Received: by 2002:a05:7412:6592:b0:d7:7d3a:4fe2 with SMTP id m18csp646131rdg; Thu, 10 Aug 2023 14:53:07 -0700 (PDT) X-Google-Smtp-Source: AGHT+IGrCN6ifpjRnGvPYQG7wuHC3H4e0GXYKqSk+YiBlyORDM5y/PK8VIWAPQRavRM0XTfPtCc7 X-Received: by 2002:a05:6402:12d5:b0:523:bfec:4909 with SMTP id k21-20020a05640212d500b00523bfec4909mr213685edx.7.1691704386837; Thu, 10 Aug 2023 14:53:06 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1691704386; cv=none; d=google.com; s=arc-20160816; b=wOFp+twtPuyrt42JzvlkTivTnJI9OBeAtwaBC4oWOnpa4HzKPnxwxLF3KLg5DACh18 rsIPN4pDyUyHGbMHp9ahRM5aBQ6JduQlA7LyDU5OOOnnP38LxFrRuQgzEa7SDSgXkTpo Srnmosd/ddEZGVVDk9ko11tLaDBm5VSQ/HpbOCarmbagSb19829DVpvCIeuRLC4qZhdX H32088iMqDK/WqRTFOoDsuiqsU7vjhWwvtmuSPSeFCCt1OKKhxpwHi8RpfIbT8PR3Cn5 Hr1O6hkbzDW81LktAAWQ7UNH6FJrmsh7hDu6sY5TEEUAesyRzHYgGgzUK4q3OhMq1w1I Gr3g== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:cc:to:subject :message-id:date:from:in-reply-to:references:mime-version :dkim-signature; bh=mB5FHvaw40P9yBP+ozNkgvaUvFsznWaEsCNsx7UegGc=; fh=zUo8esi0cVZp+hWU29ClQFUg1BVP93th3pi6/F5QwFc=; b=GPEdic8VyiV+z+Qiq574vHG/ZnU/ngaxO8kciz8zllCtz6GCbOYI5VGFaL7OybpmKi es3QGIS0NAl4U8ytlzrjmfIoa6iSzn/ZPeGusFUBulVrrsN2HWjXoe9XFvWaZ9gyLtsq ndYMETya6H7/iPOUEVMNl5jGmxLNpaZYm6AaIOrR7rASidTYybBoLDfw6quoyxaQrWhc 094JmE5aBgaVAZ/9qC1xoL/Z457LGBnwxBknHop+p5Ucan41AjhKkcBNkP5xb6rIMjFp aMuFmoIynoL46DPRYzcl0xssthszLVQwH0NJqu3zeaNl+IjhShCyy5jCdCmVhN5C0kMY W0Bg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@google.com header.s=20221208 header.b=SipkOJu9; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id z19-20020aa7cf93000000b005234a115ba9si2202710edx.480.2023.08.10.14.52.42; Thu, 10 Aug 2023 14:53:06 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@google.com header.s=20221208 header.b=SipkOJu9; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S229896AbjHJVR6 (ORCPT + 99 others); Thu, 10 Aug 2023 17:17:58 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:35292 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229889AbjHJVRz (ORCPT ); Thu, 10 Aug 2023 17:17:55 -0400 Received: from mail-lf1-x12b.google.com (mail-lf1-x12b.google.com [IPv6:2a00:1450:4864:20::12b]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 570062738 for ; Thu, 10 Aug 2023 14:17:55 -0700 (PDT) Received: by mail-lf1-x12b.google.com with SMTP id 2adb3069b0e04-4fe8c3b5ca0so2078562e87.1 for ; Thu, 10 Aug 2023 14:17:55 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20221208; t=1691702273; x=1692307073; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:from:to:cc:subject:date :message-id:reply-to; bh=mB5FHvaw40P9yBP+ozNkgvaUvFsznWaEsCNsx7UegGc=; b=SipkOJu9CvcAS02mXC7GaemEiJBBqKhJmFyQFkYw943BmDUzmE7hk1WoIh4iJ5LJDO 5WKJMoRrgWYaf1hIsQTB1Kg0XrbHspHcJfySFlcFbmSComEuMjWmEE5cITAys2FdLwxO NmvxPIuVWWClRGwPuuweVWsASSMUR3NCOnhy0ZNeN7FAOeKDlBzMnw/GckW7MnPfOGDz PdjYtOz6cDwShSPinaze+oKFYA06doDu2J9pTmhPUDR6DLTmkVVZyrYS4maAwMWrsHTj 3deJGULAMRatIHVxcoNsHi0FOI/6YzMwc/+QujX7XcJaG4xpShRMX5KVd+jwL2x39Ttv oMqg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1691702273; x=1692307073; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=mB5FHvaw40P9yBP+ozNkgvaUvFsznWaEsCNsx7UegGc=; b=jdlcEdX3XbFWFRgqxIMnI1pcNbwlEU8Y0f6+ZfXiiC8xLXW/6TWFMsxeZuH2u0a9xV gx2Tm3Qo9vTvjNWYIPbMzwMoGq+mxGxFszm8kwdCz16KuFy80AVNkYyrZO4+/H/CCj4i G3nsE40Zz3rmFvxpwieCFeo0Pa23XkgA8bkjDK9I9r73m7txe5Tyy/CB6p5PN6p8DwR1 hIp4o2EKt0J+LB5ziB/ao9vfHfWxZIc6yoAVLVQX1PVIxRCzIYQuYPpOEgTK+46vZAPd ML3SVT8psbsh+0mHaOajKVlaMPhIosEr/YxT+VtLhlaNcGgnfaRq3Z+BU3ii5eJwj+oq jKEw== X-Gm-Message-State: AOJu0YwgNcrbYGAoJC4jxLb1jzWCkDYgxnTnlgZ4RCotnFOYjYPTj3B+ PuLu19h5WJNMC8WWPF+Ekl3PUtEF9t2aqAYV3VRT0Q== X-Received: by 2002:a05:6512:3256:b0:4f3:b588:48d0 with SMTP id c22-20020a056512325600b004f3b58848d0mr2615647lfr.14.1691702273438; Thu, 10 Aug 2023 14:17:53 -0700 (PDT) MIME-Version: 1.0 References: <20230810-strncpy-arch-arm64-v1-1-f67f3685cd64@google.com> <202308101155.81497C5B@keescook> <202308101257.47E6ACBD5@keescook> In-Reply-To: <202308101257.47E6ACBD5@keescook> From: Justin Stitt Date: Thu, 10 Aug 2023 14:17:41 -0700 Message-ID: Subject: Re: [PATCH] arm64/sysreg: refactor deprecated strncpy To: Kees Cook Cc: Catalin Marinas , Will Deacon , linux-arm-kernel@lists.infradead.org, linux-kernel@vger.kernel.org, linux-hardening@vger.kernel.org Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable X-Spam-Status: No, score=-17.6 required=5.0 tests=BAYES_00,DKIMWL_WL_MED, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF, ENV_AND_HDR_SPF_MATCH,RCVD_IN_DNSWL_BLOCKED,SPF_HELO_NONE,SPF_PASS, USER_IN_DEF_DKIM_WL,USER_IN_DEF_SPF_WL autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Thu, Aug 10, 2023 at 12:58=E2=80=AFPM Kees Cook = wrote: > > On Thu, Aug 10, 2023 at 12:25:37PM -0700, Justin Stitt wrote: > > On Thu, Aug 10, 2023 at 12:00=E2=80=AFPM Kees Cook wrote: > > > > > > On Thu, Aug 10, 2023 at 06:39:03PM +0000, Justin Stitt wrote: > > > > `strncpy` is deprecated for use on NUL-terminated destination strin= gs > > > > [1]. Which seems to be the case here due to the forceful setting of= `buf`'s > > > > tail to 0. > > > > > > Another note to include in these evaluations would be "does the > > > destination expect to be %NUL padded?". Here, it looks like no, as al= l > > > the routines "buf" is passed to expect a regular C string (padding > > > doesn't matter). > > > > > > > > > > > A suitable replacement is `strscpy` [2] due to the fact that it > > > > guarantees NUL-termination on its destination buffer argument which= is > > > > _not_ the case for `strncpy`! > > > > > > > > In this case, there is some behavior being used in conjunction with > > > > `strncpy` that `strscpy` already implements. This means we can drop= some > > > > of the extra stuff like `... -1` and `buf[len] =3D 0` > > > > > > > > This should have no functional change and yet uses a more robust an= d > > > > less ambiguous interface whilst reducing code complexity. > > > > > > > > Link: www.kernel.org/doc/html/latest/process/deprecated.html#strncp= y-on-nul-terminated-strings[1] > > > > Link: https://manpages.debian.org/testing/linux-manual-4.8/strscpy.= 9.en.html [2] > > > > Link: https://github.com/KSPP/linux/issues/90 > > > > Cc: linux-hardening@vger.kernel.org > > > > > > > > Signed-off-by: Justin Stitt > > > > --- > > > > For reference, see a part of `strscpy`'s implementation here: > > > > > > > > | /* Hit buffer length without finding a NUL; force NUL-termina= tion. */ > > > > | if (res) > > > > | dest[res-1] =3D '\0'; > > > > > > > > Note: compile tested > > > > --- > > > > arch/arm64/kernel/idreg-override.c | 5 ++--- > > > > 1 file changed, 2 insertions(+), 3 deletions(-) > > > > > > > > diff --git a/arch/arm64/kernel/idreg-override.c b/arch/arm64/kernel= /idreg-override.c > > > > index 2fe2491b692c..482dc5c71e90 100644 > > > > --- a/arch/arm64/kernel/idreg-override.c > > > > +++ b/arch/arm64/kernel/idreg-override.c > > > > @@ -262,9 +262,8 @@ static __init void __parse_cmdline(const char *= cmdline, bool parse_aliases) > > > > if (!len) > > > > return; > > > > > > > > - len =3D min(len, ARRAY_SIZE(buf) - 1); > > > > - strncpy(buf, cmdline, len); > > > > - buf[len] =3D 0; > > > > + len =3D min(len, ARRAY_SIZE(buf)); > > > > + strscpy(buf, cmdline, len); Perhaps keeping the `... - 1` is good because we then don't have to check strlen immediately after. This does still silently truncate but didn't the previous `strncpy` also do that? > > > > > > This, however, isn't correct: "cmdline" will be incremented by "leN" > > > later, and we want a count of the characters copied into "buf", even = if > > > they're truncated. I think this should be: > > > > > > strscpy(buf, cmdline, ARRAY_SIZE(buf)); > > > len =3D strlen(buf); > > > > > Thoughts on using the return value from `strscpy` here? > > This code seems to silently accept truncation, so -E2BIG will cause a > problem if it only looks at the return value. > > -Kees > > -- > Kees Cook