2023-06-14 01:34:17

by Azeem Shaikh

[permalink] [raw]
Subject: [PATCH] kallsyms: Replace all non-returning strlcpy with strscpy

strlcpy() reads the entire source buffer first.
This read may exceed the destination size limit.
This is both inefficient and can lead to linear read
overflows if a source string is not NUL-terminated [1].
In an effort to remove strlcpy() completely [2], replace
strlcpy() here with strscpy().
No return values were used, so direct replacement is safe.

[1] https://www.kernel.org/doc/html/latest/process/deprecated.html#strlcpy
[2] https://github.com/KSPP/linux/issues/89

Signed-off-by: Azeem Shaikh <[email protected]>
---
kernel/kallsyms.c | 4 ++--
kernel/params.c | 2 +-
2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/kernel/kallsyms.c b/kernel/kallsyms.c
index 0f82c3d5a57d..7982cc9d497c 100644
--- a/kernel/kallsyms.c
+++ b/kernel/kallsyms.c
@@ -667,7 +667,7 @@ static int get_ksymbol_bpf(struct kallsym_iter *iter)
{
int ret;

- strlcpy(iter->module_name, "bpf", MODULE_NAME_LEN);
+ strscpy(iter->module_name, "bpf", MODULE_NAME_LEN);
iter->exported = 0;
ret = bpf_get_kallsym(iter->pos - iter->pos_ftrace_mod_end,
&iter->value, &iter->type,
@@ -687,7 +687,7 @@ static int get_ksymbol_bpf(struct kallsym_iter *iter)
*/
static int get_ksymbol_kprobe(struct kallsym_iter *iter)
{
- strlcpy(iter->module_name, "__builtin__kprobes", MODULE_NAME_LEN);
+ strscpy(iter->module_name, "__builtin__kprobes", MODULE_NAME_LEN);
iter->exported = 0;
return kprobe_get_kallsym(iter->pos - iter->pos_bpf_end,
&iter->value, &iter->type,
diff --git a/kernel/params.c b/kernel/params.c
index 6a7548979aa9..07d01f6ce9a2 100644
--- a/kernel/params.c
+++ b/kernel/params.c
@@ -847,7 +847,7 @@ static void __init param_sysfs_builtin(void)
name_len = 0;
} else {
name_len = dot - kp->name + 1;
- strlcpy(modname, kp->name, name_len);
+ strscpy(modname, kp->name, name_len);
}
kernel_add_sysfs_param(modname, kp, name_len);
}
--
2.41.0.162.gfafddb0af9-goog




2023-06-14 18:07:35

by Kees Cook

[permalink] [raw]
Subject: Re: [PATCH] kallsyms: Replace all non-returning strlcpy with strscpy

On Wed, Jun 14, 2023 at 01:03:54AM +0000, Azeem Shaikh wrote:
> strlcpy() reads the entire source buffer first.
> This read may exceed the destination size limit.
> This is both inefficient and can lead to linear read
> overflows if a source string is not NUL-terminated [1].
> In an effort to remove strlcpy() completely [2], replace
> strlcpy() here with strscpy().
> No return values were used, so direct replacement is safe.
>
> [1] https://www.kernel.org/doc/html/latest/process/deprecated.html#strlcpy
> [2] https://github.com/KSPP/linux/issues/89
>
> Signed-off-by: Azeem Shaikh <[email protected]>

Reviewed-by: Kees Cook <[email protected]>

--
Kees Cook

2023-06-14 19:01:54

by Kees Cook

[permalink] [raw]
Subject: Re: [PATCH] kallsyms: Replace all non-returning strlcpy with strscpy

On Wed, 14 Jun 2023 01:03:54 +0000, Azeem Shaikh wrote:
> strlcpy() reads the entire source buffer first.
> This read may exceed the destination size limit.
> This is both inefficient and can lead to linear read
> overflows if a source string is not NUL-terminated [1].
> In an effort to remove strlcpy() completely [2], replace
> strlcpy() here with strscpy().
> No return values were used, so direct replacement is safe.
>
> [...]

Applied to for-next/hardening, thanks!

[1/1] kallsyms: Replace all non-returning strlcpy with strscpy
https://git.kernel.org/kees/c/5a5d3a09dd76

--
Kees Cook