samples: Replace strlcpy() with strscpy()
Commit Message
strlcpy() reads the entire source buffer first. This read may exceed
the destination size limit. This is both inefficient and can lead
to linear read overflows if a source string is not NUL-terminated[1].
Additionally, it returns the size of the source string, not the
resulting size of the destination string. In an effort to remove strlcpy()
completely[2], replace strlcpy() here with strscpy().
Link: https://www.kernel.org/doc/html/latest/process/deprecated.html#strlcpy [1]
Link: https://github.com/KSPP/linux/issues/89 [2]
Cc: Masami Hiramatsu <mhiramat@kernel.org>
Cc: Valentin Schneider <vschneid@redhat.com>
Cc: "Steven Rostedt (Google)" <rostedt@goodmis.org>
Cc: Chuck Lever <chuck.lever@oracle.com>
Cc: Geliang Tang <geliang.tang@suse.com>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Kees Cook <keescook@chromium.org>
---
samples/trace_events/trace-events-sample.h | 2 +-
samples/v4l/v4l2-pci-skeleton.c | 10 +++++-----
2 files changed, 6 insertions(+), 6 deletions(-)
Comments
On Thu, 16 Nov 2023 11:15:10 -0800
Kees Cook <keescook@chromium.org> wrote:
> diff --git a/samples/trace_events/trace-events-sample.h b/samples/trace_events/trace-events-sample.h
> index 1c6b843b8c4e..23f923ccd529 100644
> --- a/samples/trace_events/trace-events-sample.h
> +++ b/samples/trace_events/trace-events-sample.h
> @@ -305,7 +305,7 @@ TRACE_EVENT(foo_bar,
> ),
>
> TP_fast_assign(
> - strlcpy(__entry->foo, foo, 10);
> + strscpy(__entry->foo, foo, 10);
> __entry->bar = bar;
> memcpy(__get_dynamic_array(list), lst,
> __length_of(lst) * sizeof(int));
Acked-by: Steven Rostedt (Google) <rostedt@goodmis.org>
-- Steve
On Thu, 16 Nov 2023 11:15:10 -0800, Kees Cook wrote:
> strlcpy() reads the entire source buffer first. This read may exceed
> the destination size limit. This is both inefficient and can lead
> to linear read overflows if a source string is not NUL-terminated[1].
> Additionally, it returns the size of the source string, not the
> resulting size of the destination string. In an effort to remove strlcpy()
> completely[2], replace strlcpy() here with strscpy().
>
> [...]
Applied to for-next/hardening, thanks!
[1/1] samples: Replace strlcpy() with strscpy()
https://git.kernel.org/kees/c/40b2519d7566
Take care,
@@ -305,7 +305,7 @@ TRACE_EVENT(foo_bar,
),
TP_fast_assign(
- strlcpy(__entry->foo, foo, 10);
+ strscpy(__entry->foo, foo, 10);
__entry->bar = bar;
memcpy(__get_dynamic_array(list), lst,
__length_of(lst) * sizeof(int));
@@ -291,8 +291,8 @@ static int skeleton_querycap(struct file *file, void *priv,
{
struct skeleton *skel = video_drvdata(file);
- strlcpy(cap->driver, KBUILD_MODNAME, sizeof(cap->driver));
- strlcpy(cap->card, "V4L2 PCI Skeleton", sizeof(cap->card));
+ strscpy(cap->driver, KBUILD_MODNAME, sizeof(cap->driver));
+ strscpy(cap->card, "V4L2 PCI Skeleton", sizeof(cap->card));
snprintf(cap->bus_info, sizeof(cap->bus_info), "PCI:%s",
pci_name(skel->pdev));
return 0;
@@ -597,11 +597,11 @@ static int skeleton_enum_input(struct file *file, void *priv,
i->type = V4L2_INPUT_TYPE_CAMERA;
if (i->index == 0) {
i->std = SKEL_TVNORMS;
- strlcpy(i->name, "S-Video", sizeof(i->name));
+ strscpy(i->name, "S-Video", sizeof(i->name));
i->capabilities = V4L2_IN_CAP_STD;
} else {
i->std = 0;
- strlcpy(i->name, "HDMI", sizeof(i->name));
+ strscpy(i->name, "HDMI", sizeof(i->name));
i->capabilities = V4L2_IN_CAP_DV_TIMINGS;
}
return 0;
@@ -845,7 +845,7 @@ static int skeleton_probe(struct pci_dev *pdev, const struct pci_device_id *ent)
/* Initialize the video_device structure */
vdev = &skel->vdev;
- strlcpy(vdev->name, KBUILD_MODNAME, sizeof(vdev->name));
+ strscpy(vdev->name, KBUILD_MODNAME, sizeof(vdev->name));
/*
* There is nothing to clean up, so release is set to an empty release
* function. The release callback must be non-NULL.