lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-Id: <1BFDA086-7B8E-4FD9-8A8A-B7D23A5FE5CF@linux.dev>
Date: Tue, 21 Oct 2025 23:22:05 +0200
From: Thorsten Blum <thorsten.blum@...ux.dev>
To: Krzysztof Kozlowski <krzk@...nel.org>
Cc: Huisong Li <lihuisong@...wei.com>,
 Krzysztof Kozlowski <krzysztof.kozlowski@...aro.org>,
 linux-kernel@...r.kernel.org
Subject: Re: [PATCH] w1: therm: Replace deprecated strcpy with strscpy in
 alarms_store

On 20. Oct 2025, at 09:01, Krzysztof Kozlowski wrote:
> On 17/10/2025 19:00, Thorsten Blum wrote:
>> strcpy() is deprecated because it can overflow when the destination
>> buffer is not large enough for the source string. Replace it with
> 
> It cannot overflow. Look at the code - memory is allocated for the size.

The sysfs buffer passed to alarms_store() is allocated with 'size + 1'
bytes to include a NUL terminator. However, the 'size' argument does not
account for this extra byte.

And since 'p_args' is allocated with only 'size' bytes and strcpy()
copies 'buf' until the first '\0' at index 'size', strcpy() writes one
byte past the end of 'p_args'.

Using kstrdup() fixes this issue, as it allocates 'strlen(buf) + 1'
bytes and copies the NUL terminator safely.

I would also remove the misleading comment, drop dev_warn(), and return
-ENOMEM on allocation failure.

Would this work for you?

diff --git a/drivers/w1/slaves/w1_therm.c b/drivers/w1/slaves/w1_therm.c
index 9ccedb3264fb..94512f8b60f5 100644
--- a/drivers/w1/slaves/w1_therm.c
+++ b/drivers/w1/slaves/w1_therm.c
@@ -1841,15 +1841,9 @@ static ssize_t alarms_store(struct device *device,
	s8 tl, th;	/* 1 byte per value + temp ring order */
	char *p_args, *orig;

-	p_args = orig = kmalloc(size, GFP_KERNEL);
-	/* Safe string copys as buf is const */
-	if (!p_args) {
-		dev_warn(device,
-			"%s: error unable to allocate memory %d\n",
-			__func__, -ENOMEM);
-		return size;
-	}
-	strcpy(p_args, buf);
+	p_args = orig = kstrdup(buf, GFP_KERNEL);
+	if (!p_args)
+		return -ENOMEM;

	/* Split string using space char */
	token = strsep(&p_args, " ");

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ