Received: by 2002:a05:6a10:1287:0:0:0:0 with SMTP id d7csp2097512pxv; Sat, 24 Jul 2021 05:24:10 -0700 (PDT) X-Google-Smtp-Source: ABdhPJwq6ALLalEUwc+BSz9eGEDAJR4T7AePoyoLfycZJ43CVKrG2JmQDO4/UGYjgWsMrnxcHSr0 X-Received: by 2002:a17:906:844d:: with SMTP id e13mr8921151ejy.503.1627129450757; Sat, 24 Jul 2021 05:24:10 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1627129450; cv=none; d=google.com; s=arc-20160816; b=bbQfm8EIA+QhOM1s75JD8gmqsPLbQQ906Puyc76mLskbvvm9OfaitdBAr/FPRanO79 CS74DVcESOwGYhlV+hrVUqyI6cF4HcrcYTgpFHTLMcXDB6JIJpW4hhTbIN1EP/a0E9HF fApsPWSgxIYO14QN3iQH4hgbG+WPk+6f7OR5sdphSyM/5kcmTKYhGuEl5lVIX+HRkR7/ uN5PE8Z7Y9E+RVplNBfNe9IUhMDpAtwjTv6Hil8F8Nh40CZGjxqNWxFSGcsAKiCFORB4 Kjlkz6Zv7df0u0ZaDej9/+vwx+umUT/P0wNLksGSagGe+UBAEn4ShHxKF1IKbnwUwD1E rnOA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :message-id:date:subject:cc:to:from:dkim-signature; bh=W7Pygvwfm8JLMUFx4szYCnjn8TbkoYAmQiYgBlLA1vA=; b=bnSNLBFeye0d7QczpXW9OdlLHyila2K13arEadsEwLDbAoQnD9MDcAv5uUsP2ZrMgk UFuiANi0f0SRFxw0KR/0Eaf37zQgnTnKgPUDD+0so9vTQrMQbdS6eFTm8OElPq8ZpIeG jVmKlr7IoFcUhRAmgq11uaFstY9ZZ2CEuKYcjU1q10Jw/MfLA0QZrQ/BJTvkvZ2jGDZ0 YU/g6y/cQtTxQPjpjUwBCoLVCd94XL7c/+up9M9FVNLv4/uBP2g5AUlFD3i4MQPl3zcp Sz8WOdpqHiKl3BOchxd7/bxXX7oxXSdR1dveYy/M2m+ToAqesr/crna0fOChS14V0+E5 Swzg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@gmx.net header.s=badeba3b8450 header.b="bT9i9lP/"; spf=pass (google.com: domain of linux-bluetooth-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-bluetooth-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=gmx.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id y11si15796995ejr.504.2021.07.24.05.23.38; Sat, 24 Jul 2021 05:24:10 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-bluetooth-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@gmx.net header.s=badeba3b8450 header.b="bT9i9lP/"; spf=pass (google.com: domain of linux-bluetooth-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-bluetooth-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=gmx.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S232079AbhGXLll (ORCPT + 99 others); Sat, 24 Jul 2021 07:41:41 -0400 Received: from mout.gmx.net ([212.227.17.22]:50909 "EHLO mout.gmx.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S231993AbhGXLll (ORCPT ); Sat, 24 Jul 2021 07:41:41 -0400 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=gmx.net; s=badeba3b8450; t=1627129330; bh=+TaYaR257ozdshQtS3WXdm4kpGQ/mYuT4adntj9dZDY=; h=X-UI-Sender-Class:From:To:Cc:Subject:Date; b=bT9i9lP/InlqryozYGyHe4lmQHhXjUlvWRRMaUpGg4OCcUA/vFIiuNGdBq51WhQ5Z 1JgT4+bA4f5okfTR34YelgzLESEyeqcKiJEVXF61uIC09ndFU3edDy/JDtDHoHMbu+ QgCRddmwVNnoLrSS41sQECl2+BYGwJnNBv9CswlM= X-UI-Sender-Class: 01bb95c1-4bf8-414a-932a-4f6e2808ef9c Received: from localhost.localdomain ([83.52.228.41]) by mail.gmx.net (mrgmx104 [212.227.17.174]) with ESMTPSA (Nemesis) id 1M6DWi-1m0h5e0o1I-006gAx; Sat, 24 Jul 2021 14:22:10 +0200 From: Len Baker To: Kees Cook , Marcel Holtmann , Johan Hedberg , Luiz Augusto von Dentz Cc: Len Baker , Adam Sampson , linux-bluetooth@vger.kernel.org, linux-kernel@vger.kernel.org, linux-hardening@vger.kernel.org Subject: [PATCH v2] drivers/bluetooth: Remove all strcpy() uses Date: Sat, 24 Jul 2021 14:21:52 +0200 Message-Id: <20210724122152.7133-1-len.baker@gmx.com> X-Mailer: git-send-email 2.25.1 MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable X-Provags-ID: V03:K1:Hm/ltCsIDwdfostYMasJW+pVyd6MwCTeYo7M76GOcqZWmlJx65k iJrCA36FnpXehauOo6MZUu593MJwh0Mc+gnHGGgOswqVsDcF1jFwH8UCeTM+kR6Q8JL4Agt JPULsIfNDK5PyjfE+HcYLsGffN5NLI+6Au2eqW5Rl8i5h/7Bc1XyEUslK2jbBXGEHGyB4Ub YPKJDZoS5Iv7t8RboZ0+w== X-Spam-Flag: NO X-UI-Out-Filterresults: notjunk:1;V03:K0:u08/bVCs2Ew=:V8u3M2AOPSIWZn0otgm7Tz iKQMhvkF5FdURooAExnnfd4YL2eeocfZckFgPSmx79pjr9yqK0FWOPxP6JNYZpD7hFuArBAoU GJ+tDAaPhGCRIEvBzTz5UlKILfKsJ5DSnjU19jcHPv0wrarpexPZTggx/cwrTqDCohSNRCPIE 2csIoYpnPftArqUfK7CuTpMIy+w4MY0fIFNer2c58dUQweesjwzYULqWnluQGg4UbvUPXxbNd JrswwG8n6BAZNm81+AmG9s2uRDnMTzaF8/XGIYWJiAwA1aKFN4F7E3QP8BQIvMPFs1pWR1rGW cDhBiKidzKZX5TTk14Z5YRnCqtzVoXn2faaSam0LDSCgcSvJWMI0USPUEardujmIYn3uUc2Bs AzFOA56kh5AHycnRQhIr+G0SAgQDME3y10M61vlB4glx5t/F9gAhvj7rJ4C+EBi5qNzhClr/S auWtLdmKLb3PANr08rGfyaFBSiZq80uIlg6EmYkPrBWhXz0dO8PoS6E2JAB312B2+DQwz9j0l 7YkTFqCOSdGlBaeAJGNgzBjWqv8EKr+VjIBVKdE4xd7RGo3jEkqnPfeJfGMakTZSG45vCHz2d tdINvwfLa7plyVGITyWiVZB0ZcBqc3P6dYT69tZboCcvoYuDPp3ENjCriZqsZBi+sU4fvtts9 RgsUOLAPzfdtEqEwYPYguPGgd4qgbuHjuU1o1bF4D7YtwKnXLdqX0SWqT6gG5MiBVeevLUYMP toJPAA15O68Nr/87/A8yyq8sw1mPkCkzfzNpZr379nCuIJCk/HJREhdL/olJATbnE8zT5TTCO wKH9zn+Xvu7Cou62GP0C2amZ3BLsdbYe+XZfp+QdACPZZ+kNXbrjUSbE9uHuis4V846rIUuOa zKRQlq0c3vO2GGgE5zDhaTVd/arG7I9VUmVQ8Y2TrmfcPgLakMb6gIE68JbZEZvYjNLMcAFZ7 /jBXmFTUZOrOupm74HBa5fDf3cwsdNrcE6OwEjNcQ11Qh8At1f4YkT1w4v/xXViGPkvC2bvgW tNpw+QMHowQJ1mRw12y6ugTH0+ESdH2ioO7eyQYAH51yULMGd7a3ZPKEzt3khqI1MHpAUVtyk 7tFEpWwOrA0l7XtoIqNVSVM88lxARD/gbQt Precedence: bulk List-ID: X-Mailing-List: linux-bluetooth@vger.kernel.org strcpy() performs no bounds checking on the destination buffer. This could result in linear overflows beyond the end of the buffer, leading to all kinds of misbehaviors. The safe replacement is strscpy() but in this case it is better to use the scnprintf to simplify the arithmetic. This is a previous step in the path to remove the strcpy() function entirely from the kernel. Signed-off-by: Len Baker =2D-- Changelog v1 -> v2 - Add spaces to the "plus" sign. - Use the correct size for the fw_dump_ptr buffer (Adam Sampson) drivers/bluetooth/btmrvl_sdio.c | 29 ++++++++++++++--------------- 1 file changed, 14 insertions(+), 15 deletions(-) diff --git a/drivers/bluetooth/btmrvl_sdio.c b/drivers/bluetooth/btmrvl_sd= io.c index cddd350beba3..68378b42ea7f 100644 =2D-- a/drivers/bluetooth/btmrvl_sdio.c +++ b/drivers/bluetooth/btmrvl_sdio.c @@ -1350,6 +1350,7 @@ static void btmrvl_sdio_coredump(struct device *dev) u8 *dbg_ptr, *end_ptr, *fw_dump_data, *fw_dump_ptr; u8 dump_num =3D 0, idx, i, read_reg, doneflag =3D 0; u32 memory_size, fw_dump_len =3D 0; + int size =3D 0; card =3D sdio_get_drvdata(func); priv =3D card->priv; @@ -1478,7 +1479,7 @@ static void btmrvl_sdio_coredump(struct device *dev) if (fw_dump_len =3D=3D 0) return; - fw_dump_data =3D vzalloc(fw_dump_len+1); + fw_dump_data =3D vzalloc(fw_dump_len + 1); if (!fw_dump_data) { BT_ERR("Vzalloc fw_dump_data fail!"); return; @@ -1493,20 +1494,18 @@ static void btmrvl_sdio_coredump(struct device *de= v) struct memory_type_mapping *entry =3D &mem_type_mapping_tbl[idx]; if (entry->mem_ptr) { - strcpy(fw_dump_ptr, "=3D=3D=3D=3D=3D=3D=3D=3DStart dump "); - fw_dump_ptr +=3D strlen("=3D=3D=3D=3D=3D=3D=3D=3DStart dump "); - - strcpy(fw_dump_ptr, entry->mem_name); - fw_dump_ptr +=3D strlen(entry->mem_name); - - strcpy(fw_dump_ptr, "=3D=3D=3D=3D=3D=3D=3D=3D\n"); - fw_dump_ptr +=3D strlen("=3D=3D=3D=3D=3D=3D=3D=3D\n"); - - memcpy(fw_dump_ptr, entry->mem_ptr, entry->mem_size); - fw_dump_ptr +=3D entry->mem_size; - - strcpy(fw_dump_ptr, "\n=3D=3D=3D=3D=3D=3D=3D=3DEnd dump=3D=3D=3D=3D=3D= =3D=3D=3D\n"); - fw_dump_ptr +=3D strlen("\n=3D=3D=3D=3D=3D=3D=3D=3DEnd dump=3D=3D=3D= =3D=3D=3D=3D=3D\n"); + size +=3D scnprintf(fw_dump_ptr + size, + fw_dump_len + 1 - size, + "=3D=3D=3D=3D=3D=3D=3D=3DStart dump %s=3D=3D=3D=3D=3D=3D=3D=3D\n", + entry->mem_name); + + memcpy(fw_dump_ptr + size, entry->mem_ptr, + entry->mem_size); + size +=3D entry->mem_size; + + size +=3D scnprintf(fw_dump_ptr + size, + fw_dump_len + 1 - size, + "\n=3D=3D=3D=3D=3D=3D=3D=3DEnd dump=3D=3D=3D=3D=3D=3D=3D=3D\n"); vfree(mem_type_mapping_tbl[idx].mem_ptr); mem_type_mapping_tbl[idx].mem_ptr =3D NULL; =2D- 2.25.1