linux-edac.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: Len Baker <len.baker@gmx.com>
To: Borislav Petkov <bp@alien8.de>
Cc: Len Baker <len.baker@gmx.com>,
	Mauro Carvalho Chehab <mchehab@kernel.org>,
	Tony Luck <tony.luck@intel.com>,
	James Morse <james.morse@arm.com>,
	Robert Richter <rric@kernel.org>, Joe Perches <joe@perches.com>,
	David Laight <David.Laight@aculab.com>,
	Kees Cook <keescook@chromium.org>,
	linux-hardening@vger.kernel.org, linux-edac@vger.kernel.org,
	linux-kernel@vger.kernel.org
Subject: Re: [PATCH v4] EDAC/mc: Prefer strscpy over strcpy
Date: Tue, 24 Aug 2021 12:28:07 +0200	[thread overview]
Message-ID: <20210824090338.GB7999@titan> (raw)
In-Reply-To: <YSPbOo90alPsv4vL@zn.tnic>

Hi Borislav,

On Mon, Aug 23, 2021 at 07:30:34PM +0200, Borislav Petkov wrote:
> On Sat, Aug 14, 2021 at 09:55:27AM +0200, Len Baker wrote:
> > strcpy() performs no bounds checking on the destination buffer. This
> > could result in linear overflows beyond the end of the buffer, leading
> > to all kinds of misbehaviors. The safe replacement is strscpy().
> >
> > This is a previous step in the path to remove the strcpy() function
>
> "previous step"?

This is a task of the KSPP [1] and the main reason is to clean up the
proliferation of str*cpy functions in the kernel.

[1] https://github.com/KSPP/linux/issues/88

> > entirely from the kernel.
> >
> > Signed-off-by: Len Baker <len.baker@gmx.com>
>
> ...
>
> > diff --git a/drivers/edac/edac_mc.c b/drivers/edac/edac_mc.c
> > index f6d462d0be2d..7aea6c502316 100644
> > --- a/drivers/edac/edac_mc.c
> > +++ b/drivers/edac/edac_mc.c
> > @@ -1032,6 +1032,7 @@ void edac_mc_handle_error(const enum hw_event_mc_err_type type,
> >  	int i, n_labels = 0;
> >  	struct edac_raw_error_desc *e = &mci->error_desc;
> >  	bool any_memory = true;
> > +	size_t len;
> >
> >  	edac_dbg(3, "MC%d\n", mci->mc_idx);
> >
> > @@ -1086,6 +1087,7 @@ void edac_mc_handle_error(const enum hw_event_mc_err_type type,
> >  	 */
> >  	p = e->label;
> >  	*p = '\0';
> > +	len = sizeof(e->label);
> >
> >  	mci_for_each_dimm(mci, dimm) {
> >  		if (top_layer >= 0 && top_layer != dimm->location[0])
> > @@ -1114,10 +1116,12 @@ void edac_mc_handle_error(const enum hw_event_mc_err_type type,
> >  			*p = '\0';
> >  		} else {
> >  			if (p != e->label) {
> > -				strcpy(p, OTHER_LABEL);
> > -				p += strlen(OTHER_LABEL);
> > +				strscpy(p, OTHER_LABEL, len);
>
> Hm, maybe I'm missing something but looking at that strscpy()
> definition, why aren't you doing:
>
> 				num = strscpy(p, OTHER_LABEL, len);
> 				if (num < 0)
> 					/* just in case */
> 					break;
>
> 				len -= num;
> 				p   += num;
>
> since that function supposedly returns the number of chars copied.

Yes, you are right. The same discussion happened in the v3 review [2] and
I agree with the reasons that Robert Richter exposed. Using the strlen()
implementation it is not necessary to check the return code of strcpy and
we can assume a silent truncation.

[2] https://lore.kernel.org/linux-hardening/YRN+8u59lJ6MWsOL@rric.localdomain/

Regards,
Len

> > +				len -= strlen(p);
> > +				p += strlen(p);
> >  			}
> > -			strcpy(p, dimm->label);
> > +			strscpy(p, dimm->label, len);
> > +			len -= strlen(p);
> >  			p += strlen(p);
>
> Ditto.
>
> Thx.
>
> --
> Regards/Gruss,
>     Boris.
>
> https://people.kernel.org/tglx/notes-about-netiquette

  reply	other threads:[~2021-08-24 10:28 UTC|newest]

Thread overview: 10+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2021-08-14  7:55 [PATCH v4] EDAC/mc: Prefer strscpy over strcpy Len Baker
2021-08-23 17:30 ` Borislav Petkov
2021-08-24 10:28   ` Len Baker [this message]
2021-08-24 18:26     ` Borislav Petkov
2021-08-24 19:05       ` Joe Perches
2021-08-25  8:48       ` David Laight
2021-08-27 17:36       ` Len Baker
2021-08-27 17:54         ` Borislav Petkov
2021-08-27 19:08           ` Joe Perches
2021-08-29 16:14           ` Len Baker

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20210824090338.GB7999@titan \
    --to=len.baker@gmx.com \
    --cc=David.Laight@aculab.com \
    --cc=bp@alien8.de \
    --cc=james.morse@arm.com \
    --cc=joe@perches.com \
    --cc=keescook@chromium.org \
    --cc=linux-edac@vger.kernel.org \
    --cc=linux-hardening@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=mchehab@kernel.org \
    --cc=rric@kernel.org \
    --cc=tony.luck@intel.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).