2023-07-10 03:14:27

by Azeem Shaikh

[permalink] [raw]
Subject: [PATCH] wifi: mwifiex: Replace strlcpy with strscpy

strlcpy() reads the entire source buffer first.
This read may exceed the destination size limit.
This is both inefficient and can lead to linear read
overflows if a source string is not NUL-terminated [1].
In an effort to remove strlcpy() completely [2], replace
strlcpy() here with strscpy().

Direct replacement is safe here since return value of -errno
is used to check for truncation instead of sizeof(dest).

[1] https://www.kernel.org/doc/html/latest/process/deprecated.html#strlcpy
[2] https://github.com/KSPP/linux/issues/89

Signed-off-by: Azeem Shaikh <[email protected]>
---
drivers/net/wireless/marvell/mwifiex/main.c | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/drivers/net/wireless/marvell/mwifiex/main.c b/drivers/net/wireless/marvell/mwifiex/main.c
index 1cd9d20cca16..8d3c4bcf9c89 100644
--- a/drivers/net/wireless/marvell/mwifiex/main.c
+++ b/drivers/net/wireless/marvell/mwifiex/main.c
@@ -725,9 +725,8 @@ static int mwifiex_init_hw_fw(struct mwifiex_adapter *adapter,
* manufacturing mode is enabled
*/
if (mfg_mode) {
- if (strlcpy(adapter->fw_name, MFG_FIRMWARE,
- sizeof(adapter->fw_name)) >=
- sizeof(adapter->fw_name)) {
+ if (strscpy(adapter->fw_name, MFG_FIRMWARE,
+ sizeof(adapter->fw_name)) < 0) {
pr_err("%s: fw_name too long!\n", __func__);
return -1;
}
--
2.41.0.255.g8b1d071c50-goog




2023-07-13 00:00:53

by Kees Cook

[permalink] [raw]
Subject: Re: [PATCH] wifi: mwifiex: Replace strlcpy with strscpy

On Mon, Jul 10, 2023 at 03:06:25AM +0000, Azeem Shaikh wrote:
> strlcpy() reads the entire source buffer first.
> This read may exceed the destination size limit.
> This is both inefficient and can lead to linear read
> overflows if a source string is not NUL-terminated [1].
> In an effort to remove strlcpy() completely [2], replace
> strlcpy() here with strscpy().
>
> Direct replacement is safe here since return value of -errno
> is used to check for truncation instead of sizeof(dest).
>
> [1] https://www.kernel.org/doc/html/latest/process/deprecated.html#strlcpy
> [2] https://github.com/KSPP/linux/issues/89
>
> Signed-off-by: Azeem Shaikh <[email protected]>

Reviewed-by: Kees Cook <[email protected]>

--
Kees Cook

2023-07-27 16:22:58

by Kees Cook

[permalink] [raw]
Subject: Re: [PATCH] wifi: mwifiex: Replace strlcpy with strscpy


On Mon, 10 Jul 2023 03:06:25 +0000, Azeem Shaikh wrote:
> strlcpy() reads the entire source buffer first.
> This read may exceed the destination size limit.
> This is both inefficient and can lead to linear read
> overflows if a source string is not NUL-terminated [1].
> In an effort to remove strlcpy() completely [2], replace
> strlcpy() here with strscpy().
>
> [...]

Applied, thanks!

[1/1] wifi: mwifiex: Replace strlcpy with strscpy
https://git.kernel.org/kees/c/5469fb73e96d

Best regards,
--
Kees Cook


2023-07-27 16:24:49

by Kalle Valo

[permalink] [raw]
Subject: Re: [PATCH] wifi: mwifiex: Replace strlcpy with strscpy

Kees Cook <[email protected]> writes:

> On Mon, 10 Jul 2023 03:06:25 +0000, Azeem Shaikh wrote:
>> strlcpy() reads the entire source buffer first.
>> This read may exceed the destination size limit.
>> This is both inefficient and can lead to linear read
>> overflows if a source string is not NUL-terminated [1].
>> In an effort to remove strlcpy() completely [2], replace
>> strlcpy() here with strscpy().
>>
>> [...]
>
> Applied, thanks!
>
> [1/1] wifi: mwifiex: Replace strlcpy with strscpy
> https://git.kernel.org/kees/c/5469fb73e96d

And the same question here, why are you taking wifi patches without
acks? And this already fixed differently in wireless-next so our trees
conflict now:

https://git.kernel.org/pub/scm/linux/kernel/git/wireless/wireless-next.git/commit/?id=caf9ead2c7d06fd7aa4cb48bd569ad61db9a0b4a

--
https://patchwork.kernel.org/project/linux-wireless/list/

https://wireless.wiki.kernel.org/en/developers/documentation/submittingpatches

2023-07-27 17:11:04

by Kees Cook

[permalink] [raw]
Subject: Re: [PATCH] wifi: mwifiex: Replace strlcpy with strscpy

On Thu, Jul 27, 2023 at 07:02:31PM +0300, Kalle Valo wrote:
> Kees Cook <[email protected]> writes:
>
> > On Mon, 10 Jul 2023 03:06:25 +0000, Azeem Shaikh wrote:
> >> strlcpy() reads the entire source buffer first.
> >> This read may exceed the destination size limit.
> >> This is both inefficient and can lead to linear read
> >> overflows if a source string is not NUL-terminated [1].
> >> In an effort to remove strlcpy() completely [2], replace
> >> strlcpy() here with strscpy().
> >>
> >> [...]
> >
> > Applied, thanks!
> >
> > [1/1] wifi: mwifiex: Replace strlcpy with strscpy
> > https://git.kernel.org/kees/c/5469fb73e96d
>
> And the same question here, why are you taking wifi patches without
> acks? And this already fixed differently in wireless-next so our trees
> conflict now:
>
> https://git.kernel.org/pub/scm/linux/kernel/git/wireless/wireless-next.git/commit/?id=caf9ead2c7d06fd7aa4cb48bd569ad61db9a0b4a

Thanks for pointing that out! I saw no feedback on Azeem's patch, so it
looked like it was being ignored.

For the patch you linked to -- it's okay to have lost the overflow
detection and warning?

Regardless, I will drop this from my tree.

-Kees

--
Kees Cook