Message-Id: <20250811120912.144720-1-miguelgarciaroman8@gmail.com>
Date: Mon, 11 Aug 2025 14:09:12 +0200
From: Miguel García <miguelgarciaroman8@...il.com>
To: richard@....at,
	miquel.raynal@...tlin.com,
	vigneshr@...com
Cc: chengzhihao1@...wei.com,
	linux-mtd@...ts.infradead.org,
	linux-kernel@...r.kernel.org,
	skhan@...uxfoundation.org,
	Miguel García <miguelgarciaroman8@...il.com>
Subject: [PATCH] mtd: ubi: replace strcpy with strscpy in mtd parameter parser

Replace the strcpy() calls used to copy the 'mtd=' parameter into local
buffers with strscpy() to avoid potential overflow and guarantee NUL
termination. Destinations are fixed-size arrays (buf and p->name), so
use sizeof().

While this code is currently safe due to prior length checks
(strnlen(val, MTD_PARAM_LEN_MAX) and early return on overflow),
replacing strcpy() with strscpy() follows current kernel best practices
and makes the code more robust to future changes. The sizeof() calls
correctly compute the buffer sizes, matching MTD_PARAM_LEN_MAX.

Tested in QEMU (initramfs + built-ins):
 - mtdram.total_size=16384 mtdram.erasesize=256 ubi.mtd=0
 - ubi.mtd="mtdram test device"
 - overly long name -> proper "parameter ... is too long" handling

No functional change intended.

Signed-off-by: Miguel García <miguelgarciaroman8@...il.com>
---
 drivers/mtd/ubi/build.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/mtd/ubi/build.c b/drivers/mtd/ubi/build.c
index ef6a22f372f9..0d9f31522356 100644
--- a/drivers/mtd/ubi/build.c
+++ b/drivers/mtd/ubi/build.c
@@ -1497,7 +1497,7 @@ static int ubi_mtd_param_parse(const char *val, const struct kernel_param *kp)
 		return 0;
 	}
 
-	strcpy(buf, val);
+	strscpy(buf, val, sizeof(buf));
 
 	/* Get rid of the final newline */
 	if (buf[len - 1] == '\n')
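
Review bot: The return value of strscpy() is discarded at the new `strscpy(buf, val, sizeof(buf));` line, while the very next statement indexes `buf[len - 1]` with a `len` that was computed from `val` before the copy. strscpy() returns the number of bytes copied, or -E2BIG when the source did not fit, so if the earlier length check is ever loosened the copy would truncate silently and `len` would no longer describe the contents of `buf`. Either test the result (`if (strscpy(buf, val, sizeof(buf)) < 0)` and take the existing "too long" path) or add a short comment stating that the preceding check guarantees `len < sizeof(buf)`, so the dependency is visible at the call site.
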
@@ -1512,7 +1512,7 @@ static int ubi_mtd_param_parse(const char *val, const struct kernel_param *kp)
 	}
 
 	p = &mtd_dev_param[mtd_devs];
-	strcpy(&p->name[0], tokens[0]);
+	strscpy(&p->name[0], tokens[0], sizeof(p->name));
 
 	token = tokens[1];
 	if (token) {
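
Review bot: In `strscpy(&p->name[0], tokens[0], sizeof(p->name));` the destination and the size are spelled two different ways for the same array; writing the destination as `p->name` keeps both arguments visibly tied to one object and makes it obvious that sizeof() is applied to an array rather than a pointer. The return value is ignored here as well: a truncated `p->name` would name a different device than the one requested, so a negative return should be treated as a parse error rather than continuing on to the `tokens[1]` handling.
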
-- 
2.34.1

