kernel/trace/trace_events_synth.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-)
From: Xu Panda <xu.panda@zte.com.cn>
The implementation of strscpy() is more robust and safer.
That's now the recommended way to copy NUL-terminated strings.
Signed-off-by: Xu Panda <xu.panda@zte.com.cn>
Signed-off-by: Yang Yang <yang.yang29@zte.com.cn>
---
kernel/trace/trace_events_synth.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/kernel/trace/trace_events_synth.c b/kernel/trace/trace_events_synth.c
index 67592eed0be8..cd636edd045e 100644
--- a/kernel/trace/trace_events_synth.c
+++ b/kernel/trace/trace_events_synth.c
@@ -195,8 +195,7 @@ static int synth_field_string_size(char *type)
if (len == 0)
return 0; /* variable-length string */
- strncpy(buf, start, len);
- buf[len] = '\0';
+ strscpy(buf, start, len + 1);
err = kstrtouint(buf, 0, &size);
if (err)
--
2.15.2On Mon, 9 Jan 2023 19:39:21 +0800 (CST)
<yang.yang29@zte.com.cn> wrote:
> From: Xu Panda <xu.panda@zte.com.cn>
>
> The implementation of strscpy() is more robust and safer.
> That's now the recommended way to copy NUL-terminated strings.
But the string being copied is *not* NUL-terminated! And this change causes
a bug.
This is the 3rd patch I've seen that blindly converts strncpy() to
strscpy() and causes a bug in doing so. Not very safe if you ask me.
>
> Signed-off-by: Xu Panda <xu.panda@zte.com.cn>
> Signed-off-by: Yang Yang <yang.yang29@zte.com.cn>
> ---
> kernel/trace/trace_events_synth.c | 3 +--
> 1 file changed, 1 insertion(+), 2 deletions(-)
>
> diff --git a/kernel/trace/trace_events_synth.c b/kernel/trace/trace_events_synth.c
> index 67592eed0be8..cd636edd045e 100644
> --- a/kernel/trace/trace_events_synth.c
> +++ b/kernel/trace/trace_events_synth.c
> @@ -195,8 +195,7 @@ static int synth_field_string_size(char *type)
> if (len == 0)
> return 0; /* variable-length string */
>
> - strncpy(buf, start, len);
> - buf[len] = '\0';
> + strscpy(buf, start, len + 1);
>
> err = kstrtouint(buf, 0, &size);
> if (err)
Here's the code being affected:
static int synth_field_string_size(char *type)
{
char buf[4], *end, *start;
unsigned int len;
int size, err;
start = strstr(type, "char[");
if (start == NULL)
return -EINVAL;
start += sizeof("char[") - 1;
end = strchr(type, ']');
if (!end || end < start || type + strlen(type) > end + 1)
return -EINVAL;
len = end - start;
if (len > 3)
return -EINVAL;
if (len == 0)
return 0; /* variable-length string */
strncpy(buf, start, len);
buf[len] = '\0';
And you are replacing the above two lines with just:
strscpy(buf, start, len + 1);
If you noticed, the string being placed into buf is:
"char[123]"
Where we want to copy that "123" into buf.
strscpy() expects the source to be nul terminated, or it will return -E2BIG.
So the above will *always* return -E2BIG *and* not end buf[] with '\0' as
if strscpy() returns -E2BIG, then buf[] is not guaranteed to be
NUL-terminated.
NACK!
-- Steve
Hi Steven, I was about to submit the same patch when I found this one from 2023. On 24. Jan 2023, at 18:17, Steven Rostedt wrote: > So the above will *always* return -E2BIG *and* not end buf[] with '\0' as > if strscpy() returns -E2BIG, then buf[] is not guaranteed to be > NUL-terminated. The return value is not used and the strscpy() documentation in linux/string.h says: "The destination @dst buffer is always NUL terminated, unless it's zero- sized." and "Preferred to strncpy() since it always returns a valid string, ..." Has strscpy() changed since 2023 or could this patch be revisited? I saw that Justin also made an effort in September 2024 [1] to revisit it and to remove the deprecated strncpy() here. > NACK! > > -- Steve Thanks, Thorsten [1] https://lore.kernel.org/r/yhv3rzg6vhgwage27cyvg72t4vwf5x3tdtj3zjipryzvz3u55x@c33q753uxyi3/ Cc: linux-hardening@vger.kernel.org
Hi Steve,
Can we revisit this patch? see below.
On Tue, Jan 24, 2023 at 12:17:03PM GMT, Steven Rostedt wrote:
> On Mon, 9 Jan 2023 19:39:21 +0800 (CST)
> <yang.yang29@zte.com.cn> wrote:
>
> > From: Xu Panda <xu.panda@zte.com.cn>
> >
> > The implementation of strscpy() is more robust and safer.
> > That's now the recommended way to copy NUL-terminated strings.
>
> But the string being copied is *not* NUL-terminated! And this change causes
> a bug.
>
> This is the 3rd patch I've seen that blindly converts strncpy() to
> strscpy() and causes a bug in doing so. Not very safe if you ask me.
>
> >
> > Signed-off-by: Xu Panda <xu.panda@zte.com.cn>
> > Signed-off-by: Yang Yang <yang.yang29@zte.com.cn>
> > ---
> > kernel/trace/trace_events_synth.c | 3 +--
> > 1 file changed, 1 insertion(+), 2 deletions(-)
> >
> > diff --git a/kernel/trace/trace_events_synth.c b/kernel/trace/trace_events_synth.c
> > index 67592eed0be8..cd636edd045e 100644
> > --- a/kernel/trace/trace_events_synth.c
> > +++ b/kernel/trace/trace_events_synth.c
> > @@ -195,8 +195,7 @@ static int synth_field_string_size(char *type)
> > if (len == 0)
> > return 0; /* variable-length string */
> >
> > - strncpy(buf, start, len);
> > - buf[len] = '\0';
> > + strscpy(buf, start, len + 1);
> >
> > err = kstrtouint(buf, 0, &size);
> > if (err)
>
>
> Here's the code being affected:
>
> static int synth_field_string_size(char *type)
> {
> char buf[4], *end, *start;
> unsigned int len;
> int size, err;
>
> start = strstr(type, "char[");
> if (start == NULL)
> return -EINVAL;
> start += sizeof("char[") - 1;
>
> end = strchr(type, ']');
> if (!end || end < start || type + strlen(type) > end + 1)
> return -EINVAL;
>
> len = end - start;
> if (len > 3)
> return -EINVAL;
>
> if (len == 0)
> return 0; /* variable-length string */
>
> strncpy(buf, start, len);
> buf[len] = '\0';
>
> And you are replacing the above two lines with just:
>
> strscpy(buf, start, len + 1);
>
>
> If you noticed, the string being placed into buf is:
>
> "char[123]"
>
> Where we want to copy that "123" into buf.
>
> strscpy() expects the source to be nul terminated, or it will return -E2BIG.
>
> So the above will *always* return -E2BIG *and* not end buf[] with '\0' as
> if strscpy() returns -E2BIG, then buf[] is not guaranteed to be
> NUL-terminated.
@buf should still be NUL-terminated while returning -E2BIG in this
instance. For context, here's the implementation of strscpy():
...
/* Hit buffer length without finding a NUL; force NUL-termination. */
if (res)
dest[res-1] = '\0';
return -E2BIG;
... and the only other spot where we can return E2BIG is way earlier in
the function where we check the count.
if (count == 0 || WARN_ON_ONCE(count > INT_MAX))
return -E2BIG;
So it seems we should be NUL-terminating @buf in all cases, considering
count is greater than 0 and certainly not larger than INT_MAX. And, with
the `len + 1` we shouldn't be seeing any data loss either.
>
> NACK!
>
> -- Steve
>
I'm keen on replacing this instance of strncpy towards the goal of [1].
If we don't want to use strscpy() I think memcpy() is another viable
alternative (of course leaving the manual NUL-byte assignment as-is).
[1]: https://github.com/KSPP/linux/issues/90
Thanks
Justin
On Mon, 9 Jan 2023 19:39:21 +0800 (CST) <yang.yang29@zte.com.cn> wrote: > From: Xu Panda <xu.panda@zte.com.cn> > > The implementation of strscpy() is more robust and safer. > That's now the recommended way to copy NUL-terminated strings. This looks good to me. Acked-by: Masami Hiramatsu (Google) <mhiramat@kernel.org> Thank you, > > Signed-off-by: Xu Panda <xu.panda@zte.com.cn> > Signed-off-by: Yang Yang <yang.yang29@zte.com.cn> > --- > kernel/trace/trace_events_synth.c | 3 +-- > 1 file changed, 1 insertion(+), 2 deletions(-) > > diff --git a/kernel/trace/trace_events_synth.c b/kernel/trace/trace_events_synth.c > index 67592eed0be8..cd636edd045e 100644 > --- a/kernel/trace/trace_events_synth.c > +++ b/kernel/trace/trace_events_synth.c > @@ -195,8 +195,7 @@ static int synth_field_string_size(char *type) > if (len == 0) > return 0; /* variable-length string */ > > - strncpy(buf, start, len); > - buf[len] = '\0'; > + strscpy(buf, start, len + 1); > > err = kstrtouint(buf, 0, &size); > if (err) > -- > 2.15.2 -- Masami Hiramatsu (Google) <mhiramat@kernel.org>
© 2016 - 2026 Red Hat, Inc.