[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <4EF40BD8-9FBA-4D01-B2F4-154D32A503EB@kernel.org>
Date: Thu, 10 Aug 2023 17:42:26 -0700
From: Kees Cook <kees@...nel.org>
To: Justin Stitt <justinstitt@...gle.com>,
Kees Cook <keescook@...omium.org>
CC: Catalin Marinas <catalin.marinas@....com>,
Will Deacon <will@...nel.org>,
linux-arm-kernel@...ts.infradead.org, linux-kernel@...r.kernel.org,
linux-hardening@...r.kernel.org
Subject: Re: [PATCH] arm64/sysreg: refactor deprecated strncpy
On August 10, 2023 2:17:41 PM PDT, Justin Stitt <justinstitt@...gle.com> wrote:
>On Thu, Aug 10, 2023 at 12:58 PM Kees Cook <keescook@...omium.org> wrote:
>>
>> On Thu, Aug 10, 2023 at 12:25:37PM -0700, Justin Stitt wrote:
>> > On Thu, Aug 10, 2023 at 12:00 PM Kees Cook <keescook@...omium.org> wrote:
>> > >
>> > > On Thu, Aug 10, 2023 at 06:39:03PM +0000, Justin Stitt wrote:
>> > > > `strncpy` is deprecated for use on NUL-terminated destination strings
>> > > > [1]. Which seems to be the case here due to the forceful setting of `buf`'s
>> > > > tail to 0.
>> > >
>> > > Another note to include in these evaluations would be "does the
>> > > destination expect to be %NUL padded?". Here, it looks like no, as all
>> > > the routines "buf" is passed to expect a regular C string (padding
>> > > doesn't matter).
>> > >
>> > > >
>> > > > A suitable replacement is `strscpy` [2] due to the fact that it
>> > > > guarantees NUL-termination on its destination buffer argument which is
>> > > > _not_ the case for `strncpy`!
>> > > >
>> > > > In this case, there is some behavior being used in conjunction with
>> > > > `strncpy` that `strscpy` already implements. This means we can drop some
>> > > > of the extra stuff like `... -1` and `buf[len] = 0`
>> > > >
>> > > > This should have no functional change and yet uses a more robust and
>> > > > less ambiguous interface whilst reducing code complexity.
>> > > >
>> > > > Link: www.kernel.org/doc/html/latest/process/deprecated.html#strncpy-on-nul-terminated-strings[1]
>> > > > Link: https://manpages.debian.org/testing/linux-manual-4.8/strscpy.9.en.html [2]
>> > > > Link: https://github.com/KSPP/linux/issues/90
>> > > > Cc: linux-hardening@...r.kernel.org
>> > > >
>> > > > Signed-off-by: Justin Stitt <justinstitt@...gle.com>
>> > > > ---
>> > > > For reference, see a part of `strscpy`'s implementation here:
>> > > >
>> > > > | /* Hit buffer length without finding a NUL; force NUL-termination. */
>> > > > | if (res)
>> > > > | dest[res-1] = '\0';
>> > > >
>> > > > Note: compile tested
>> > > > ---
>> > > > arch/arm64/kernel/idreg-override.c | 5 ++---
>> > > > 1 file changed, 2 insertions(+), 3 deletions(-)
>> > > >
>> > > > diff --git a/arch/arm64/kernel/idreg-override.c b/arch/arm64/kernel/idreg-override.c
>> > > > index 2fe2491b692c..482dc5c71e90 100644
>> > > > --- a/arch/arm64/kernel/idreg-override.c
>> > > > +++ b/arch/arm64/kernel/idreg-override.c
>> > > > @@ -262,9 +262,8 @@ static __init void __parse_cmdline(const char *cmdline, bool parse_aliases)
>> > > > if (!len)
>> > > > return;
>> > > >
>> > > > - len = min(len, ARRAY_SIZE(buf) - 1);
>> > > > - strncpy(buf, cmdline, len);
>> > > > - buf[len] = 0;
>> > > > + len = min(len, ARRAY_SIZE(buf));
>> > > > + strscpy(buf, cmdline, len);
>Perhaps keeping the `... - 1` is good because we then don't have to
>check strlen immediately after. This does still silently truncate but
>didn't the previous `strncpy` also do that?
Ah, actually there's no need to get too tricky here. This should be behaviorally identical:
len = strscpy(buf, cmdline, ARRAY_SIZE(buf));
if (len == -E2BIG)
len = ARRAY_SIZE(buf) - 1;
-Kees
--
Kees Cook
Powered by blists - more mailing lists