| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20251031110647.102728-2-thorsten.blum@linux.dev>
Date: Fri, 31 Oct 2025 12:06:47 +0100
From: Thorsten Blum <thorsten.blum@...ux.dev>
To: Paul Moore <paul@...l-moore.com>,
James Morris <jmorris@...ei.org>,
"Serge E. Hallyn" <serge@...lyn.com>
Cc: Thorsten Blum <thorsten.blum@...ux.dev>,
linux-security-module@...r.kernel.org,
linux-kernel@...r.kernel.org
Subject: [PATCH] device_cgroup: Replace strcpy/sprintf in set_majmin
strcpy() is deprecated and sprintf() does not perform bounds checking
either. While the current code works correctly, strscpy() and snprintf()
are safer alternatives that follow secure coding best practices.
Link: https://github.com/KSPP/linux/issues/88
Signed-off-by: Thorsten Blum <thorsten.blum@...ux.dev>
---
security/device_cgroup.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/security/device_cgroup.c b/security/device_cgroup.c
index dc4df7475081..a41f558f6fdd 100644
--- a/security/device_cgroup.c
+++ b/security/device_cgroup.c
@@ -273,9 +273,9 @@ static char type_to_char(short type)
static void set_majmin(char *str, unsigned m)
{
if (m == ~0)
- strcpy(str, "*");
+ strscpy(str, "*", MAJMINLEN);
else
- sprintf(str, "%u", m);
+ snprintf(str, MAJMINLEN, "%u", m);
}
static int devcgroup_seq_show(struct seq_file *m, void *v)
--
2.51.1
Powered by blists - more mailing lists