| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <695be581-548f-4e5e-a211-5f3b95568e77@moroto.mountain>
Date: Thu, 28 Mar 2024 19:35:27 +0300
From: Dan Carpenter <dan.carpenter@...aro.org>
To: Arnd Bergmann <arnd@...nel.org>
Cc: linux-kernel@...r.kernel.org,
Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
Kees Cook <keescook@...omium.org>,
Daniel Micay <danielmicay@...il.com>, Arnd Bergmann <arnd@...db.de>,
linux-staging@...ts.linux.dev
Subject: Re: [PATCH 03/11] staging: replace weird strncpy() with memcpy()
On Thu, Mar 28, 2024 at 03:04:47PM +0100, Arnd Bergmann wrote:
> From: Arnd Bergmann <arnd@...db.de>
>
> When -Wstringop-truncation is enabled, gcc finds a function that
> always does a short copy:
>
> In function 'inquiry',
> inlined from 'rtsx_scsi_handler' at drivers/staging/rts5208/rtsx_scsi.c:3210:12:
> drivers/staging/rts5208/rtsx_scsi.c:526:17: error: 'strncpy' output truncated copying between 1 and 28 bytes from a string of length 28 [-Werror=stringop-truncation]
> 526 | strncpy(buf + 8, inquiry_string, sendbytes - 8);
> | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>
> Since the actual size of the copy is already known at this point, just
> copy the bytes directly and skip the length check and zero-padding.
>
> This partially reverts an earlier bugfix that replaced the original
> incorrect memcpy() with a less bad strncpy(), but it now also avoids
> the original overflow.
>
> Fixes: 88a5b39b69ab ("staging/rts5208: Fix read overflow in memcpy")
I don't see a problem with this commit. The "sendbytes - 8" prevents
a write overflow to buf, and the strncpy() prevents read overflow from
inquiry_string.
> Signed-off-by: Arnd Bergmann <arnd@...db.de>
> ---
> drivers/staging/rts5208/rtsx_scsi.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/staging/rts5208/rtsx_scsi.c b/drivers/staging/rts5208/rtsx_scsi.c
> index 08bd768ad34d..a73b0959f5a9 100644
> --- a/drivers/staging/rts5208/rtsx_scsi.c
> +++ b/drivers/staging/rts5208/rtsx_scsi.c
> @@ -523,7 +523,7 @@ static int inquiry(struct scsi_cmnd *srb, struct rtsx_chip *chip)
>
> if (sendbytes > 8) {
> memcpy(buf, inquiry_buf, 8);
> - strncpy(buf + 8, inquiry_string, sendbytes - 8);
> + memcpy(buf + 8, inquiry_string, min(sendbytes, 36) - 8);
I think your math is off. The string is 29 characters + NUL. So it
should be "min(sendbytes, 38) - 8". You're chopping off the space and
the NUL terminator.
This only affects pro_formatter_flag code...
This code is such a mess. I'm not sure your fix is the complete fix.
When I see code that's clearly buggy like this and it's not sure the fix
is complete then I generally prefer to leave the static checker warning
as is so that we are reminded of the bug occasionally. How close are
you to removing all these -Wstringop-truncation warnings? Maybe we just
add a comment or a TODO item in the drivers/staging/rts5208/TODO file.
regards,
dan carpenter
Powered by blists - more mailing lists