| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <202310051549.D76C508541@keescook>
Date: Thu, 5 Oct 2023 16:09:23 -0700
From: Kees Cook <keescook@...omium.org>
To: Justin Stitt <justinstitt@...gle.com>
Cc: Rasesh Mody <rmody@...vell.com>,
Sudarsana Kalluru <skalluru@...vell.com>,
GR-Linux-NIC-Dev@...vell.com,
"David S. Miller" <davem@...emloft.net>,
Eric Dumazet <edumazet@...gle.com>,
Jakub Kicinski <kuba@...nel.org>, Paolo Abeni <pabeni@...hat.com>,
netdev@...r.kernel.org, linux-kernel@...r.kernel.org,
linux-hardening@...r.kernel.org
Subject: Re: [PATCH] bna: replace deprecated strncpy with strscpy
On Thu, Oct 05, 2023 at 09:05:42PM +0000, Justin Stitt wrote:
> `strncpy` is deprecated for use on NUL-terminated destination strings
> [1] and as such we should prefer more robust and less ambiguous string
> interfaces.
>
> bfa_ioc_get_adapter_manufacturer() simply copies a string literal into
> `manufacturer`.
>
> NUL-padding is not needed because bfa_ioc_get_adapter_manufacturer()'s
> only caller passes `ad_attr` (which is from ioc_attr) which is then
> memset to 0.
> bfa_nw_ioc_get_attr() ->
> bfa_ioc_get_adapter_attr() ->
> bfa_nw_ioc_get_attr() ->
> memset((void *)ioc_attr, 0, sizeof(struct bfa_ioc_attr));
>
> Considering the above, a suitable replacement is `strscpy` [2] due to
> the fact that it guarantees NUL-termination on the destination buffer
> without unnecessarily NUL-padding.
>
> Link: https://www.kernel.org/doc/html/latest/process/deprecated.html#strncpy-on-nul-terminated-strings [1]
> Link: https://manpages.debian.org/testing/linux-manual-4.8/strscpy.9.en.html [2]
> Link: https://github.com/KSPP/linux/issues/90
> Cc: linux-hardening@...r.kernel.org
> Signed-off-by: Justin Stitt <justinstitt@...gle.com>
> ---
> Note: build-tested only.
> ---
> drivers/net/ethernet/brocade/bna/bfa_ioc.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/net/ethernet/brocade/bna/bfa_ioc.c b/drivers/net/ethernet/brocade/bna/bfa_ioc.c
> index b07522ac3e74..497cb65f2d06 100644
> --- a/drivers/net/ethernet/brocade/bna/bfa_ioc.c
> +++ b/drivers/net/ethernet/brocade/bna/bfa_ioc.c
> @@ -2839,7 +2839,7 @@ bfa_ioc_get_adapter_optrom_ver(struct bfa_ioc *ioc, char *optrom_ver)
> static void
> bfa_ioc_get_adapter_manufacturer(struct bfa_ioc *ioc, char *manufacturer)
> {
> - strncpy(manufacturer, BFA_MFG_NAME, BFA_ADAPTER_MFG_NAME_LEN);
> + strscpy(manufacturer, BFA_MFG_NAME, sizeof(manufacturer));
> }
tl;dr: please use:
strscpy_pad(manufacturer, BFA_MFG_NAME, BFA_ADAPTER_MFG_NAME_LEN);
sizeof() will not work correctly here -- manufacturer is a char *,
so this will always be sizeof(unsigned long). Which begs the question,
why is an unbounded string being passed here? Yay fragile API.
I notice bfa_ioc_get_adapter_manufacturer() in drivers/scsi/bfa/bfa_ioc.c
does this:
memset((void *)manufacturer, 0, BFA_ADAPTER_MFG_NAME_LEN);
strscpy(manufacturer, BFA_MFG_NAME, BFA_ADAPTER_MFG_NAME_LEN);
So, I think we should follow suit (but use strscpy_pad() instead to
avoid the partially redundant memset).
I also note that the "manufacturer" argument comes from many possible
structs, not just struct bfa_adapter_attr:
drivers/net/ethernet/brocade/bna/bfa_ioc.c:2761: bfa_ioc_get_adapter_manufacturer(ioc, ad_attr->manufacturer);
struct bfa_adapter_attr {
char manufacturer[BFA_ADAPTER_MFG_NAME_LEN];
drivers/scsi/bfa/bfa_ioc.c:2698: bfa_ioc_get_adapter_manufacturer(ioc, ad_attr->manufacturer);
struct bfa_adapter_attr_s {
char manufacturer[BFA_ADAPTER_MFG_NAME_LEN];
drivers/scsi/bfa/bfa_fcs_lport.c:2630: bfa_ioc_get_adapter_manufacturer(&port->fcs->bfa->ioc,
struct bfa_fcs_fdmi_hba_attr_s {
...
u8 manufacturer[64];
This is unexpectedly large... I was expecting either 8 or
BFA_ADAPTER_MFG_NAME_LEN:
drivers/net/ethernet/brocade/bna/bfa_defs.h:31: BFA_ADAPTER_MFG_NAME_LEN = 8, /*!< manufacturer name length */
drivers/scsi/bfa/bfa_defs.h:259: BFA_ADAPTER_MFG_NAME_LEN = 8, /* manufacturer name length */
(But it seems not a problem, since it's memset() before...)
And there are more that I've check, since I also found this macro:
#define bfa_get_adapter_manufacturer(__bfa, __manufacturer) \
bfa_ioc_get_adapter_manufacturer(&(__bfa)->ioc, __manufacturer)
And there are multiple implementations of bfa_ioc_get_adapter_manufacturer(), it seems.
--
Kees Cook
Powered by blists - more mailing lists