Received: by 2002:a05:7208:9594:b0:7e:5202:c8b4 with SMTP id gs20csp154407rbb; Fri, 23 Feb 2024 15:44:27 -0800 (PST) X-Forwarded-Encrypted: i=3; AJvYcCW0VfJHTpdi9uHV5Sz/kdmC3EKHuhrG34r2vuXU02L2x7FTGV+PEDYYNwdZlpAyM9NraUCUWVGftMblfYrhdVtIzQ8xbOMtXVzBHs7MwA== X-Google-Smtp-Source: AGHT+IG0uYEudM1uTrbbVLHOLvQ7gQboRBFW2UFq66olBCjbJ58W02VQd+TEH+RX5qnUvoeA1I9B X-Received: by 2002:a05:6808:3a0c:b0:3bf:e37a:9250 with SMTP id gr12-20020a0568083a0c00b003bfe37a9250mr1467660oib.18.1708731867377; Fri, 23 Feb 2024 15:44:27 -0800 (PST) ARC-Seal: i=2; a=rsa-sha256; t=1708731867; cv=pass; d=google.com; s=arc-20160816; b=pdDxlwvhcdo3jIUcpgW8IChO7ofQSMVY4rE8eL2fyVrYL4F5/H3CqCI+EYyNMV49gy ZOcXMYcjuhCh3bcxnKoRa3IYhBo8Zk6eou2sQ5a4a9+LEezfkrYbu5kWj8PJfih6GsdZ BLYAuMXhgXeiDz+hGwhbvFYkSEXvor61sJ2PUK/26/h2uydCimWw2rmQX2dVelhojbRV qoeSGLW7gri0scgjcfqs1cU6qeC69von+6L8QwtfUdmXRrJAg2WWOyqAKTUbpL0IL6oW 3rmeWxoPa1uCTLNZP0hXWOsjU3VgCfWiv4N04RB5hwBmctIkbaycfJY33EgBzwc09W/0 iEmQ== ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=in-reply-to:content-transfer-encoding:content-disposition :mime-version:list-unsubscribe:list-subscribe:list-id:precedence :references:message-id:subject:cc:to:from:date:dkim-signature; bh=TG2R+CW7/iYHzGbMjn7YtgeUAnWvwQnPCbApfWV73ww=; fh=3PrHEpYpkMVWOM6jRlc3P7DoPhH2r8FpTzHgejdqFZ0=; b=pPL0QziphtetZESCAK8WP4y4sbdhPvAsIWRlDovmAWleydQeiG6c+Lc/N1tAVLd4mh QwCxRpdMEL7TQgQF8XAo28z5dWQ7Zw5v3VF5Lw4rw2aS+yMh9ayw5ojbDoQ41cOOBQtB 4UVhdAyUjwPEjpFOhqDXs2P4W5BKXfXaEk2lnaW3AB+PdH1LL8sArlTTETh1E8Wm1jZn 1ZXmLGHhoKgM3Vyn/8rgxvZqtDtgaOKXwOyJReLsOnoWH8J6+gbqCqnzh9XQdD0BZk+7 lxf7Cw9p1v/3a3/FSpfs4uJ/m4yZI1yPJs/1+jtswfVNu1vehK6yteNckEQsSsLcKUqh ev5Q==; dara=google.com ARC-Authentication-Results: i=2; mx.google.com; dkim=pass header.i=@chromium.org header.s=google header.b=cYsHNB1L; arc=pass (i=1 spf=pass spfdomain=chromium.org dkim=pass dkdomain=chromium.org dmarc=pass fromdomain=chromium.org); spf=pass (google.com: domain of linux-kernel+bounces-79321-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:45d1:ec00::1 as permitted sender) smtp.mailfrom="linux-kernel+bounces-79321-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=chromium.org Return-Path: Received: from ny.mirrors.kernel.org (ny.mirrors.kernel.org. [2604:1380:45d1:ec00::1]) by mx.google.com with ESMTPS id w16-20020ac857d0000000b0042e6d4c12e1si34885qta.343.2024.02.23.15.44.27 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 23 Feb 2024 15:44:27 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel+bounces-79321-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:45d1:ec00::1 as permitted sender) client-ip=2604:1380:45d1:ec00::1; Authentication-Results: mx.google.com; dkim=pass header.i=@chromium.org header.s=google header.b=cYsHNB1L; arc=pass (i=1 spf=pass spfdomain=chromium.org dkim=pass dkdomain=chromium.org dmarc=pass fromdomain=chromium.org); spf=pass (google.com: domain of linux-kernel+bounces-79321-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:45d1:ec00::1 as permitted sender) smtp.mailfrom="linux-kernel+bounces-79321-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=chromium.org Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ny.mirrors.kernel.org (Postfix) with ESMTPS id 031061C238D0 for ; Fri, 23 Feb 2024 23:44:27 +0000 (UTC) Received: from localhost.localdomain (localhost.localdomain [127.0.0.1]) by smtp.subspace.kernel.org (Postfix) with ESMTP id 44A5A142649; Fri, 23 Feb 2024 23:44:18 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=chromium.org header.i=@chromium.org header.b="cYsHNB1L" Received: from mail-pg1-f180.google.com (mail-pg1-f180.google.com [209.85.215.180]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id D255014DFDB for ; Fri, 23 Feb 2024 23:44:15 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.215.180 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1708731857; cv=none; b=KXayoumJuvjW5ZSW00BELPbLyTiB1uD6sauQ2vqVPx9Gx37qhZyjUQYJtpgDb+tEdNvNYySW4eAHwG767wIWR8FL7/DLEfxq4KtEVD4fxS/30YAEEiuFEEpobHmzohRIAjFk1L2qk6WXkAloyBZf4n9TOeN3sZ1N4y4nLPy9+C8= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1708731857; c=relaxed/simple; bh=z9xaYwJuacSDor4K3Ga1UnNCIeJNKm5H9N5VdBn0L+w=; h=Date:From:To:Cc:Subject:Message-ID:References:MIME-Version: Content-Type:Content-Disposition:In-Reply-To; b=OUqZLRPeROOGz4yHCw9BdmFh2H+86rsegqFjNo2wCz2+nOSYrFkAbwl9DFBb7sRL4/9Nz5KKcvHgbpIGo0aBM0ZOoN3XiZ+TVOUz/hV1UqTVcT1pL1UVhzy2zH0c8//c8uGj0R/+R0frnKrXj624yANDoqsSrV0qXA4sCqvW3fo= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=chromium.org; spf=pass smtp.mailfrom=chromium.org; dkim=pass (1024-bit key) header.d=chromium.org header.i=@chromium.org header.b=cYsHNB1L; arc=none smtp.client-ip=209.85.215.180 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=chromium.org Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=chromium.org Received: by mail-pg1-f180.google.com with SMTP id 41be03b00d2f7-5c6bd3100fcso1080614a12.3 for ; Fri, 23 Feb 2024 15:44:15 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; t=1708731855; x=1709336655; darn=vger.kernel.org; h=in-reply-to:content-transfer-encoding:content-disposition :mime-version:references:message-id:subject:cc:to:from:date:from:to :cc:subject:date:message-id:reply-to; bh=TG2R+CW7/iYHzGbMjn7YtgeUAnWvwQnPCbApfWV73ww=; b=cYsHNB1LS/LlCHW+UmrdOBewb1iptUkyvRMedo2F16nljw+DLSYwHmCOJV0JgBaN8q C9aGkwYQxoX54azzj0xuZzJXB1qizrRr2EgwHnTf/v+MqPTnD6qFrkWmKEy1UCOmoU29 wtAC2NGOAk7sPOCbSJU5O4xAhV67c7cdlF3+Q= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1708731855; x=1709336655; h=in-reply-to:content-transfer-encoding:content-disposition :mime-version:references:message-id:subject:cc:to:from:date :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=TG2R+CW7/iYHzGbMjn7YtgeUAnWvwQnPCbApfWV73ww=; b=Upb7Ala9LSfv3jhNmcjEMBrqvQ1xJNItfQrYPsBq8mg8VSAVdqxJyU7O45dbLensk/ snf+Tj6XUgHz7AD4i4ZoSmguFC/WOn/EWka5833kjPfzK5UgImTtZ6w30OKZqYkAlTYU RCQ53h8amsE0Uhrssf5sNxx5b8KmpSW/FyDpRwgS+PJQEyRwHgk/FElBuWMjfynxA7sT +6pBkvbpuOdOYcuHAAa4KCC0XlKLMGUm7Ci7KP1BcLA315hBlaR1WKe4Cs6pN8OBzpqD t5cdgATPhMdHFpf/o6A9rn9kHnihy2KMSJWKtRc46gBw7S79pYBvs/7CpNRHHLRE+u+5 XOGA== X-Forwarded-Encrypted: i=1; AJvYcCXZ94b57giBIS0L8AtewMhjhqQHIq/QT9rd7C376XVcpOp+UJHNzMl4ShPf3/Ats5VvUrXEyHlQOnLEnV1oIRbu9FwGizwEsOfw3Iia X-Gm-Message-State: AOJu0Yy+Twv+CkFFUq3HyI4BubrWW5A5RmfSNZ29gz9Nn4Eqy4sVAiX/ Hl+rpY+0QdeYcx3UZqyy4W/xkhBC8hes2uAzKRUb4SVZNafRiJyfAG7/eALrOA== X-Received: by 2002:a05:6a21:6801:b0:1a0:aea4:a1fe with SMTP id wr1-20020a056a21680100b001a0aea4a1femr1461775pzb.1.1708731855120; Fri, 23 Feb 2024 15:44:15 -0800 (PST) Received: from www.outflux.net ([198.0.35.241]) by smtp.gmail.com with ESMTPSA id f1-20020a056a000b0100b006e4eb29033asm24889pfu.194.2024.02.23.15.44.14 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 23 Feb 2024 15:44:14 -0800 (PST) Date: Fri, 23 Feb 2024 15:44:14 -0800 From: Kees Cook To: Justin Stitt Cc: Kees Cook , James Smart , Dick Kennedy , "James E.J. Bottomley" , "Martin K. Petersen" , linux-scsi@vger.kernel.org, linux-kernel@vger.kernel.org, linux-hardening@vger.kernel.org Subject: Re: [PATCH] scsi: lpfc: replace deprecated strncpy with strscpy Message-ID: <202402231539.BA96B7F0@keescook> References: <20240222-strncpy-drivers-scsi-lpfc-lpfc_ct-c-v1-1-20c685bd1b43@google.com> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Disposition: inline Content-Transfer-Encoding: 8bit In-Reply-To: On Fri, Feb 23, 2024 at 12:02:22PM -0800, Justin Stitt wrote: > Hi, > > On Wed, Feb 21, 2024 at 6:38 PM Kees Cook wrote: > > > > > > > > On February 21, 2024 4:41:52 PM PST, Justin Stitt wrote: > > >strncpy() is deprecated for use on NUL-terminated destination strings > > >[1] and as such we should prefer more robust and less ambiguous string > > >interfaces. > > > > > >We expect ae->value_string to be NUL-terminated because there's a > > >comment that says as much; these attr strings are also used with other > > >string APIs, further cementing the fact. > > > > > >Now, the question of whether or not to NUL-pad the destination buffer: > > >lpfc_fdmi_rprt_defer() initializes vports (all zero-initialized), then > > >we call lpfc_fdmi_cmd() with each vport and a mask. Then, inside of > > >lpfc_fdmi_cmd() we check each bit in the mask to invoke the proper > > >callback. Importantly, the zero-initialized vport is passed in as the > > >"attr" parameter. Seeing this: > > >| struct lpfc_fdmi_attr_string *ae = attr; > > >... we can tell that ae->value_string is entirely zero-initialized. Due > > >to this, NUL-padding is _not_ required as it would be redundant. > > > > > >Conveniently, strscpy also returns the number of bytes copied into the > > >destination buffer, eliminating the need for strnlen! > > > > > >Considering the above, a suitable replacement is `strscpy` [2]. > > > > > >Link: https://www.kernel.org/doc/html/latest/process/deprecated.html#strncpy-on-nul-terminated-strings [1] > > >Link: https://manpages.debian.org/testing/linux-manual-4.8/strscpy.9.en.html [2] > > >Link: https://github.com/KSPP/linux/issues/90 > > >Cc: linux-hardening@vger.kernel.org > > >Signed-off-by: Justin Stitt > > >--- > > > drivers/scsi/lpfc/lpfc_ct.c | 5 ++--- > > > 1 file changed, 2 insertions(+), 3 deletions(-) > > > > > >diff --git a/drivers/scsi/lpfc/lpfc_ct.c b/drivers/scsi/lpfc/lpfc_ct.c > > >index baae1f8279e0..42594ec87290 100644 > > >--- a/drivers/scsi/lpfc/lpfc_ct.c > > >+++ b/drivers/scsi/lpfc/lpfc_ct.c > > >@@ -2569,9 +2569,8 @@ lpfc_fdmi_set_attr_string(void *attr, uint16_t attrtype, char *attrstring) > > > * 64 bytes or less. > > > */ > > > > > >- strncpy(ae->value_string, attrstring, sizeof(ae->value_string)); > > >- len = strnlen(ae->value_string, sizeof(ae->value_string)); > > >- /* round string length to a 32bit boundary. Ensure there's a NULL */ > > >+ len = strscpy(ae->value_string, attrstring, sizeof(ae->value_string)); > > > > This could be < 0 on error, and at least lpfc_fdmi_hba_attr_os_ver() may present more than 64 bytes... > > Am I putting too much faith in this comment? > > static inline int lpfc_fdmi_set_attr_string(void *attr, uint16_t > attrtype, char *attrstring) > ... > /* > * We are trusting the caller that if a fdmi string field > * is capped at 64 bytes, the caller passes in a string of > * 64 bytes or less. > */ This comment is clearly wrong, given lpfc_fdmi_hba_attr_os_ver(). :) But I feel like I'm misunderstanding it since it was added by the same commit that added the 256-byte callers, commit 045c58c87560 ("scsi: lpfc: Rework FDMI attribute registration for unintential padding") > > I see lpfc_fdmi_hba_attr_os_ver() calls lpfc_fdmi_set_attr_string() > with an attrstring sized at 256 bytes: > char buf[256] = { 0 }; > > Can we really return -E2BIG from strscpy() if the dest buffer is the > same size as the source buffer? I see my confusion: I didn't check the size of ae->value_string, which I assumed was 64 bytes. But it's 256, so in theory we can't overflow. > I'm happy to just make the standard strncpy -> strscpy replacement and > drop the len assignment. Let me know what you think, Kees. For robustness, let's leave the strlen() in place... -- Kees Cook