| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 14 Sep 2023 21:54:44 -0700
From: Kees Cook <keescook@...omium.org>
To: Justin Stitt <justinstitt@...gle.com>
Cc: Ben Skeggs <bskeggs@...hat.com>, Karol Herbst <kherbst@...hat.com>,
Lyude Paul <lyude@...hat.com>,
David Airlie <airlied@...il.com>,
Daniel Vetter <daniel@...ll.ch>,
dri-devel@...ts.freedesktop.org, nouveau@...ts.freedesktop.org,
linux-kernel@...r.kernel.org, linux-hardening@...r.kernel.org
Subject: Re: [PATCH] drm/nouveau/nvif: refactor deprecated strncpy
On Thu, Sep 14, 2023 at 09:30:37PM +0000, Justin Stitt wrote:
> `strncpy` is deprecated and as such we should prefer more robust and
> less ambiguous string interfaces.
>
> A suitable replacement is `strscpy_pad` due to the fact that it
> guarantees NUL-termination on the destination buffer whilst also
> maintaining the NUL-padding behavior that `strncpy` provides. I am not
> sure whether NUL-padding is strictly needed but I see in
> `nvif_object_ctor()` args is memcpy'd elsewhere so I figured we'd keep
> the same functionality.
>
> Link: https://www.kernel.org/doc/html/latest/process/deprecated.html#strncpy-on-nul-terminated-strings [1]
> Link: https://github.com/KSPP/linux/issues/90
> Cc: linux-hardening@...r.kernel.org
> Signed-off-by: Justin Stitt <justinstitt@...gle.com>
> ---
> Note: build-tested only.
> ---
> drivers/gpu/drm/nouveau/nvif/client.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/gpu/drm/nouveau/nvif/client.c b/drivers/gpu/drm/nouveau/nvif/client.c
> index a3264a0e933a..3a27245f467f 100644
> --- a/drivers/gpu/drm/nouveau/nvif/client.c
> +++ b/drivers/gpu/drm/nouveau/nvif/client.c
> @@ -69,7 +69,7 @@ nvif_client_ctor(struct nvif_client *parent, const char *name, u64 device,
> } nop = {};
> int ret;
>
> - strncpy(args.name, name, sizeof(args.name));
> + strscpy_pad(args.name, name, sizeof(args.name));
> ret = nvif_object_ctor(parent != client ? &parent->object : NULL,
> name ? name : "nvifClient", 0,
> NVIF_CLASS_CLIENT, &args, sizeof(args),
Right, I see the memcpy too:
nvif_object_ctor(struct nvif_object *parent, const char *name, u32 handle,
s32 oclass, void *data, u32 size, struct nvif_object *object)
{
...
memcpy(args->new.data, data, size);
However, "args" is already zeroed:
struct nvif_client_v0 args = { .device = device };
So there's no need for _pad(). However, I couldn't immediatley see
why args.name must be %NUL terminated. It's ultimately passed through
an ioctl:
return client->driver->ioctl(client->object.priv, data, size, hack);
But I did find it...
args is:
struct nvif_client_v0 {
...
char name[32];
};
And "name" only ever comes through nvif_client_ctor(), which all end up
via here, using "cli":
struct nouveau_cli {
...
char name[32];
...
snprintf(cli->name, sizeof(cli->name), "%s", sname);
...
ret = nvif_client_ctor(&drm->master.base, cli->name, device,
&cli->base);
So we'll always be %NUL terminated.
Therefore, yes, conversion looks good:
Reviewed-by: Kees Cook <keescook@...omium.org>
Thanks!
-Kees
>
> ---
> base-commit: 3669558bdf354cd352be955ef2764cde6a9bf5ec
> change-id: 20230914-strncpy-drivers-gpu-drm-nouveau-nvif-client-c-82b023c36953
>
> Best regards,
> --
> Justin Stitt <justinstitt@...gle.com>
>
--
Kees Cook
Powered by blists - more mailing lists