arch/sh/drivers/dma/dma-api.c | 2 +- arch/sh/kernel/setup.c | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-)
strlcpy() reads the entire source buffer first.
This read may exceed the destination size limit.
This is both inefficient and can lead to linear read
overflows if a source string is not NUL-terminated [1].
In an effort to remove strlcpy() completely [2], replace
strlcpy() here with strscpy().
No return values were used, so direct replacement is safe.
[1] https://www.kernel.org/doc/html/latest/process/deprecated.html#strlcpy
[2] https://github.com/KSPP/linux/issues/89
Signed-off-by: Azeem Shaikh <azeemshaikh38@gmail.com>
---
arch/sh/drivers/dma/dma-api.c | 2 +-
arch/sh/kernel/setup.c | 4 ++--
2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/arch/sh/drivers/dma/dma-api.c b/arch/sh/drivers/dma/dma-api.c
index ab9170494dcc..89cd4a3b4cca 100644
--- a/arch/sh/drivers/dma/dma-api.c
+++ b/arch/sh/drivers/dma/dma-api.c
@@ -198,7 +198,7 @@ int request_dma(unsigned int chan, const char *dev_id)
if (atomic_xchg(&channel->busy, 1))
return -EBUSY;
- strlcpy(channel->dev_id, dev_id, sizeof(channel->dev_id));
+ strscpy(channel->dev_id, dev_id, sizeof(channel->dev_id));
if (info->ops->request) {
result = info->ops->request(channel);
diff --git a/arch/sh/kernel/setup.c b/arch/sh/kernel/setup.c
index af977ec4ca5e..e4f0f9a1d355 100644
--- a/arch/sh/kernel/setup.c
+++ b/arch/sh/kernel/setup.c
@@ -304,9 +304,9 @@ void __init setup_arch(char **cmdline_p)
bss_resource.end = virt_to_phys(__bss_stop)-1;
#ifdef CONFIG_CMDLINE_OVERWRITE
- strlcpy(command_line, CONFIG_CMDLINE, sizeof(command_line));
+ strscpy(command_line, CONFIG_CMDLINE, sizeof(command_line));
#else
- strlcpy(command_line, COMMAND_LINE, sizeof(command_line));
+ strscpy(command_line, COMMAND_LINE, sizeof(command_line));
#ifdef CONFIG_CMDLINE_EXTEND
strlcat(command_line, " ", sizeof(command_line));
strlcat(command_line, CONFIG_CMDLINE, sizeof(command_line));On Tue, 2023-05-30 at 16:30 +0000, Azeem Shaikh wrote:
> strlcpy() reads the entire source buffer first.
> This read may exceed the destination size limit.
> This is both inefficient and can lead to linear read
> overflows if a source string is not NUL-terminated [1].
> In an effort to remove strlcpy() completely [2], replace
> strlcpy() here with strscpy().
> No return values were used, so direct replacement is safe.
>
> [1] https://www.kernel.org/doc/html/latest/process/deprecated.html#strlcpy
> [2] https://github.com/KSPP/linux/issues/89
>
> Signed-off-by: Azeem Shaikh <azeemshaikh38@gmail.com>
> ---
> arch/sh/drivers/dma/dma-api.c | 2 +-
> arch/sh/kernel/setup.c | 4 ++--
> 2 files changed, 3 insertions(+), 3 deletions(-)
>
> diff --git a/arch/sh/drivers/dma/dma-api.c b/arch/sh/drivers/dma/dma-api.c
> index ab9170494dcc..89cd4a3b4cca 100644
> --- a/arch/sh/drivers/dma/dma-api.c
> +++ b/arch/sh/drivers/dma/dma-api.c
> @@ -198,7 +198,7 @@ int request_dma(unsigned int chan, const char *dev_id)
> if (atomic_xchg(&channel->busy, 1))
> return -EBUSY;
>
> - strlcpy(channel->dev_id, dev_id, sizeof(channel->dev_id));
> + strscpy(channel->dev_id, dev_id, sizeof(channel->dev_id));
>
> if (info->ops->request) {
> result = info->ops->request(channel);
> diff --git a/arch/sh/kernel/setup.c b/arch/sh/kernel/setup.c
> index af977ec4ca5e..e4f0f9a1d355 100644
> --- a/arch/sh/kernel/setup.c
> +++ b/arch/sh/kernel/setup.c
> @@ -304,9 +304,9 @@ void __init setup_arch(char **cmdline_p)
> bss_resource.end = virt_to_phys(__bss_stop)-1;
>
> #ifdef CONFIG_CMDLINE_OVERWRITE
> - strlcpy(command_line, CONFIG_CMDLINE, sizeof(command_line));
> + strscpy(command_line, CONFIG_CMDLINE, sizeof(command_line));
> #else
> - strlcpy(command_line, COMMAND_LINE, sizeof(command_line));
> + strscpy(command_line, COMMAND_LINE, sizeof(command_line));
> #ifdef CONFIG_CMDLINE_EXTEND
> strlcat(command_line, " ", sizeof(command_line));
> strlcat(command_line, CONFIG_CMDLINE, sizeof(command_line));
Acked-by: John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de>
--
.''`. John Paul Adrian Glaubitz
: :' : Debian Developer
`. `' Physicist
`- GPG: 62FF 8A75 84E0 2956 9546 0006 7426 3B37 F5B5 F913
On Tue, 2023-05-30 at 16:30 +0000, Azeem Shaikh wrote:
> strlcpy() reads the entire source buffer first.
> This read may exceed the destination size limit.
> This is both inefficient and can lead to linear read
> overflows if a source string is not NUL-terminated [1].
> In an effort to remove strlcpy() completely [2], replace
> strlcpy() here with strscpy().
> No return values were used, so direct replacement is safe.
>
> [1] https://www.kernel.org/doc/html/latest/process/deprecated.html#strlcpy
> [2] https://github.com/KSPP/linux/issues/89
>
> Signed-off-by: Azeem Shaikh <azeemshaikh38@gmail.com>
> ---
> arch/sh/drivers/dma/dma-api.c | 2 +-
> arch/sh/kernel/setup.c | 4 ++--
> 2 files changed, 3 insertions(+), 3 deletions(-)
>
> diff --git a/arch/sh/drivers/dma/dma-api.c b/arch/sh/drivers/dma/dma-api.c
> index ab9170494dcc..89cd4a3b4cca 100644
> --- a/arch/sh/drivers/dma/dma-api.c
> +++ b/arch/sh/drivers/dma/dma-api.c
> @@ -198,7 +198,7 @@ int request_dma(unsigned int chan, const char *dev_id)
> if (atomic_xchg(&channel->busy, 1))
> return -EBUSY;
>
> - strlcpy(channel->dev_id, dev_id, sizeof(channel->dev_id));
> + strscpy(channel->dev_id, dev_id, sizeof(channel->dev_id));
>
> if (info->ops->request) {
> result = info->ops->request(channel);
> diff --git a/arch/sh/kernel/setup.c b/arch/sh/kernel/setup.c
> index af977ec4ca5e..e4f0f9a1d355 100644
> --- a/arch/sh/kernel/setup.c
> +++ b/arch/sh/kernel/setup.c
> @@ -304,9 +304,9 @@ void __init setup_arch(char **cmdline_p)
> bss_resource.end = virt_to_phys(__bss_stop)-1;
>
> #ifdef CONFIG_CMDLINE_OVERWRITE
> - strlcpy(command_line, CONFIG_CMDLINE, sizeof(command_line));
> + strscpy(command_line, CONFIG_CMDLINE, sizeof(command_line));
> #else
> - strlcpy(command_line, COMMAND_LINE, sizeof(command_line));
> + strscpy(command_line, COMMAND_LINE, sizeof(command_line));
> #ifdef CONFIG_CMDLINE_EXTEND
> strlcat(command_line, " ", sizeof(command_line));
> strlcat(command_line, CONFIG_CMDLINE, sizeof(command_line));
Tested-by: John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de>
--
.''`. John Paul Adrian Glaubitz
: :' : Debian Developer
`. `' Physicist
`- GPG: 62FF 8A75 84E0 2956 9546 0006 7426 3B37 F5B5 F913
On Tue, 30 May 2023 16:30:41 +0000, Azeem Shaikh wrote:
> strlcpy() reads the entire source buffer first.
> This read may exceed the destination size limit.
> This is both inefficient and can lead to linear read
> overflows if a source string is not NUL-terminated [1].
> In an effort to remove strlcpy() completely [2], replace
> strlcpy() here with strscpy().
> No return values were used, so direct replacement is safe.
>
> [...]
Build tested with sh4 GCC 13.1 from:
https://mirrors.edge.kernel.org/pub/tools/crosstool/files/bin/x86_64/13.1.0/
with defconfig and:
CONFIG_CPU_SUBTYPE_SH7343=y
CONFIG_SH_DMA=y
CONFIG_SH_DMA_API=y
Applied to for-next/hardening, thanks!
[1/1] sh: Replace all non-returning strlcpy with strscpy
https://git.kernel.org/kees/c/ca64da3052be
--
Kees Cook
Hi Kees! On Wed, 2023-06-14 at 11:44 -0700, Kees Cook wrote: > On Tue, 30 May 2023 16:30:41 +0000, Azeem Shaikh wrote: > > strlcpy() reads the entire source buffer first. > > This read may exceed the destination size limit. > > This is both inefficient and can lead to linear read > > overflows if a source string is not NUL-terminated [1]. > > In an effort to remove strlcpy() completely [2], replace > > strlcpy() here with strscpy(). > > No return values were used, so direct replacement is safe. > > > > [...] > > Build tested with sh4 GCC 13.1 from: > https://mirrors.edge.kernel.org/pub/tools/crosstool/files/bin/x86_64/13.1.0/ > > with defconfig and: > CONFIG_CPU_SUBTYPE_SH7343=y > CONFIG_SH_DMA=y > CONFIG_SH_DMA_API=y > > Applied to for-next/hardening, thanks! > > [1/1] sh: Replace all non-returning strlcpy with strscpy > https://git.kernel.org/kees/c/ca64da3052be > Apologies, this fell off my table. I should have acked and tested this being the SuperH maintainer. If you can still update the patch in your tree, I can both test and ack this patch. Adrian -- .''`. John Paul Adrian Glaubitz : :' : Debian Developer `. `' Physicist `- GPG: 62FF 8A75 84E0 2956 9546 0006 7426 3B37 F5B5 F913
On Wed, Jun 14, 2023 at 08:49:13PM +0200, John Paul Adrian Glaubitz wrote: > Hi Kees! > > On Wed, 2023-06-14 at 11:44 -0700, Kees Cook wrote: > > On Tue, 30 May 2023 16:30:41 +0000, Azeem Shaikh wrote: > > > strlcpy() reads the entire source buffer first. > > > This read may exceed the destination size limit. > > > This is both inefficient and can lead to linear read > > > overflows if a source string is not NUL-terminated [1]. > > > In an effort to remove strlcpy() completely [2], replace > > > strlcpy() here with strscpy(). > > > No return values were used, so direct replacement is safe. > > > > > > [...] > > > > Build tested with sh4 GCC 13.1 from: > > https://mirrors.edge.kernel.org/pub/tools/crosstool/files/bin/x86_64/13.1.0/ > > > > with defconfig and: > > CONFIG_CPU_SUBTYPE_SH7343=y > > CONFIG_SH_DMA=y > > CONFIG_SH_DMA_API=y > > > > Applied to for-next/hardening, thanks! > > > > [1/1] sh: Replace all non-returning strlcpy with strscpy > > https://git.kernel.org/kees/c/ca64da3052be > > > > Apologies, this fell off my table. I should have acked and tested this being the > SuperH maintainer. If you can still update the patch in your tree, I can both > test and ack this patch. Absolutely! Thanks for double-checking. :) -Kees -- Kees Cook
On Wed, 2023-06-14 at 12:03 -0700, Kees Cook wrote: > On Wed, Jun 14, 2023 at 08:49:13PM +0200, John Paul Adrian Glaubitz wrote: > > Hi Kees! > > > > On Wed, 2023-06-14 at 11:44 -0700, Kees Cook wrote: > > > On Tue, 30 May 2023 16:30:41 +0000, Azeem Shaikh wrote: > > > > strlcpy() reads the entire source buffer first. > > > > This read may exceed the destination size limit. > > > > This is both inefficient and can lead to linear read > > > > overflows if a source string is not NUL-terminated [1]. > > > > In an effort to remove strlcpy() completely [2], replace > > > > strlcpy() here with strscpy(). > > > > No return values were used, so direct replacement is safe. > > > > > > > > [...] > > > > > > Build tested with sh4 GCC 13.1 from: > > > https://mirrors.edge.kernel.org/pub/tools/crosstool/files/bin/x86_64/13.1.0/ > > > > > > with defconfig and: > > > CONFIG_CPU_SUBTYPE_SH7343=y > > > CONFIG_SH_DMA=y > > > CONFIG_SH_DMA_API=y > > > > > > Applied to for-next/hardening, thanks! > > > > > > [1/1] sh: Replace all non-returning strlcpy with strscpy > > > https://git.kernel.org/kees/c/ca64da3052be > > > > > > > Apologies, this fell off my table. I should have acked and tested this being the > > SuperH maintainer. If you can still update the patch in your tree, I can both > > test and ack this patch. > > Absolutely! Thanks for double-checking. :) I have tested the patch on my SH-7785LCR board on top of Linus' tree and also acked it. Thanks, Adrian -- .''`. John Paul Adrian Glaubitz : :' : Debian Developer `. `' Physicist `- GPG: 62FF 8A75 84E0 2956 9546 0006 7426 3B37 F5B5 F913
On Wed, Jun 14, 2023 at 09:23:49PM +0200, John Paul Adrian Glaubitz wrote: > On Wed, 2023-06-14 at 12:03 -0700, Kees Cook wrote: > > On Wed, Jun 14, 2023 at 08:49:13PM +0200, John Paul Adrian Glaubitz wrote: > > > Hi Kees! > > > > > > On Wed, 2023-06-14 at 11:44 -0700, Kees Cook wrote: > > > > On Tue, 30 May 2023 16:30:41 +0000, Azeem Shaikh wrote: > > > > > strlcpy() reads the entire source buffer first. > > > > > This read may exceed the destination size limit. > > > > > This is both inefficient and can lead to linear read > > > > > overflows if a source string is not NUL-terminated [1]. > > > > > In an effort to remove strlcpy() completely [2], replace > > > > > strlcpy() here with strscpy(). > > > > > No return values were used, so direct replacement is safe. > > > > > > > > > > [...] > > > > > > > > Build tested with sh4 GCC 13.1 from: > > > > https://mirrors.edge.kernel.org/pub/tools/crosstool/files/bin/x86_64/13.1.0/ > > > > > > > > with defconfig and: > > > > CONFIG_CPU_SUBTYPE_SH7343=y > > > > CONFIG_SH_DMA=y > > > > CONFIG_SH_DMA_API=y > > > > > > > > Applied to for-next/hardening, thanks! > > > > > > > > [1/1] sh: Replace all non-returning strlcpy with strscpy > > > > https://git.kernel.org/kees/c/ca64da3052be > > > > > > > > > > Apologies, this fell off my table. I should have acked and tested this being the > > > SuperH maintainer. If you can still update the patch in your tree, I can both > > > test and ack this patch. > > > > Absolutely! Thanks for double-checking. :) > > I have tested the patch on my SH-7785LCR board on top of Linus' tree and > also acked it. Awesome. :) I have updated the tags and will push out my tree shortly. Thanks! -Kees -- Kees Cook
On Tue, May 30, 2023 at 04:30:41PM +0000, Azeem Shaikh wrote: > strlcpy() reads the entire source buffer first. > This read may exceed the destination size limit. > This is both inefficient and can lead to linear read > overflows if a source string is not NUL-terminated [1]. > In an effort to remove strlcpy() completely [2], replace > strlcpy() here with strscpy(). > No return values were used, so direct replacement is safe. > > [1] https://www.kernel.org/doc/html/latest/process/deprecated.html#strlcpy > [2] https://github.com/KSPP/linux/issues/89 > > Signed-off-by: Azeem Shaikh <azeemshaikh38@gmail.com> Reviewed-by: Kees Cook <keescook@chromium.org> -- Kees Cook
© 2016 - 2026 Red Hat, Inc.