1. Patchew
  2. linux
  3. View series

[PATCH v2] scsi: target: Replace deprecated strncpy() with strscpy()

Thorsten Blum posted 1 patch 9 months, 2 weeks ago 
drivers/target/target_core_configfs.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
[PATCH v2] scsi: target: Replace deprecated strncpy() with strscpy()
Posted by Thorsten Blum 9 months, 2 weeks ago 
strncpy() is deprecated for NUL-terminated destination buffers; use
strscpy() instead. The destination buffer db_root is only used with "%s"
format strings and must therefore be NUL-terminated, but not NUL-padded.

Use scnprintf() because snprintf() could return a value >= DB_ROOT_LEN
and lead to an out-of-bounds access. This doesn't happen because count
is explicitly checked against DB_ROOT_LEN before. However, scnprintf()
always returns the number of characters actually written to the string
buffer, which is always within the bounds of db_root_stage, and should
be preferred over snprintf().

The size parameter of strscpy() is optional and since DB_ROOT_LEN is the
size of the destination buffer, it can be removed. Remove it to simplify
the code.

Compile-tested only.

Link: https://github.com/KSPP/linux/issues/90
Link: https://github.com/KSPP/linux/issues/105
Cc: linux-hardening@vger.kernel.org
Signed-off-by: Thorsten Blum <thorsten.blum@linux.dev>
---
Changes in v2:
- Improve the commit message and replace another strncpy() as suggested
  by Kees Cook
- Replace snprintf() with scnprintf()
- Link to v1: https://lore.kernel.org/r/20250226121003.359876-1-thorsten.blum@linux.dev/
---
 drivers/target/target_core_configfs.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/drivers/target/target_core_configfs.c b/drivers/target/target_core_configfs.c
index c40217f44b1b..66804bf1ee32 100644
--- a/drivers/target/target_core_configfs.c
+++ b/drivers/target/target_core_configfs.c
@@ -123,7 +123,7 @@ static ssize_t target_core_item_dbroot_store(struct config_item *item,
 		goto unlock;
 	}
 
-	read_bytes = snprintf(db_root_stage, DB_ROOT_LEN, "%s", page);
+	read_bytes = scnprintf(db_root_stage, DB_ROOT_LEN, "%s", page);
 	if (!read_bytes)
 		goto unlock;
 
@@ -143,7 +143,7 @@ static ssize_t target_core_item_dbroot_store(struct config_item *item,
 	}
 	filp_close(fp, NULL);
 
-	strncpy(db_root, db_root_stage, read_bytes);
+	strscpy(db_root, db_root_stage);
 	pr_debug("Target_Core_ConfigFS: db_root set to %s\n", db_root);
 
 	r = read_bytes;
@@ -3664,7 +3664,7 @@ static void target_init_dbroot(void)
 	}
 	filp_close(fp, NULL);
 
-	strncpy(db_root, db_root_stage, DB_ROOT_LEN);
+	strscpy(db_root, db_root_stage);
 	pr_debug("Target_Core_ConfigFS: db_root set to %s\n", db_root);
 }
 
-- 
2.48.1
Re: [PATCH v2] scsi: target: Replace deprecated strncpy() with strscpy()
Posted by Martin K. Petersen 9 months, 1 week ago 
On Sun, 02 Mar 2025 23:56:41 +0100, Thorsten Blum wrote:

> strncpy() is deprecated for NUL-terminated destination buffers; use
> strscpy() instead. The destination buffer db_root is only used with "%s"
> format strings and must therefore be NUL-terminated, but not NUL-padded.
> 
> Use scnprintf() because snprintf() could return a value >= DB_ROOT_LEN
> and lead to an out-of-bounds access. This doesn't happen because count
> is explicitly checked against DB_ROOT_LEN before. However, scnprintf()
> always returns the number of characters actually written to the string
> buffer, which is always within the bounds of db_root_stage, and should
> be preferred over snprintf().
> 
> [...]

Applied to 6.15/scsi-queue, thanks!

[1/1] scsi: target: Replace deprecated strncpy() with strscpy()
      https://git.kernel.org/mkp/scsi/c/dfb7df1ddb29

-- 
Martin K. Petersen	Oracle Linux Engineering
Re: [PATCH v2] scsi: target: Replace deprecated strncpy() with strscpy()
Posted by Martin K. Petersen 9 months, 2 weeks ago 
Thorsten,

> strncpy() is deprecated for NUL-terminated destination buffers; use
> strscpy() instead. The destination buffer db_root is only used with
> "%s" format strings and must therefore be NUL-terminated, but not
> NUL-padded.

Applied to 6.15/scsi-staging, thanks!

-- 
Martin K. Petersen	Oracle Linux Engineering
Re: [PATCH v2] scsi: target: Replace deprecated strncpy() with strscpy()
Posted by Kees Cook 9 months, 2 weeks ago 
On Sun, Mar 02, 2025 at 11:56:41PM +0100, Thorsten Blum wrote:
> strncpy() is deprecated for NUL-terminated destination buffers; use
> strscpy() instead. The destination buffer db_root is only used with "%s"
> format strings and must therefore be NUL-terminated, but not NUL-padded.
> 
> Use scnprintf() because snprintf() could return a value >= DB_ROOT_LEN
> and lead to an out-of-bounds access. This doesn't happen because count
> is explicitly checked against DB_ROOT_LEN before. However, scnprintf()
> always returns the number of characters actually written to the string
> buffer, which is always within the bounds of db_root_stage, and should
> be preferred over snprintf().
> 
> The size parameter of strscpy() is optional and since DB_ROOT_LEN is the
> size of the destination buffer, it can be removed. Remove it to simplify
> the code.
> 
> Compile-tested only.
> 
> Link: https://github.com/KSPP/linux/issues/90
> Link: https://github.com/KSPP/linux/issues/105
> Cc: linux-hardening@vger.kernel.org
> Signed-off-by: Thorsten Blum <thorsten.blum@linux.dev>

Reviewed-by: Kees Cook <kees@kernel.org>

-- 
Kees Cook

Patchew 2.1-devel-b67e4c2

© 2016 - 2025 Red Hat, Inc.