Received: by 2002:a25:e74b:0:0:0:0:0 with SMTP id e72csp1565041ybh; Tue, 14 Jul 2020 00:53:15 -0700 (PDT) X-Google-Smtp-Source: ABdhPJykWb8jM67aElk58QHouETCrtIikqmb4TzDc3BkeGEMckvgzW8frM7cx/mfuyLEAM4RHWnF X-Received: by 2002:a17:906:6406:: with SMTP id d6mr3313625ejm.30.1594713195029; Tue, 14 Jul 2020 00:53:15 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1594713195; cv=none; d=google.com; s=arc-20160816; b=vysyGN8njxK440CrfOayzutXq8O9U/aYsT0B3nz8z2EoQLVEbGn1pcOHvKIZUyY7/f GUHh6JrNbIv1DaYLIPsDjG0oizjm+n4NBSfGRnVBKJW68BIpG7xk8yLf+dgHHETey29i LR7EG5gMgWsATJkZKGlweP5RIzhKaTyoFKPwka/+Z79qwYPaffX2+Zq7P7LIUDT+wHfn lD49nfIVbufmx4SOIypBp8IDZcOhJYdne4RjrqoPstY0m2I4P6CncmvDgbe80TAlDW+D QZTxCyzEhE/oTWEjkD4kVfsVolpz6HwuxdlRJF7gZVKsmuKnpRf1p2RmdFLcEO0Vzrr3 kSLA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:cc:to:subject :message-id:date:from:in-reply-to:references:mime-version; bh=JKKFYCNbrHcntMKmomghUJmGw3PeibTvXyRYrVoghbU=; b=EZZ7mtgRVyaCASVQChe0a/s2W0KYHwgtvhqncFvOamBBj49OCk/zpZgKNnIWsU4N/s sS3uWgP/K0HGWaMJzZY7HdIqQjrSwcBILiWvCshBmV9dY6KtCxx47cImSdkaAa2VNhh+ grCtIkyZEhSfrpN4E+reuYrqC4V9Tsu7Qe784eJf8ZZAlUgTS4O72mjJq0AmOpKhrsQt v4nO41wSuShvTc7/k1lp9yxtgzh7UAQedpru3KqG3YCjEsGQqg0ca2HswNOCVNtHSzsN HIed4qEP9VpdArlEU/yEUgy0NMIDaM2Caci1+MCI0RKjGCl/SJMU0JDJbV6+ACB+XW9/ 3OAA== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id d18si10640632edy.194.2020.07.14.00.52.51; Tue, 14 Jul 2020 00:53:15 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726414AbgGNHwi convert rfc822-to-8bit (ORCPT + 99 others); Tue, 14 Jul 2020 03:52:38 -0400 Received: from mail-ot1-f66.google.com ([209.85.210.66]:40622 "EHLO mail-ot1-f66.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1725801AbgGNHwh (ORCPT ); Tue, 14 Jul 2020 03:52:37 -0400 Received: by mail-ot1-f66.google.com with SMTP id c25so12363325otf.7 for ; Tue, 14 Jul 2020 00:52:36 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc:content-transfer-encoding; bh=GnEuOKgk5NDFLsvpeWRSzwDF6EpvyIkpFCLXT7y40fg=; b=Ru/EkcpZp5Q1sliZV8lhYgDjQpdie0MgXwvYsd9HTupHaPEyt7LyL3WKF+oa4w5S7p i/d9EJzxp+WxYpbfNpvyek0itowNn9UBUkKXjYl4XafDc/jJ49Q5VpVdFUxJ53KNiu1K lPyqgvqNw20/48kmiPMY9Iq1KkeSTx0hcTghfHRzDJExReQIxFJ6mVZ/IHjnx68VZvr6 KTY33zfTS2ELlNLvSdJxlJygHWydjd93Gnjhr32P1OchN3QvOZvDzkR5To6dAU+TVoVn 2PCcPBusnXhORWn/eKWqtZUxqc2+y+9JM41UuHw0l285nRH9VO327orkS8Mo471Hjt+Q BAcQ== X-Gm-Message-State: AOAM532XQPRZUTqBvec6BHeqqZYXNTMqiW0l0Gmtz7ORyGG36a1UgQDn sxvYcLLbWqiXxij1f0U5py6YLfkrK7CJP4Qs1tE= X-Received: by 2002:a9d:1b0d:: with SMTP id l13mr2954831otl.145.1594713156044; Tue, 14 Jul 2020 00:52:36 -0700 (PDT) MIME-Version: 1.0 References: <20200626130525.389469-1-lee.jones@linaro.org> <20200626130525.389469-2-lee.jones@linaro.org> <20200714074629.GG3500@dell> In-Reply-To: <20200714074629.GG3500@dell> From: Geert Uytterhoeven Date: Tue, 14 Jul 2020 09:52:24 +0200 Message-ID: Subject: Re: [PATCH 01/10] misc: c2port: core: Ensure source size does not equal destination size in strncpy() To: Lee Jones Cc: Arnd Bergmann , Greg KH , "Eurotech S.p.A" , Rodolfo Giometti , Linux Kernel Mailing List , Linux ARM Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: 8BIT Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Hi Lee, On Tue, Jul 14, 2020 at 9:46 AM Lee Jones wrote: > On Mon, 13 Jul 2020, Geert Uytterhoeven wrote: > > On Fri, Jun 26, 2020 at 3:06 PM Lee Jones wrote: > > > We need to ensure there's a place for the NULL terminator. > > > > But who's filling that space with a NUL (not NULL) terminator? > > > > > Fixes the following W=1 warning(s): > > > > > > In file included from include/linux/bitmap.h:9, > > > from include/linux/nodemask.h:95, > > > from include/linux/mmzone.h:17, > > > from include/linux/gfp.h:6, > > > from include/linux/umh.h:4, > > > from include/linux/kmod.h:9, > > > from include/linux/module.h:16, > > > from drivers/misc/c2port/core.c:9: > > > In function ‘strncpy’, > > > inlined from ‘c2port_device_register’ at drivers/misc/c2port/core.c:926:2: > > > include/linux/string.h:297:30: warning: ‘__builtin_strncpy’ specified bound 32 equals destination size [-Wstringop-truncation] > > > 297 | #define __underlying_strncpy __builtin_strncpy > > > | ^ > > > include/linux/string.h:307:9: note: in expansion of macro ‘__underlying_strncpy’ > > > 307 | return __underlying_strncpy(p, q, size); > > > | ^~~~~~~~~~~~~~~~~~~~ > > > > > > Cc: Rodolfo Giometti > > > Cc: "Eurotech S.p.A" > > > Signed-off-by: Lee Jones > > > --- > > > drivers/misc/c2port/core.c | 2 +- > > > 1 file changed, 1 insertion(+), 1 deletion(-) > > > > > > diff --git a/drivers/misc/c2port/core.c b/drivers/misc/c2port/core.c > > > index 33bba18022892..80d87e8a0bea9 100644 > > > --- a/drivers/misc/c2port/core.c > > > +++ b/drivers/misc/c2port/core.c > > > @@ -923,7 +923,7 @@ struct c2port_device *c2port_device_register(char *name, > > > } > > > dev_set_drvdata(c2dev->dev, c2dev); > > > > c2dev is allocated using: > > > > c2dev = kmalloc(sizeof(struct c2port_device), GFP_KERNEL); > > > > hence the allocated memory is not zeroed. > > > > > > > > - strncpy(c2dev->name, name, C2PORT_NAME_LEN); > > > + strncpy(c2dev->name, name, C2PORT_NAME_LEN - 1); > > > > strncpy() > > 1. does not terminate the destination with a NUL if the source length > > is C2PORT_NAME_LEN - 1, > > 2. fills all remaining space in the destination buffer with NUL characters. > > > > So c2dev.name[C2PORT_NAME_LEN - 1] always contains an uninitialized > > value. > > > > Now, it seems the only caller of c2port_device_register() passes > > "uc" as the name. Which means in practice c2dev.name[] will be > > NUL-terminated. However, the last byte will still be uninitialized, and > > if the buffer is ever copied to userspace, your patch will have introduced > > a leak. > > Quite right. Good spot. I must have made the assumption that the > destination buffer would be pre-initialised. Not sure why it's not in > this case. Seems like an odd practice. > > So we have a choice. We can either enlarge the destination buffer to > *actually* allow a full length (32 byte in this case) naming string, > or zero the buffer. > > Or even both! > > Do you have a preference? Do we know if the buffer or full c2dev struct is ever copied to userspace? If it may be copied => kalloc(). If it will never be copied => strlcpy() (no NUL-padding, only NUL-terminator). Oh, and there is a newer one on the block (which I always have to lookup), which is preferred over strlcpy() and strncpy(): strscpy(). And reading lib/string.c, there's strscpy_pad(), too ;-) Gr{oetje,eeting}s, Geert -- Geert Uytterhoeven -- There's lots of Linux beyond ia32 -- geert@linux-m68k.org In personal conversations with technical people, I call myself a hacker. But when I'm talking to journalists I just say "programmer" or something like that. -- Linus Torvalds