[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20240403112336.GD25200@aspen.lan>
Date: Wed, 3 Apr 2024 12:23:36 +0100
From: Daniel Thompson <daniel.thompson@...aro.org>
To: Justin Stitt <justinstitt@...gle.com>
Cc: Jason Wessel <jason.wessel@...driver.com>,
Douglas Anderson <dianders@...omium.org>,
kgdb-bugreport@...ts.sourceforge.net, linux-kernel@...r.kernel.org,
linux-hardening@...r.kernel.org
Subject: Re: [PATCH] kdb: replace deprecated strncpy
On Wed, Apr 03, 2024 at 12:52:36AM +0000, Justin Stitt wrote:
> All the other cases in this big switch statement use memcpy or other
> methods for copying string data. Since the lengths are handled manually
> and carefully, using strncpy() is may be misleading. It doesn't
> guarantee any sort of NUL-termination on its destination buffer. At any
> rate, it's deprecated [1] and we want to remove all its uses [2].
>
> Link: https://www.kernel.org/doc/html/latest/process/deprecated.html#strncpy-on-nul-terminated-strings [1]
> Link: https://github.com/KSPP/linux/issues/90 [2]
> Cc: linux-hardening@...r.kernel.org
> Signed-off-by: Justin Stitt <justinstitt@...gle.com>
> ---
> Note: build-tested only.
>
> Found with: $ rg "strncpy\("
> ---
> kernel/debug/kdb/kdb_io.c | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/kernel/debug/kdb/kdb_io.c b/kernel/debug/kdb/kdb_io.c
> index 9443bc63c5a2..8bba77b4a39c 100644
> --- a/kernel/debug/kdb/kdb_io.c
> +++ b/kernel/debug/kdb/kdb_io.c
> @@ -368,9 +368,9 @@ static char *kdb_read(char *buffer, size_t bufsize)
> kdb_printf("%s", buffer);
> } else if (tab != 2 && count > 0) {
> len_tmp = strlen(p_tmp);
> - strncpy(p_tmp+len_tmp, cp, lastchar-cp+1);
> + memcpy(p_tmp+len_tmp, cp, lastchar-cp+1);
The strncpy() here is obviously wrong because it passes the size of the
source not the destination.
For that reason I'm not clear that memcpy() is the correct approach
here. It's probably not more wrong than what was there before but,
as mentioned, what was there before is already obviously wrong that
should provoke a bit of code review ;-) .
In particular are you sure lastchar-cp+1 can never larger than
buf_size-len_tmp (which is what I think is the remaining space
at p_tmp+len_tmp)?
> len_tmp = strlen(p_tmp);
> - strncpy(cp, p_tmp+len, len_tmp-len + 1);
> + memcpy(cp, p_tmp+len, len_tmp-len + 1);
Roughly the same question here. The original coded is obviously wrong
so trusting it did the boundary checks properly seems unwise.
Are you sure it is OK to make this copy with checking against bufend?
Daniel.
Powered by blists - more mailing lists