crypto: hisilicon - fix strncpy warning with strlcpy

Message ID 1591241524-6452-1-git-send-email-zhangfei.gao@linaro.org (mailing list archive)
State Changes Requested
Delegated to: Herbert Xu
Series: crypto: hisilicon - fix strncpy warning with strlcpy

Commit Message

Zhangfei Gao June 4, 2020, 3:32 a.m. UTC
Use strlcpy to fix the warning
warning: 'strncpy' specified bound 64 equals destination size
         [-Wstringop-truncation]

Reported-by: kernel test robot <lkp@intel.com>
Signed-off-by: Zhangfei Gao <zhangfei.gao@linaro.org>
---
 drivers/crypto/hisilicon/qm.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Comments

Herbert Xu June 4, 2020, 3:39 a.m. UTC | #1
On Thu, Jun 04, 2020 at 11:32:04AM +0800, Zhangfei Gao wrote:
> Use strlcpy to fix the warning
> warning: 'strncpy' specified bound 64 equals destination size
>          [-Wstringop-truncation]
> 
> Reported-by: kernel test robot <lkp@intel.com>
> Signed-off-by: Zhangfei Gao <zhangfei.gao@linaro.org>
> ---
>  drivers/crypto/hisilicon/qm.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/drivers/crypto/hisilicon/qm.c b/drivers/crypto/hisilicon/qm.c
> index f795fb5..224f3e2 100644
> --- a/drivers/crypto/hisilicon/qm.c
> +++ b/drivers/crypto/hisilicon/qm.c
> @@ -1574,7 +1574,7 @@ static int qm_alloc_uacce(struct hisi_qm *qm)
>  		.ops = &uacce_qm_ops,
>  	};
>  
> -	strncpy(interface.name, pdev->driver->name, sizeof(interface.name));
> +	strlcpy(interface.name, pdev->driver->name, sizeof(interface.name));

Should this even allow truncation? Perhaps it'd be better to fail
in case of an overrun?

Cheers,
Zhangfei Gao June 4, 2020, 6:10 a.m. UTC | #2
On 2020/6/4 11:39 AM, Herbert Xu wrote:
> On Thu, Jun 04, 2020 at 11:32:04AM +0800, Zhangfei Gao wrote:
>> Use strlcpy to fix the warning
>> warning: 'strncpy' specified bound 64 equals destination size
>>           [-Wstringop-truncation]
>>
>> Reported-by: kernel test robot <lkp@intel.com>
>> Signed-off-by: Zhangfei Gao <zhangfei.gao@linaro.org>
>> ---
>>   drivers/crypto/hisilicon/qm.c | 2 +-
>>   1 file changed, 1 insertion(+), 1 deletion(-)
>>
>> diff --git a/drivers/crypto/hisilicon/qm.c b/drivers/crypto/hisilicon/qm.c
>> index f795fb5..224f3e2 100644
>> --- a/drivers/crypto/hisilicon/qm.c
>> +++ b/drivers/crypto/hisilicon/qm.c
>> @@ -1574,7 +1574,7 @@ static int qm_alloc_uacce(struct hisi_qm *qm)
>>   		.ops = &uacce_qm_ops,
>>   	};
>>   
>> -	strncpy(interface.name, pdev->driver->name, sizeof(interface.name));
>> +	strlcpy(interface.name, pdev->driver->name, sizeof(interface.name));
> Should this even allow truncation? Perhaps it'd be better to fail
> in case of an overrun?
I think we do not need to consider overrun, since it copies at most size-1
bytes to dest.
From the manual: strlcpy()
        This function is similar to strncpy(), but it copies at most
        size-1 bytes to dest, always adds a terminating null byte,
And simply tested with a smaller SIZE of interface.name, only SIZE-1 is
copied, so it is safe.
-#define UACCE_MAX_NAME_SIZE    64
+#define UACCE_MAX_NAME_SIZE    4

Thanks
Herbert Xu June 4, 2020, 6:18 a.m. UTC | #3
On Thu, Jun 04, 2020 at 02:10:37PM +0800, Zhangfei Gao wrote:
>
> > Should this even allow truncation? Perhaps it'd be better to fail
> > in case of an overrun?
> I think we do not need to consider overrun, since it copies at most size-1 bytes
> to dest.
> From the manual: strlcpy()
>        This function is similar to strncpy(), but it copies at most
>        size-1 bytes to dest, always adds a terminating null byte,
> And simply tested with a smaller SIZE of interface.name, only SIZE-1 is
> copied, so it is safe.
> -#define UACCE_MAX_NAME_SIZE    64
> +#define UACCE_MAX_NAME_SIZE    4

That's not what I meant.  As it is if you do exceed the limit the
name is silently truncated.  Wouldn't it be better to fail the
allocation instead?

Cheers,
Zhangfei Gao June 4, 2020, 6:44 a.m. UTC | #4
On 2020/6/4 2:18 PM, Herbert Xu wrote:
> On Thu, Jun 04, 2020 at 02:10:37PM +0800, Zhangfei Gao wrote:
>>> Should this even allow truncation? Perhaps it'd be better to fail
>>> in case of an overrun?
>> I think we do not need to consider overrun, since it copies at most size-1 bytes
>> to dest.
>> From the manual: strlcpy()
>>        This function is similar to strncpy(), but it copies at most
>>        size-1 bytes to dest, always adds a terminating null byte,
>> And simply tested with a smaller SIZE of interface.name, only SIZE-1 is
>> copied, so it is safe.
>> -#define UACCE_MAX_NAME_SIZE    64
>> +#define UACCE_MAX_NAME_SIZE    4
> That's not what I meant.  As it is if you do exceed the limit the
> name is silently truncated.  Wouldn't it be better to fail the
> allocation instead?
I think it is fine.
1. Currently the name size is 64, big enough.
Simply grepping the driver names, 64 should be enough.
We can make it larger when there is a request.
2. It does not matter what the name is, since it is just an interface.
cat /sys/class/uacce/hisi_zip-0/flags
cat /sys/class/uacce/his-0/flags
should both be fine to the app as long as they can be distinguished.
3. It may be a hard restriction to fail just because of a long name.

What do you think?

Thanks
Herbert Xu June 4, 2020, 6:50 a.m. UTC | #5
On Thu, Jun 04, 2020 at 02:44:16PM +0800, Zhangfei Gao wrote:
>
> I think it is fine.
> 1. Currently the name size is 64, big enough.
> Simply grepping the driver names, 64 should be enough.
> We can make it larger when there is a request.
> 2. It does not matter what the name is, since it is just an interface.
> cat /sys/class/uacce/hisi_zip-0/flags
> cat /sys/class/uacce/his-0/flags
> should both be fine to the app as long as they can be distinguished.
> 3. It may be a hard restriction to fail just because of a long name.

I think we should err on the side of caution.  IOW, unless you
know that you need it to succeed when it exceeds the limit, then
you should just make it fail.

Thanks,
Zhou Wang June 4, 2020, 1:52 p.m. UTC | #6
On 2020/6/4 14:50, Herbert Xu wrote:
> On Thu, Jun 04, 2020 at 02:44:16PM +0800, Zhangfei Gao wrote:
>>
>> I think it is fine.
>> 1. Currently the name size is 64, big enough.
>> Simply grepping the driver names, 64 should be enough.
>> We can make it larger when there is a request.
>> 2. It does not matter what the name is, since it is just an interface.
>> cat /sys/class/uacce/hisi_zip-0/flags
>> cat /sys/class/uacce/his-0/flags
>> should both be fine to the app as long as they can be distinguished.
>> 3. It may be a hard restriction to fail just because of a long name.
> 
> I think we should err on the side of caution.  IOW, unless you
> know that you need it to succeed when it exceeds the limit, then
> you should just make it fail.

Yes. We need to make it fail to avoid silent truncation.

> 
> Thanks,
>
Zhangfei Gao June 5, 2020, 9:34 a.m. UTC | #7
On 2020/6/4 2:50 PM, Herbert Xu wrote:
> On Thu, Jun 04, 2020 at 02:44:16PM +0800, Zhangfei Gao wrote:
>> I think it is fine.
>> 1. Currently the name size is 64, big enough.
>> Simply grepping the driver names, 64 should be enough.
>> We can make it larger when there is a request.
>> 2. It does not matter what the name is, since it is just an interface.
>> cat /sys/class/uacce/hisi_zip-0/flags
>> cat /sys/class/uacce/his-0/flags
>> should both be fine to the app as long as they can be distinguished.
>> 3. It may be a hard restriction to fail just because of a long name.
> I think we should err on the side of caution.  IOW, unless you
> know that you need it to succeed when it exceeds the limit, then
> you should just make it fail.
Thanks Herbert
Will add a check after the copy.

         strlcpy(interface.name, pdev->driver->name, sizeof(interface.name));
         if (strlen(pdev->driver->name) != strlen(interface.name))
                 return -EINVAL;

Will resend the fix after rc1 is open.

Thanks
Herbert Xu June 5, 2020, 12:17 p.m. UTC | #8
On Fri, Jun 05, 2020 at 05:34:32PM +0800, Zhangfei Gao wrote:
> Will add a check after the copy.
> 
>         strlcpy(interface.name, pdev->driver->name, sizeof(interface.name));
>         if (strlen(pdev->driver->name) != strlen(interface.name))
>                 return -EINVAL;

You don't need to do strlen.  The function strlcpy returns the
length of the source string.

Better yet use strscpy which will even return an error for you.

Cheers,
Zhangfei Gao June 5, 2020, 3:26 p.m. UTC | #9
On 2020/6/5 8:17 PM, Herbert Xu wrote:
> On Fri, Jun 05, 2020 at 05:34:32PM +0800, Zhangfei Gao wrote:
>> Will add a check after the copy.
>>
>>          strlcpy(interface.name, pdev->driver->name, sizeof(interface.name));
>>          if (strlen(pdev->driver->name) != strlen(interface.name))
>>                  return -EINVAL;
> You don't need to do strlen.  The function strlcpy returns the
> length of the source string.
>
> Better yet use strscpy which will even return an error for you.
>
>
Yes, good idea, we can use strscpy.

+       int ret;

-       strncpy(interface.name, pdev->driver->name, sizeof(interface.name));
+       ret = strscpy(interface.name, pdev->driver->name, sizeof(interface.name));
+       if (ret < 0)
+               return ret;

Will resend later, thanks Herbert.
Eric Biggers June 5, 2020, 3:49 p.m. UTC | #10
On Fri, Jun 05, 2020 at 11:26:20PM +0800, Zhangfei Gao wrote:
> 
> 
> On 2020/6/5 8:17 PM, Herbert Xu wrote:
> > On Fri, Jun 05, 2020 at 05:34:32PM +0800, Zhangfei Gao wrote:
> > > Will add a check after the copy.
> > > 
> > >          strlcpy(interface.name, pdev->driver->name, sizeof(interface.name));
> > >          if (strlen(pdev->driver->name) != strlen(interface.name))
> > >                  return -EINVAL;
> > You don't need to do strlen.  The function strlcpy returns the
> > length of the source string.
> > 
> > Better yet use strscpy which will even return an error for you.
> > 
> > 
> Yes, good idea, we can use strscpy.
> 
> +       int ret;
> 
> -       strncpy(interface.name, pdev->driver->name, sizeof(interface.name));
> +       ret = strscpy(interface.name, pdev->driver->name, sizeof(interface.name));
> +       if (ret < 0)
> +               return ret;

You might want to use -ENAMETOOLONG instead of the strscpy return value of
-E2BIG.
Zhangfei Gao June 6, 2020, 1:42 a.m. UTC | #11
On 2020/6/5 11:49 PM, Eric Biggers wrote:
> On Fri, Jun 05, 2020 at 11:26:20PM +0800, Zhangfei Gao wrote:
>>
>> On 2020/6/5 8:17 PM, Herbert Xu wrote:
>>> On Fri, Jun 05, 2020 at 05:34:32PM +0800, Zhangfei Gao wrote:
>>>> Will add a check after the copy.
>>>>
>>>>           strlcpy(interface.name, pdev->driver->name, sizeof(interface.name));
>>>>           if (strlen(pdev->driver->name) != strlen(interface.name))
>>>>                   return -EINVAL;
>>> You don't need to do strlen.  The function strlcpy returns the
>>> length of the source string.
>>>
>>> Better yet use strscpy which will even return an error for you.
>>>
>>>
>> Yes, good idea, we can use strscpy.
>>
>> +       int ret;
>>
>> -       strncpy(interface.name, pdev->driver->name, sizeof(interface.name));
>> +       ret = strscpy(interface.name, pdev->driver->name, sizeof(interface.name));
>> +       if (ret < 0)
>> +               return ret;
> You might want to use -ENAMETOOLONG instead of the strscpy return value of
> -E2BIG.
Yes, makes sense, thanks Eric
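An added example, not code from qm.c or from the hisilicon driver, pulling together the behaviours the thread discusses: the unterminated buffer behind the strncpy warning, the strlcpy length comparison from Zhangfei's first proposal and Herbert's return-value shortcut, and the strscpy form with Eric's -ENAMETOOLONG mapping. The kernel's strlcpy/strscpy are not available in userspace, so demo_strlcpy and demo_strscpy re-implement the semantics the thread describes; DEMO_NAME_SIZE and copy_name_strict are constructed for the demonstration.

```c
/*
 * Added demonstration, not code from qm.c or the kernel: how strncpy,
 * strlcpy and strscpy behave when the source name is too long for the
 * destination. demo_strlcpy/demo_strscpy mirror the kernel semantics.
 */
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Constructed: a tiny name buffer so truncation is easy to hit
 * (the real UACCE_MAX_NAME_SIZE is 64). */
#define DEMO_NAME_SIZE 8

/* strlcpy semantics: copy at most size-1 bytes, always NUL-terminate,
 * return the full length of src so the caller can detect truncation. */
static size_t demo_strlcpy(char *dest, const char *src, size_t size)
{
	size_t len = strlen(src);
	if (size) {
		size_t n = len >= size ? size - 1 : len;
		memcpy(dest, src, n);
		dest[n] = '\0';
	}
	return len;
}

/* strscpy semantics: return the number of bytes copied (without the NUL),
 * or -E2BIG when src did not fit; dest is NUL-terminated either way. */
static long demo_strscpy(char *dest, const char *src, size_t size)
{
	size_t len = 0;
	if (!size)
		return -E2BIG;
	while (len < size && src[len] != '\0')	/* bounded strlen */
		len++;
	if (len == size) {
		memcpy(dest, src, size - 1);
		dest[size - 1] = '\0';
		return -E2BIG;
	}
	memcpy(dest, src, len + 1);
	return (long)len;
}

/* The hazard behind the compiler warning: strncpy with a bound equal to
 * sizeof(dest) writes no terminator when src is at least that long.
 * Returns 1 if dest contains a NUL afterwards, 0 if it does not. */
int strncpy_leaves_terminator(const char *src)
{
	char dest[DEMO_NAME_SIZE];
	volatile size_t bound = sizeof(dest); /* hide the constant from GCC */
	memset(dest, 'X', sizeof(dest)); /* constructed fill: no stray NULs */
	strncpy(dest, src, bound);
	return memchr(dest, '\0', sizeof(dest)) != NULL;
}

/* Zhangfei's first proposal: strlcpy, then compare source and destination
 * lengths. Returns 1 if the name was truncated. */
int strlcpy_truncated_by_strlen(const char *src)
{
	char dest[DEMO_NAME_SIZE];
	demo_strlcpy(dest, src, sizeof(dest));
	return strlen(src) != strlen(dest);
}

/* Herbert's shortcut: strlcpy already returns strlen(src), so a result of
 * sizeof(dest) or more means truncation without a second strlen. */
int strlcpy_truncated_by_retval(const char *src)
{
	char dest[DEMO_NAME_SIZE];
	return demo_strlcpy(dest, src, sizeof(dest)) >= sizeof(dest);
}

/* What the thread converged on: strscpy, with -E2BIG mapped to
 * -ENAMETOOLONG as Eric Biggers suggested. Hypothetical helper name.
 * Returns the copied length, or a negative errno so the caller can fail. */
long copy_name_strict(char *dest, size_t size, const char *src)
{
	long ret = demo_strscpy(dest, src, size);
	return ret == -E2BIG ? -ENAMETOOLONG : ret;
}

int main(void)
{
	char name[DEMO_NAME_SIZE];
	const char *too_long = "hisi_zip"; /* constructed: 8 bytes, one too many */
	printf("strncpy terminated: %d, strlcpy truncated: %d, strict: %ld\n",
	       strncpy_leaves_terminator(too_long),
	       strlcpy_truncated_by_strlen(too_long),
	       copy_name_strict(name, sizeof(name), too_long));
	return 0;
}
```

With the 8-byte buffer, "hisi_zip" is exactly one byte too long: strncpy leaves no terminator, strlcpy silently stores "hisi_zi" and only the return value reveals it, and the strict variant refuses the name with -ENAMETOOLONG, which is the failure Herbert asked for.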
David Laight June 7, 2020, 1:03 p.m. UTC | #12
From: Herbert Xu
> Sent: 05 June 2020 13:17
...
> Better yet use strscpy which will even return an error for you.

It really ought to return the buffer length on truncation.
Then you can loop:
	while(...)
		buf += strxxxcpy(buf, src, buf_end - buf);
and only check right at the end.

	David

Eric Biggers June 10, 2020, 6:56 a.m. UTC | #13
On Sun, Jun 07, 2020 at 01:03:45PM +0000, David Laight wrote:
> From: Herbert Xu
> > Sent: 05 June 2020 13:17
> ...
> > Better yet use strscpy which will even return an error for you.
> 
> It really ought to return the buffer length on truncation.
> Then you can loop:
> 	while(...)
> 		buf += strxxxcpy(buf, src, buf_end - buf);
> and only check right at the end.
> 
> 	David

scnprintf() can be used for that.

But that doesn't seem relevant to this patch.

- Eric
Patch

diff --git a/drivers/crypto/hisilicon/qm.c b/drivers/crypto/hisilicon/qm.c
index f795fb5..224f3e2 100644
--- a/drivers/crypto/hisilicon/qm.c
+++ b/drivers/crypto/hisilicon/qm.c
@@ -1574,7 +1574,7 @@  static int qm_alloc_uacce(struct hisi_qm *qm)
 		.ops = &uacce_qm_ops,
 	};
 
-	strncpy(interface.name, pdev->driver->name, sizeof(interface.name));
+	strlcpy(interface.name, pdev->driver->name, sizeof(interface.name));
 
 	uacce = uacce_alloc(&pdev->dev, &interface);
 	if (IS_ERR(uacce))
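Review bot: The strlcpy line still lets an overlong pdev->driver->name be silently truncated into interface.name, and its return value (the full source length) is discarded, so qm_alloc_uacce would go on to register a uacce device under a shortened name with no error. Prefer `ret = strscpy(interface.name, pdev->driver->name, sizeof(interface.name));` followed by `if (ret < 0) return -ENAMETOOLONG;` so the allocation fails instead, or at minimum compare strlcpy's return value against sizeof(interface.name). The change does fix the real defect in the strncpy call, which left interface.name without a terminating NUL whenever the driver name filled the whole buffer.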