:195:10:
drivers/gpu/drm/nouveau/nvkm/engine/device/user.c:164:2: warning: ‘strncpy’ specified bound 16 equals destination size [-Wstringop-truncation]
  164 |  strncpy(args->v0.chip, device->chip->name, sizeof(args->v0.chip));
drivers/gpu/drm/nouveau/nvkm/engine/device/user.c:165:2: warning: ‘strncpy’ specified bound 64 equals destination size [-Wstringop-truncation]
  165 |  strncpy(args->v0.name, device->name, sizeof(args->v0.name));

The reason of this warning is strncpy() does not guarantee that the
destination buffer will be NUL terminated. If the length of source string
is bigger than number we set by third input parameter, only first [number]
of characters is copied to the destination, and no NUL-terminated is
automatically added. There are some potential risks.

Signed-off-by: Luo Jiaxing <luojiaxing@...wei.com>
---
 drivers/gpu/drm/nouveau/nvkm/engine/device/user.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/drivers/gpu/drm/nouveau/nvkm/engine/device/user.c b/drivers/gpu/drm/nouveau/nvkm/engine/device/user.c
index fea9d8f..2a32fe0 100644
--- a/drivers/gpu/drm/nouveau/nvkm/engine/device/user.c
+++ b/drivers/gpu/drm/nouveau/nvkm/engine/device/user.c
@@ -161,8 +161,10 @@ nvkm_udevice_info(struct nvkm_udevice *udev, void *data, u32 size)
 	if (imem && args->v0.ram_size > 0)
 		args->v0.ram_user = args->v0.ram_user - imem->reserved;
 
-	strncpy(args->v0.chip, device->chip->name, sizeof(args->v0.chip));
-	strncpy(args->v0.name, device->name, sizeof(args->v0.name));
+	strncpy(args->v0.chip, device->chip->name, sizeof(args->v0.chip) - 1);
+	args->v0.chip[sizeof(args->v0.chip) - 1] = '\0';
+	strncpy(args->v0.name, device->name, sizeof(args->v0.name) - 1);
+	args->v0.name[sizeof(args->v0.name) - 1] = '\0';
 	return 0;
 }
 
-- 
2.7.4

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ