| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <20240328140512.4148825-4-arnd@kernel.org>
Date: Thu, 28 Mar 2024 15:04:47 +0100
From: Arnd Bergmann <arnd@...nel.org>
To: linux-kernel@...r.kernel.org,
Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
Kees Cook <keescook@...omium.org>,
Daniel Micay <danielmicay@...il.com>
Cc: Arnd Bergmann <arnd@...db.de>,
linux-staging@...ts.linux.dev
Subject: [PATCH 03/11] staging: replace weird strncpy() with memcpy()
From: Arnd Bergmann <arnd@...db.de>
When -Wstringop-truncation is enabled, gcc finds a function that
always does a short copy:
In function 'inquiry',
inlined from 'rtsx_scsi_handler' at drivers/staging/rts5208/rtsx_scsi.c:3210:12:
drivers/staging/rts5208/rtsx_scsi.c:526:17: error: 'strncpy' output truncated copying between 1 and 28 bytes from a string of length 28 [-Werror=stringop-truncation]
526 | strncpy(buf + 8, inquiry_string, sendbytes - 8);
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Since the actual size of the copy is already known at this point, just
copy the bytes directly and skip the length check and zero-padding.
This partially reverts an earlier bugfix that replaced the original
incorrect memcpy() with a less bad strncpy(), but it now also avoids
the original overflow.
Fixes: 88a5b39b69ab ("staging/rts5208: Fix read overflow in memcpy")
Signed-off-by: Arnd Bergmann <arnd@...db.de>
---
drivers/staging/rts5208/rtsx_scsi.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/staging/rts5208/rtsx_scsi.c b/drivers/staging/rts5208/rtsx_scsi.c
index 08bd768ad34d..a73b0959f5a9 100644
--- a/drivers/staging/rts5208/rtsx_scsi.c
+++ b/drivers/staging/rts5208/rtsx_scsi.c
@@ -523,7 +523,7 @@ static int inquiry(struct scsi_cmnd *srb, struct rtsx_chip *chip)
if (sendbytes > 8) {
memcpy(buf, inquiry_buf, 8);
- strncpy(buf + 8, inquiry_string, sendbytes - 8);
+ memcpy(buf + 8, inquiry_string, min(sendbytes, 36) - 8);
if (pro_formatter_flag) {
/* Additional Length */
buf[4] = 0x33;
--
2.39.2
Powered by blists - more mailing lists