| Message ID | 20230913-strncpy-drivers-edac-edac_mc_sysfs-c-v3-1-38c1db7d207f@google.com (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
| Series | [v3] EDAC/mc_sysfs: refactor deprecated strncpy | expand |
On Wed, Sep 13, 2023 at 05:20:50PM +0000, Justin Stitt wrote: > `strncpy` is deprecated for use on NUL-terminated destination strings [1]. > > We should prefer more robust and less ambiguous string interfaces. > > A suitable replacement is `strscpy` [2] due to the fact that it > guarantees NUL-termination on the destination buffer without needlessly > NUL-padding. > > Link: https://www.kernel.org/doc/html/latest/process/deprecated.html#strncpy-on-nul-terminated-strings [1] > Link: https://manpages.debian.org/testing/linux-manual-4.8/strscpy.9.en.html [2] > Link: https://github.com/KSPP/linux/issues/90 > Cc: linux-hardening@vger.kernel.org > Signed-off-by: Justin Stitt <justinstitt@google.com> > --- > Changes in v3: > - prefer strscpy to strscpy_pad (thanks Tony) > - Link to v2: https://lore.kernel.org/r/20230913-strncpy-drivers-edac-edac_mc_sysfs-c-v2-1-2d2e6bd43642@google.com > > Changes in v2: > - included refactor of another strncpy in same file > - Link to v1: https://lore.kernel.org/r/20230913-strncpy-drivers-edac-edac_mc_sysfs-c-v1-1-d232891b05b0@google.com > --- > Note: build-tested only. > --- > drivers/edac/edac_mc_sysfs.c | 5 ++--- > 1 file changed, 2 insertions(+), 3 deletions(-) > > diff --git a/drivers/edac/edac_mc_sysfs.c b/drivers/edac/edac_mc_sysfs.c > index 15f63452a9be..9a5b4bbd8191 100644 > --- a/drivers/edac/edac_mc_sysfs.c > +++ b/drivers/edac/edac_mc_sysfs.c > @@ -229,8 +229,7 @@ static ssize_t channel_dimm_label_store(struct device *dev, > if (copy_count == 0 || copy_count >= sizeof(rank->dimm->label)) > return -EINVAL; > > - strncpy(rank->dimm->label, data, copy_count); > - rank->dimm->label[copy_count] = '\0'; > + strscpy(rank->dimm->label, data, copy_count); Hrm, I don't like the use of "copy_count" here -- it's the source length, not the destination buffer size. It is technically safe because it was bounds-checked right before, but now we run the risk of additional truncation since "copy_count" will not include the '\0'. Imagine data = "a", count = 1. strscpy(dst, data, 1) will only copy '\0'. I think this should be memcpy(), not strscpy(). The bounds checking and truncation of '\n' has already been calculated -- we're just doing a byte copy at this point: if (count == 0) return -EINVAL; if (data[count - 1] == '\0' || data[count - 1] == '\n') copy_count -= 1; if (copy_count == 0 || copy_count >= sizeof(rank->dimm->label)) return -EINVAL; memcpy(rank->dimm->label, data, copy_count); rank->dimm->label[copy_count] = '\0'; > > return count; > } > @@ -535,7 +534,7 @@ static ssize_t dimmdev_label_store(struct device *dev, > if (copy_count == 0 || copy_count >= sizeof(dimm->label)) > return -EINVAL; > > - strncpy(dimm->label, data, copy_count); > + strscpy(dimm->label, data, copy_count); > dimm->label[copy_count] = '\0'; Same for this one: replace strncpy with memcpy. -Kees > > return count; > > --- > base-commit: 2dde18cd1d8fac735875f2e4987f11817cc0bc2c > change-id: 20230913-strncpy-drivers-edac-edac_mc_sysfs-c-e619b00124a3 > > Best regards, > -- > Justin Stitt <justinstitt@google.com> >
diff --git a/drivers/edac/edac_mc_sysfs.c b/drivers/edac/edac_mc_sysfs.c index 15f63452a9be..9a5b4bbd8191 100644 --- a/drivers/edac/edac_mc_sysfs.c +++ b/drivers/edac/edac_mc_sysfs.c @@ -229,8 +229,7 @@ static ssize_t channel_dimm_label_store(struct device *dev, if (copy_count == 0 || copy_count >= sizeof(rank->dimm->label)) return -EINVAL; - strncpy(rank->dimm->label, data, copy_count); - rank->dimm->label[copy_count] = '\0'; + strscpy(rank->dimm->label, data, copy_count); return count; } @@ -535,7 +534,7 @@ static ssize_t dimmdev_label_store(struct device *dev, if (copy_count == 0 || copy_count >= sizeof(dimm->label)) return -EINVAL; - strncpy(dimm->label, data, copy_count); + strscpy(dimm->label, data, copy_count); dimm->label[copy_count] = '\0'; return count;
`strncpy` is deprecated for use on NUL-terminated destination strings [1]. We should prefer more robust and less ambiguous string interfaces. A suitable replacement is `strscpy` [2] due to the fact that it guarantees NUL-termination on the destination buffer without needlessly NUL-padding. Link: https://www.kernel.org/doc/html/latest/process/deprecated.html#strncpy-on-nul-terminated-strings [1] Link: https://manpages.debian.org/testing/linux-manual-4.8/strscpy.9.en.html [2] Link: https://github.com/KSPP/linux/issues/90 Cc: linux-hardening@vger.kernel.org Signed-off-by: Justin Stitt <justinstitt@google.com> --- Changes in v3: - prefer strscpy to strscpy_pad (thanks Tony) - Link to v2: https://lore.kernel.org/r/20230913-strncpy-drivers-edac-edac_mc_sysfs-c-v2-1-2d2e6bd43642@google.com Changes in v2: - included refactor of another strncpy in same file - Link to v1: https://lore.kernel.org/r/20230913-strncpy-drivers-edac-edac_mc_sysfs-c-v1-1-d232891b05b0@google.com --- Note: build-tested only. --- drivers/edac/edac_mc_sysfs.c | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) --- base-commit: 2dde18cd1d8fac735875f2e4987f11817cc0bc2c change-id: 20230913-strncpy-drivers-edac-edac_mc_sysfs-c-e619b00124a3 Best regards, -- Justin Stitt <justinstitt@google.com>