From: Dan Carpenter <dan.carpenter@linaro.org>
To: Arnd Bergmann <arnd@arndb.de>
Cc: Arnd Bergmann <arnd@kernel.org>,
linux-kernel@vger.kernel.org,
Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
Kees Cook <keescook@chromium.org>,
Daniel Micay <danielmicay@gmail.com>,
linux-staging@lists.linux.dev
Subject: Re: [PATCH 03/11] staging: replace weird strncpy() with memcpy()
Date: Mon, 8 Apr 2024 18:59:47 +0300 [thread overview]
Message-ID: <948ab982-cb4d-46d4-a3c4-cc1c6369eb92@moroto.mountain> (raw)
In-Reply-To: <d8ee72ec-c16f-443a-b9c1-555dcbc69182@app.fastmail.com>
On Mon, Apr 08, 2024 at 04:45:55PM +0200, Arnd Bergmann wrote:
> On Thu, Mar 28, 2024, at 17:35, Dan Carpenter wrote:
> > On Thu, Mar 28, 2024 at 03:04:47PM +0100, Arnd Bergmann wrote:
> >> This partially reverts an earlier bugfix that replaced the original
> >> incorrect memcpy() with a less bad strncpy(), but it now also avoids
> >> the original overflow.
> >>
> >> Fixes: 88a5b39b69ab ("staging/rts5208: Fix read overflow in memcpy")
> >
> > I don't see a problem with this commit. The "sendbytes - 8" prevents
> > a write overflow to buf, and the strncpy() prevents read overflow from
> > inquiry_string.
>
> I agree the commit did not introduce a runtime bug, but it did
> introduce a warning about the string being truncated.
>
> >> diff --git a/drivers/staging/rts5208/rtsx_scsi.c b/drivers/staging/rts5208/rtsx_scsi.c
> >> index 08bd768ad34d..a73b0959f5a9 100644
> >> --- a/drivers/staging/rts5208/rtsx_scsi.c
> >> +++ b/drivers/staging/rts5208/rtsx_scsi.c
> >> @@ -523,7 +523,7 @@ static int inquiry(struct scsi_cmnd *srb, struct rtsx_chip *chip)
> >>
> >> if (sendbytes > 8) {
> >> memcpy(buf, inquiry_buf, 8);
> >> - strncpy(buf + 8, inquiry_string, sendbytes - 8);
> >> + memcpy(buf + 8, inquiry_string, min(sendbytes, 36) - 8);
> >
> > I think your math is off. The string is 29 characters + NUL. So it
> > should be "min(sendbytes, 38) - 8". You're chopping off the space and
> > the NUL terminator.
> >
> > This only affects pro_formatter_flag code...
>
> The extra two bytes were clearly a mistake in the original version
> at the time it got added to drivers/staging. Note how the code
> immediately below it would overwrite the space and NUL byte again:
>
> if (pro_formatter_flag) {
> if (sendbytes > 36)
> memcpy(buf + 36, formatter_inquiry_str, sendbytes - 36);
> }
>
Ah. Okay. Fair enough.
I do think this code is really suspect... What is the point of allowing
sendbytes < 36? But that's not related to your patch.
regards,
dan carpenter
next prev parent reply other threads:[~2024-04-08 15:59 UTC|newest]
Thread overview: 43+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-03-28 14:04 [PATCH 00/11] address remaining stringop-truncation warnings Arnd Bergmann
2024-03-28 14:04 ` Arnd Bergmann
2024-03-28 14:04 ` [PATCH 01/11] staging: vc04_services: changen strncpy() to strscpy_pad() Arnd Bergmann
2024-03-28 14:04 ` Arnd Bergmann
2024-03-28 14:42 ` Dan Carpenter
2024-03-28 14:42 ` Dan Carpenter
2024-03-28 16:15 ` Arnd Bergmann
2024-03-28 16:15 ` Arnd Bergmann
2024-03-28 23:10 ` Justin Stitt
2024-03-28 23:10 ` Justin Stitt
2024-03-28 14:04 ` [PATCH 02/11] scsi: devinfo: rework scsi_strcpy_devinfo() Arnd Bergmann
2024-03-28 16:46 ` Bart Van Assche
2024-03-28 23:14 ` Justin Stitt
2024-03-28 23:18 ` Arnd Bergmann
2024-03-28 14:04 ` [PATCH 03/11] staging: replace weird strncpy() with memcpy() Arnd Bergmann
2024-03-28 16:35 ` Dan Carpenter
2024-04-08 14:45 ` Arnd Bergmann
2024-04-08 15:59 ` Dan Carpenter [this message]
2024-04-08 19:20 ` Arnd Bergmann
2024-03-28 14:04 ` [PATCH 04/11] orangefs: convert strncpy() to strscpy() Arnd Bergmann
2024-03-28 23:17 ` Justin Stitt
2024-03-28 14:04 ` [PATCH 05/11] test_hexdump: avoid string truncation warning Arnd Bergmann
2024-03-28 23:54 ` Justin Stitt
2024-04-08 15:38 ` Arnd Bergmann
2024-04-08 19:53 ` Justin Stitt
2024-03-28 14:04 ` [PATCH 06/11] acpi: avoid warning for truncated string copy Arnd Bergmann
2024-03-28 23:20 ` Justin Stitt
2024-04-08 14:41 ` Rafael J. Wysocki
2024-03-28 14:04 ` [PATCH 07/11] block/partitions/ldm: convert strncpy() to strscpy() Arnd Bergmann
2024-03-28 23:24 ` Justin Stitt
2024-03-28 14:04 ` [PATCH 08/11] blktrace: convert strncpy() to strscpy_pad() Arnd Bergmann
2024-03-28 14:14 ` Steven Rostedt
2024-04-08 18:05 ` Arnd Bergmann
2024-03-28 14:04 ` [PATCH 09/11] staging: rtl8723bs: convert strncpy to strscpy Arnd Bergmann
2024-03-28 23:01 ` Justin Stitt
2024-04-08 18:15 ` Arnd Bergmann
2024-03-28 14:04 ` [PATCH 10/11] staging: greybus: change strncpy() to strscpy() Arnd Bergmann
2024-03-28 15:00 ` Dan Carpenter
2024-04-08 18:26 ` Arnd Bergmann
2024-04-09 7:09 ` Dan Carpenter
2024-03-28 23:28 ` Justin Stitt
2024-04-08 18:30 ` Arnd Bergmann
2024-03-28 14:04 ` [PATCH 11/11] kbuild: enable -Wstringop-truncation globally Arnd Bergmann
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=948ab982-cb4d-46d4-a3c4-cc1c6369eb92@moroto.mountain \
--to=dan.carpenter@linaro.org \
--cc=arnd@arndb.de \
--cc=arnd@kernel.org \
--cc=danielmicay@gmail.com \
--cc=gregkh@linuxfoundation.org \
--cc=keescook@chromium.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-staging@lists.linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.