| Message ID | 20250302225641.245127-2-thorsten.blum@linux.dev (mailing list archive) |
|---|---|
| State | New |
| Headers | show |
| Series | [v2] scsi: target: Replace deprecated strncpy() with strscpy() | expand |
On Sun, Mar 02, 2025 at 11:56:41PM +0100, Thorsten Blum wrote: > strncpy() is deprecated for NUL-terminated destination buffers; use > strscpy() instead. The destination buffer db_root is only used with "%s" > format strings and must therefore be NUL-terminated, but not NUL-padded. > > Use scnprintf() because snprintf() could return a value >= DB_ROOT_LEN > and lead to an out-of-bounds access. This doesn't happen because count > is explicitly checked against DB_ROOT_LEN before. However, scnprintf() > always returns the number of characters actually written to the string > buffer, which is always within the bounds of db_root_stage, and should > be preferred over snprintf(). > > The size parameter of strscpy() is optional and since DB_ROOT_LEN is the > size of the destination buffer, it can be removed. Remove it to simplify > the code. > > Compile-tested only. > > Link: https://github.com/KSPP/linux/issues/90 > Link: https://github.com/KSPP/linux/issues/105 > Cc: linux-hardening@vger.kernel.org > Signed-off-by: Thorsten Blum <thorsten.blum@linux.dev> Reviewed-by: Kees Cook <kees@kernel.org>
diff --git a/drivers/target/target_core_configfs.c b/drivers/target/target_core_configfs.c index c40217f44b1b..66804bf1ee32 100644 --- a/drivers/target/target_core_configfs.c +++ b/drivers/target/target_core_configfs.c @@ -123,7 +123,7 @@ static ssize_t target_core_item_dbroot_store(struct config_item *item, goto unlock; } - read_bytes = snprintf(db_root_stage, DB_ROOT_LEN, "%s", page); + read_bytes = scnprintf(db_root_stage, DB_ROOT_LEN, "%s", page); if (!read_bytes) goto unlock; @@ -143,7 +143,7 @@ static ssize_t target_core_item_dbroot_store(struct config_item *item, } filp_close(fp, NULL); - strncpy(db_root, db_root_stage, read_bytes); + strscpy(db_root, db_root_stage); pr_debug("Target_Core_ConfigFS: db_root set to %s\n", db_root); r = read_bytes; @@ -3664,7 +3664,7 @@ static void target_init_dbroot(void) } filp_close(fp, NULL); - strncpy(db_root, db_root_stage, DB_ROOT_LEN); + strscpy(db_root, db_root_stage); pr_debug("Target_Core_ConfigFS: db_root set to %s\n", db_root); }
strncpy() is deprecated for NUL-terminated destination buffers; use strscpy() instead. The destination buffer db_root is only used with "%s" format strings and must therefore be NUL-terminated, but not NUL-padded. Use scnprintf() because snprintf() could return a value >= DB_ROOT_LEN and lead to an out-of-bounds access. This doesn't happen because count is explicitly checked against DB_ROOT_LEN before. However, scnprintf() always returns the number of characters actually written to the string buffer, which is always within the bounds of db_root_stage, and should be preferred over snprintf(). The size parameter of strscpy() is optional and since DB_ROOT_LEN is the size of the destination buffer, it can be removed. Remove it to simplify the code. Compile-tested only. Link: https://github.com/KSPP/linux/issues/90 Link: https://github.com/KSPP/linux/issues/105 Cc: linux-hardening@vger.kernel.org Signed-off-by: Thorsten Blum <thorsten.blum@linux.dev> --- Changes in v2: - Improve the commit message and replace another strncpy() as suggested by Kees Cook - Replace snprintf() with scnprintf() - Link to v1: https://lore.kernel.org/r/20250226121003.359876-1-thorsten.blum@linux.dev/ --- drivers/target/target_core_configfs.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-)