xfs: replace deprecated strncpy with strscpy_pad

Message ID	20240405-strncpy-xfs-split1-v1-1-3e3df465adb9@google.com (mailing list archive)
State	New, archived
Headers	show Received: from mail-yb1-f202.google.com (mail-yb1-f202.google.com [209.85.219.202]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 2F9B9173338 for <linux-hardening@vger.kernel.org>; Fri, 5 Apr 2024 19:52:29 +0000 (UTC) Date: Fri, 05 Apr 2024 19:52:27 +0000 Precedence: bulk Mime-Version: 1.0 Message-ID: <20240405-strncpy-xfs-split1-v1-1-3e3df465adb9@google.com> Subject: [PATCH] xfs: replace deprecated strncpy with strscpy_pad From: Justin Stitt <justinstitt@google.com> To: Chandan Babu R <chandan.babu@oracle.com>, "Darrick J. Wong" <djwong@kernel.org> Cc: linux-xfs@vger.kernel.org, linux-kernel@vger.kernel.org, linux-hardening@vger.kernel.org, Justin Stitt <justinstitt@google.com> Content-Type: text/plain; charset="utf-8"
Series	xfs: replace deprecated strncpy with strscpy_pad \| expand xfs: replace deprecated strncpy with strscpy_pad

Message ID

20240405-strncpy-xfs-split1-v1-1-3e3df465adb9@google.com (mailing list archive)

State

New, archived

Headers

Date: Fri, 05 Apr 2024 19:52:27 +0000
Precedence: bulk
Mime-Version: 1.0
Message-ID: <20240405-strncpy-xfs-split1-v1-1-3e3df465adb9@google.com>
Subject: [PATCH] xfs: replace deprecated strncpy with strscpy_pad
From: Justin Stitt <justinstitt@google.com>
To: Chandan Babu R <chandan.babu@oracle.com>,
 "Darrick J. Wong" <djwong@kernel.org>
Cc: linux-xfs@vger.kernel.org, linux-kernel@vger.kernel.org,
	linux-hardening@vger.kernel.org, Justin Stitt <justinstitt@google.com>
Content-Type: text/plain; charset="utf-8"

Series

xfs: replace deprecated strncpy with strscpy_pad | expand

Commit Message

Justin Stitt April 5, 2024, 7:52 p.m. UTC

strncpy() is deprecated for use on NUL-terminated destination strings
[1] and as such we should prefer more robust and less ambiguous string
interfaces.

The current code has taken care of NUL-termination by memset()'ing
@label. This is followed by a strncpy() to perform the string copy.

Instead, use strscpy_pad() to get both 1) NUL-termination and 2)
NUL-padding which is needed as this is copied out to userspace.

Note that this patch uses the new 2-argument version of strscpy_pad
introduced in Commit e6584c3964f2f ("string: Allow 2-argument
strscpy()").

Link: https://www.kernel.org/doc/html/latest/process/deprecated.html#strncpy-on-nul-terminated-strings [1]
Link: https://manpages.debian.org/testing/linux-manual-4.8/strscpy.9.en.html [2]
Link: https://github.com/KSPP/linux/issues/90
Cc: linux-hardening@vger.kernel.org

Signed-off-by: Justin Stitt <justinstitt@google.com>
---
Split from https://lore.kernel.org/all/20240401-strncpy-fs-xfs-xfs_ioctl-c-v1-1-02b9feb1989b@google.com/
with feedback from Christoph H.
---
 fs/xfs/xfs_ioctl.c | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)


---
base-commit: c85af715cac0a951eea97393378e84bb49384734
change-id: 20240405-strncpy-xfs-split1-a2c408b934c6

Best regards,
--
Justin Stitt <justinstitt@google.com>

Comments

Kees Cook April 9, 2024, 4:22 p.m. UTC | #1

On Fri, Apr 05, 2024 at 07:52:27PM +0000, Justin Stitt wrote:
> strncpy() is deprecated for use on NUL-terminated destination strings
> [1] and as such we should prefer more robust and less ambiguous string
> interfaces.
> 
> The current code has taken care of NUL-termination by memset()'ing
> @label. This is followed by a strncpy() to perform the string copy.
> 
> Instead, use strscpy_pad() to get both 1) NUL-termination and 2)
> NUL-padding which is needed as this is copied out to userspace.
> 
> Note that this patch uses the new 2-argument version of strscpy_pad
> introduced in Commit e6584c3964f2f ("string: Allow 2-argument
> strscpy()").
> 
> Link: https://www.kernel.org/doc/html/latest/process/deprecated.html#strncpy-on-nul-terminated-strings [1]
> Link: https://manpages.debian.org/testing/linux-manual-4.8/strscpy.9.en.html [2]
> Link: https://github.com/KSPP/linux/issues/90
> Cc: linux-hardening@vger.kernel.org
> 
> Signed-off-by: Justin Stitt <justinstitt@google.com>
> ---
> Split from https://lore.kernel.org/all/20240401-strncpy-fs-xfs-xfs_ioctl-c-v1-1-02b9feb1989b@google.com/
> with feedback from Christoph H.
> ---
>  fs/xfs/xfs_ioctl.c | 5 ++---
>  1 file changed, 2 insertions(+), 3 deletions(-)
> 
> diff --git a/fs/xfs/xfs_ioctl.c b/fs/xfs/xfs_ioctl.c
> index d0e2cec6210d..a1156a8b1e15 100644
> --- a/fs/xfs/xfs_ioctl.c
> +++ b/fs/xfs/xfs_ioctl.c
> @@ -1750,15 +1750,14 @@ xfs_ioc_getlabel(
>  	char			__user *user_label)
>  {
>  	struct xfs_sb		*sbp = &mp->m_sb;
> +	/* 1 larger than sb_fname, for a trailing NUL char */
>  	char			label[XFSLABEL_MAX + 1];
>  
>  	/* Paranoia */
>  	BUILD_BUG_ON(sizeof(sbp->sb_fname) > FSLABEL_MAX);
>  
> -	/* 1 larger than sb_fname, so this ensures a trailing NUL char */
> -	memset(label, 0, sizeof(label));
>  	spin_lock(&mp->m_sb_lock);
> -	strncpy(label, sbp->sb_fname, XFSLABEL_MAX);
> +	strscpy_pad(label, sbp->sb_fname);

Is sbp->sb_fname itself NUL-terminated? This looks like another case of
needing the memtostr() helper?

-Kees

>  	spin_unlock(&mp->m_sb_lock);
>  
>  	if (copy_to_user(user_label, label, sizeof(label)))
> 
> ---
> base-commit: c85af715cac0a951eea97393378e84bb49384734
> change-id: 20240405-strncpy-xfs-split1-a2c408b934c6
> 
> Best regards,
> --
> Justin Stitt <justinstitt@google.com>
> 
>

Justin Stitt April 10, 2024, 8:45 p.m. UTC | #2

On Tue, Apr 9, 2024 at 9:22 AM Kees Cook <keescook@chromium.org> wrote:
> >
> > -     /* 1 larger than sb_fname, so this ensures a trailing NUL char */
> > -     memset(label, 0, sizeof(label));
> >       spin_lock(&mp->m_sb_lock);
> > -     strncpy(label, sbp->sb_fname, XFSLABEL_MAX);
> > +     strscpy_pad(label, sbp->sb_fname);
>
> Is sbp->sb_fname itself NUL-terminated? This looks like another case of
> needing the memtostr() helper?
>

I sent a patch [1].

Obviously it depends on your implementation patch landing first; what
tree should it go to?

> Kees Cook

[1]: https://lore.kernel.org/r/20240410-strncpy-xfs-split1-v2-1-7c651502bcb0@google.com

Kees Cook April 11, 2024, 3:31 p.m. UTC | #3

On Wed, Apr 10, 2024 at 01:45:21PM -0700, Justin Stitt wrote:
> On Tue, Apr 9, 2024 at 9:22 AM Kees Cook <keescook@chromium.org> wrote:
> > >
> > > -     /* 1 larger than sb_fname, so this ensures a trailing NUL char */
> > > -     memset(label, 0, sizeof(label));
> > >       spin_lock(&mp->m_sb_lock);
> > > -     strncpy(label, sbp->sb_fname, XFSLABEL_MAX);
> > > +     strscpy_pad(label, sbp->sb_fname);
> >
> > Is sbp->sb_fname itself NUL-terminated? This looks like another case of
> > needing the memtostr() helper?
> >
> 
> I sent a patch [1].
> 
> Obviously it depends on your implementation patch landing first; what
> tree should it go to?

This "flavor" of conversion may need to wait a release? There's no
urgency on the conversion, and there are plenty more to do for this
cycle. ;)

-Kees

> [1]: https://lore.kernel.org/r/20240410-strncpy-xfs-split1-v2-1-7c651502bcb0@google.com

David Laight April 15, 2024, 11:22 a.m. UTC | #4

From: Kees Cook
> Sent: 11 April 2024 16:32
> 
> On Wed, Apr 10, 2024 at 01:45:21PM -0700, Justin Stitt wrote:
> > On Tue, Apr 9, 2024 at 9:22 AM Kees Cook <keescook@chromium.org> wrote:
> > > >
> > > > -     /* 1 larger than sb_fname, so this ensures a trailing NUL char */
> > > > -     memset(label, 0, sizeof(label));
> > > >       spin_lock(&mp->m_sb_lock);
> > > > -     strncpy(label, sbp->sb_fname, XFSLABEL_MAX);
> > > > +     strscpy_pad(label, sbp->sb_fname);
> > >
> > > Is sbp->sb_fname itself NUL-terminated? This looks like another case of
> > > needing the memtostr() helper?
> > >
> >
> > I sent a patch [1].
> >
> > Obviously it depends on your implementation patch landing first; what
> > tree should it go to?
> 
> This "flavor" of conversion may need to wait a release? There's no
> urgency on the conversion, and there are plenty more to do for this
> cycle. ;)

In this case:
	char label[sizeof (sbp->fb_fname) + 1];
	memcpy(label, sbp->sb_fname, sizeof (sbp->sb_fname));
	label[sizeof (sbp->fname)] = 0;
is probably the clearest code.
(it is [12] - so no point faffing with the copy.)

	David

-
Registered Address Lakeside, Bramley Road, Mount Farm, Milton Keynes, MK1 1PT, UK
Registration No: 1397386 (Wales)

diff --git a/fs/xfs/xfs_ioctl.c b/fs/xfs/xfs_ioctl.c
index d0e2cec6210d..a1156a8b1e15 100644
--- a/fs/xfs/xfs_ioctl.c
+++ b/fs/xfs/xfs_ioctl.c
@@ -1750,15 +1750,14 @@  xfs_ioc_getlabel(
 	char			__user *user_label)
 {
 	struct xfs_sb		*sbp = &mp->m_sb;
+	/* 1 larger than sb_fname, for a trailing NUL char */
 	char			label[XFSLABEL_MAX + 1];
 
 	/* Paranoia */
 	BUILD_BUG_ON(sizeof(sbp->sb_fname) > FSLABEL_MAX);
 
-	/* 1 larger than sb_fname, so this ensures a trailing NUL char */
-	memset(label, 0, sizeof(label));
 	spin_lock(&mp->m_sb_lock);
-	strncpy(label, sbp->sb_fname, XFSLABEL_MAX);
+	strscpy_pad(label, sbp->sb_fname);
 	spin_unlock(&mp->m_sb_lock);
 
 	if (copy_to_user(user_label, label, sizeof(label)))

xfs: replace deprecated strncpy with strscpy_pad

Commit Message

Comments

Patch