| Message ID | 20230803-security-tomoyo-v1-1-c53a17908d2f@google.com (mailing list archive) |
|---|---|
| State | Handled Elsewhere |
| Headers | show |
| Series | tomoyo: refactor deprecated strncpy | expand |
On Thu, Aug 03, 2023 at 09:33:44PM +0000, Justin Stitt wrote: > `strncpy` is deprecated for use on NUL-terminated destination strings [1]. > > A suitable replacement is `strscpy` [2] due to the fact that it > guarantees NUL-termination on its destination buffer argument which is > _not_ the case for `strncpy`! > > It should be noted that the destination buffer is zero-initialized and > had a max length of `sizeof(dest) - 1`. There is likely _not_ a bug > present in the current implementation. However, by switching to > `strscpy` we get the benefit of no longer needing the `- 1`'s from the > string copy invocations on top of `strscpy` being a safer interface all > together. > > [1]: www.kernel.org/doc/html/latest/process/deprecated.html#strncpy-on-nul-terminated-strings > [2]: https://manpages.debian.org/testing/linux-manual-4.8/strscpy.9.en.html > > Link: https://github.com/KSPP/linux/issues/90 > Cc: linux-hardening@vger.kernel.org > Signed-off-by: Justin Stitt <justinstitt@google.com> Thanks! This looks correct to me. Reviewed-by: Kees Cook <keescook@chromium.org>
Thank you. Applied to https://scm.osdn.net/gitroot/tomoyo/tomoyo-test1.git . On 2023/08/04 16:40, Kees Cook wrote: > On Thu, Aug 03, 2023 at 09:33:44PM +0000, Justin Stitt wrote: >> `strncpy` is deprecated for use on NUL-terminated destination strings [1]. >> >> A suitable replacement is `strscpy` [2] due to the fact that it >> guarantees NUL-termination on its destination buffer argument which is >> _not_ the case for `strncpy`! >> >> It should be noted that the destination buffer is zero-initialized and >> had a max length of `sizeof(dest) - 1`. There is likely _not_ a bug >> present in the current implementation. However, by switching to >> `strscpy` we get the benefit of no longer needing the `- 1`'s from the >> string copy invocations on top of `strscpy` being a safer interface all >> together. >> >> [1]: www.kernel.org/doc/html/latest/process/deprecated.html#strncpy-on-nul-terminated-strings >> [2]: https://manpages.debian.org/testing/linux-manual-4.8/strscpy.9.en.html >> >> Link: https://github.com/KSPP/linux/issues/90 >> Cc: linux-hardening@vger.kernel.org >> Signed-off-by: Justin Stitt <justinstitt@google.com> > > Thanks! This looks correct to me. > > Reviewed-by: Kees Cook <keescook@chromium.org> >
diff --git a/security/tomoyo/domain.c b/security/tomoyo/domain.c index ac20c0bdff9d..90b53500a236 100644 --- a/security/tomoyo/domain.c +++ b/security/tomoyo/domain.c @@ -784,13 +784,12 @@ int tomoyo_find_next_domain(struct linux_binprm *bprm) if (!strcmp(domainname, "parent")) { char *cp; - strncpy(ee->tmp, old_domain->domainname->name, - TOMOYO_EXEC_TMPSIZE - 1); + strscpy(ee->tmp, old_domain->domainname->name, TOMOYO_EXEC_TMPSIZE); cp = strrchr(ee->tmp, ' '); if (cp) *cp = '\0'; } else if (*domainname == '<') - strncpy(ee->tmp, domainname, TOMOYO_EXEC_TMPSIZE - 1); + strscpy(ee->tmp, domainname, TOMOYO_EXEC_TMPSIZE); else snprintf(ee->tmp, TOMOYO_EXEC_TMPSIZE - 1, "%s %s", old_domain->domainname->name, domainname);
`strncpy` is deprecated for use on NUL-terminated destination strings [1]. A suitable replacement is `strscpy` [2] due to the fact that it guarantees NUL-termination on its destination buffer argument which is _not_ the case for `strncpy`! It should be noted that the destination buffer is zero-initialized and had a max length of `sizeof(dest) - 1`. There is likely _not_ a bug present in the current implementation. However, by switching to `strscpy` we get the benefit of no longer needing the `- 1`'s from the string copy invocations on top of `strscpy` being a safer interface all together. [1]: www.kernel.org/doc/html/latest/process/deprecated.html#strncpy-on-nul-terminated-strings [2]: https://manpages.debian.org/testing/linux-manual-4.8/strscpy.9.en.html Link: https://github.com/KSPP/linux/issues/90 Cc: linux-hardening@vger.kernel.org Signed-off-by: Justin Stitt <justinstitt@google.com> --- security/tomoyo/domain.c | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) --- base-commit: 5d0c230f1de8c7515b6567d9afba1f196fb4e2f4 change-id: 20230803-security-tomoyo-7d58f53d35a6 Best regards, -- Justin Stitt <justinstitt@google.com>