lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date: Thu, 28 Sep 2023 14:41:59 +0100
From: Lee Jones <lee@...nel.org>
To: Kees Cook <keescook@...omium.org>
Cc: Justin Stitt <justinstitt@...gle.com>, Pavel Machek <pavel@....cz>,
	linux-leds@...r.kernel.org, linux-kernel@...r.kernel.org,
	linux-hardening@...r.kernel.org
Subject: Re: [PATCH] leds: lp3952: replace deprecated strncpy with strscpy

On Sat, 23 Sep 2023, Kees Cook wrote:

> On Fri, Sep 22, 2023 at 03:27:17PM +0000, Justin Stitt wrote:
> > `strncpy` is deprecated for use on NUL-terminated destination strings
> > [1] and as such we should prefer more robust and less ambiguous string
> > interfaces.
> > 
> > We expect `dest` to be NUL-terminated due to its use with dev_err.
> > 
> > lp3952_get_label()'s  dest argument is priv->leds[i].name:
> > |    acpi_ret = lp3952_get_label(&priv->client->dev, led_name_hdl[i],
> > |                                priv->leds[i].name);
> > ... which is then assigned to:
> > |    priv->leds[i].cdev.name = priv->leds[i].name;
> > ... which is used with a format string
> > |    dev_err(&priv->client->dev,
> > |            "couldn't register LED %s\n",
> > |            priv->leds[i].cdev.name);
> > 
> > There is no indication that NUL-padding is required but if it is let's
> > opt for strscpy_pad.
> > 
> > Considering the above, a suitable replacement is `strscpy` [2] due to
> > the fact that it guarantees NUL-termination on the destination buffer
> > without unnecessarily NUL-padding.
> > 
> > Link: https://www.kernel.org/doc/html/latest/process/deprecated.html#strncpy-on-nul-terminated-strings [1]
> > Link: https://manpages.debian.org/testing/linux-manual-4.8/strscpy.9.en.html [2]
> > Link: https://github.com/KSPP/linux/issues/90
> > Cc: linux-hardening@...r.kernel.org
> > Signed-off-by: Justin Stitt <justinstitt@...gle.com>
> > ---
> > Note: build-tested only.
> > ---
> >  drivers/leds/leds-lp3952.c | 2 +-
> >  1 file changed, 1 insertion(+), 1 deletion(-)
> > 
> > diff --git a/drivers/leds/leds-lp3952.c b/drivers/leds/leds-lp3952.c
> > index 3bd55652a706..62ade3f05a87 100644
> > --- a/drivers/leds/leds-lp3952.c
> > +++ b/drivers/leds/leds-lp3952.c
> > @@ -101,7 +101,7 @@ static int lp3952_get_label(struct device *dev, const char *label, char *dest)
> >  	if (ret)
> >  		return ret;
> >  
> > -	strncpy(dest, str, LP3952_LABEL_MAX_LEN);
> > +	strscpy(dest, str, LP3952_LABEL_MAX_LEN);
> 
> Given my desire to use sizeof(dest) for these things, I wonder if it'd
> be nicer to pass more context here for the compiler as the only user of
> this function is the immediately next function. Instead of passing in
> "char *dest", it could pass "struct lp3952_led_array *priv", and
> suddenly sizeof() would be possible.
> 
> But, since it's technically correct as-is:
> 
> struct lp3952_ctrl_hdl {
>         struct led_classdev cdev;
>         char name[LP3952_LABEL_MAX_LEN];
> 
> There's no pressing need to actually do the priv refactor. It's just a
> comment on the coding style of the original code. :)
> 
> Reviewed-by: Kees Cook <keescook@...omium.org>

I've applied this as-is, but please consider Kees' proposal.

-- 
Lee Jones [李琼斯]

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ