lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Mon, 18 Mar 2024 14:52:20 -0700
From: Kees Cook <keescook@...omium.org>
To: Justin Stitt <justinstitt@...gle.com>
Cc: Bjorn Andersson <andersson@...nel.org>,
	Konrad Dybcio <konrad.dybcio@...aro.org>,
	linux-arm-msm@...r.kernel.org, linux-kernel@...r.kernel.org,
	linux-hardening@...r.kernel.org
Subject: Re: [PATCH] soc: qcom: cmd-db: replace deprecated strncpy with memcpy

On Thu, Mar 14, 2024 at 10:29:37PM +0000, Justin Stitt wrote:
> strncpy() is deprecated for use on NUL-terminated destination strings
> [1] and as such we should prefer more robust and less ambiguous string
> interfaces.
> 
> @query is already marked as __nonstring and doesn't need to be
> NUL-terminated. Due to this, we don't need to use a string API here
> (especially a deprecated one). Let's have our stack allocation also
> zero-initialize so that we can just perform a standard memcpy. Since the
> code now speaks for itself we can drop the comment. A memcpy on a
> __nonstring buffer explains everything that this comment talks about.
> 
> Link: https://www.kernel.org/doc/html/latest/process/deprecated.html#strncpy-on-nul-terminated-strings [1]
> Link: https://manpages.debian.org/testing/linux-manual-4.8/strscpy.9.en.html [2]
> Link: https://github.com/KSPP/linux/issues/90
> Cc: linux-hardening@...r.kernel.org
> Signed-off-by: Justin Stitt <justinstitt@...gle.com>
> ---
> Note: build-tested only.
> 
> Found with: $ rg "strncpy\("
> ---
>  drivers/soc/qcom/cmd-db.c | 9 ++-------
>  1 file changed, 2 insertions(+), 7 deletions(-)
> 
> diff --git a/drivers/soc/qcom/cmd-db.c b/drivers/soc/qcom/cmd-db.c
> index a5fd68411bed..512556366a3e 100644
> --- a/drivers/soc/qcom/cmd-db.c
> +++ b/drivers/soc/qcom/cmd-db.c
> @@ -141,18 +141,13 @@ static int cmd_db_get_header(const char *id, const struct entry_header **eh,
>  	const struct rsc_hdr *rsc_hdr;
>  	const struct entry_header *ent;
>  	int ret, i, j;
> -	u8 query[sizeof(ent->id)] __nonstring;
> +	u8 query[sizeof(ent->id)] __nonstring = { 0 };
>  
>  	ret = cmd_db_ready();
>  	if (ret)
>  		return ret;
>  
> -	/*
> -	 * Pad out query string to same length as in DB. NOTE: the output
> -	 * query string is not necessarily '\0' terminated if it bumps up
> -	 * against the max size. That's OK and expected.
> -	 */
> -	strncpy(query, id, sizeof(query));
> +	memcpy(query, id, sizeof(query));

Hm, no, this isn't right. We do want to stop copying at the first NUL
character, but we don't care about truncation. e.g. imagine if "id" was
a 3 character string followed by other bytes in memory. We'd copy beyond
the end of "id" into query, and the later memcmp()s would start failing.
I think what you want here is:

	strtomem(query, id);

-Kees

>  
>  	for (i = 0; i < MAX_SLV_ID; i++) {
>  		rsc_hdr = &cmd_db_header->header[i];
> 
> ---
> base-commit: fe46a7dd189e25604716c03576d05ac8a5209743
> change-id: 20240314-strncpy-drivers-soc-qcom-cmd-db-c-284f3abaabb8
> 
> Best regards,
> --
> Justin Stitt <justinstitt@...gle.com>
> 
> 

-- 
Kees Cook

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ