linux-fbdev.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
* [PATCH] staging/fbtft: Remove all strcpy() uses
@ 2021-07-18 13:39 Len Baker
  2021-07-18 19:42 ` Andy Shevchenko
  0 siblings, 1 reply; 5+ messages in thread
From: Len Baker @ 2021-07-18 13:39 UTC (permalink / raw)
  To: Greg Kroah-Hartman
  Cc: Len Baker, Andy Shevchenko, Phil Reid, dri-devel, linux-fbdev,
	linux-staging, linux-kernel

strcpy() performs no bounds checking on the destination buffer. This
could result in linear overflows beyond the end of the buffer, leading
to all kinds of misbehaviors. The safe replacement is strscpy() but in
this case it is simpler to add NULL to the first position since we want
to empty the string.

This is a previous step in the path to remove the strcpy() function.

Signed-off-by: Len Baker <len.baker@gmx.com>
---
 drivers/staging/fbtft/fbtft-core.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/staging/fbtft/fbtft-core.c b/drivers/staging/fbtft/fbtft-core.c
index 3723269890d5..b8791806cb20 100644
--- a/drivers/staging/fbtft/fbtft-core.c
+++ b/drivers/staging/fbtft/fbtft-core.c
@@ -1037,7 +1037,7 @@ int fbtft_init_display(struct fbtft_par *par)
 		case -1:
 			i++;
 			/* make debug message */
-			strcpy(msg, "");
+			msg[0] = 0;
 			j = i + 1;
 			while (par->init_sequence[j] >= 0) {
 				sprintf(str, "0x%02X ", par->init_sequence[j]);
--
2.25.1


^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: [PATCH] staging/fbtft: Remove all strcpy() uses
  2021-07-18 13:39 [PATCH] staging/fbtft: Remove all strcpy() uses Len Baker
@ 2021-07-18 19:42 ` Andy Shevchenko
  2021-07-19  7:53   ` Geert Uytterhoeven
  2021-07-24 11:09   ` Len Baker
  0 siblings, 2 replies; 5+ messages in thread
From: Andy Shevchenko @ 2021-07-18 19:42 UTC (permalink / raw)
  To: Len Baker
  Cc: Greg Kroah-Hartman, Andy Shevchenko, Phil Reid, dri-devel,
	open list:FRAMEBUFFER LAYER, linux-staging,
	Linux Kernel Mailing List

On Sun, Jul 18, 2021 at 4:43 PM Len Baker <len.baker@gmx.com> wrote:
>
> strcpy() performs no bounds checking on the destination buffer. This
> could result in linear overflows beyond the end of the buffer, leading
> to all kinds of misbehaviors. The safe replacement is strscpy() but in
> this case it is simpler to add NULL to the first position since we want
> to empty the string.

> This is a previous step in the path to remove the strcpy() function.

Any document behind this (something to read on the site(s) more or
less affiliated with what is going to happen in the kernel) to read
background?

...

>                 case -1:
>                         i++;
>                         /* make debug message */
> -                       strcpy(msg, "");
> +                       msg[0] = 0;

Strictly speaking it should be '\0'.

>                         j = i + 1;
>                         while (par->init_sequence[j] >= 0) {
>                                 sprintf(str, "0x%02X ", par->init_sequence[j]);


-- 
With Best Regards,
Andy Shevchenko

^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: [PATCH] staging/fbtft: Remove all strcpy() uses
  2021-07-18 19:42 ` Andy Shevchenko
@ 2021-07-19  7:53   ` Geert Uytterhoeven
  2021-07-24 11:15     ` Len Baker
  2021-07-24 11:09   ` Len Baker
  1 sibling, 1 reply; 5+ messages in thread
From: Geert Uytterhoeven @ 2021-07-19  7:53 UTC (permalink / raw)
  To: Andy Shevchenko
  Cc: Len Baker, Greg Kroah-Hartman, Andy Shevchenko, Phil Reid,
	dri-devel, open list:FRAMEBUFFER LAYER, linux-staging,
	Linux Kernel Mailing List

On Sun, Jul 18, 2021 at 9:43 PM Andy Shevchenko
<andy.shevchenko@gmail.com> wrote:
> On Sun, Jul 18, 2021 at 4:43 PM Len Baker <len.baker@gmx.com> wrote:
> > strcpy() performs no bounds checking on the destination buffer. This
> > could result in linear overflows beyond the end of the buffer, leading
> > to all kinds of misbehaviors. The safe replacement is strscpy() but in
> > this case it is simpler to add NULL to the first position since we want

"NULL" is a pointer value, "NUL" is the character with value zero.

> > to empty the string.
>
> > This is a previous step in the path to remove the strcpy() function.
>
> Any document behind this (something to read on the site(s) more or
> less affiliated with what is going to happen in the kernel) to read
> background?
>
> ...
>
> >                 case -1:
> >                         i++;
> >                         /* make debug message */
> > -                       strcpy(msg, "");

While this strcpy() is provably safe at compile-time, and will probably
be replaced by an assignment to zero by the compiler...

> > +                       msg[0] = 0;
>
> Strictly speaking it should be '\0'.
>
> >                         j = i + 1;
> >                         while (par->init_sequence[j] >= 0) {
> >                                 sprintf(str, "0x%02X ", par->init_sequence[j]);

... the real danger is the

        strcat(msg, str);

on the next line.
Fortunately this whole debug printing block (including the strcpy)
can (and should) be rewritten to just use "%*ph".

Gr{oetje,eeting}s,

                        Geert

-- 
Geert Uytterhoeven -- There's lots of Linux beyond ia32 -- geert@linux-m68k.org

In personal conversations with technical people, I call myself a hacker. But
when I'm talking to journalists I just say "programmer" or something like that.
                                -- Linus Torvalds

^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: [PATCH] staging/fbtft: Remove all strcpy() uses
  2021-07-18 19:42 ` Andy Shevchenko
  2021-07-19  7:53   ` Geert Uytterhoeven
@ 2021-07-24 11:09   ` Len Baker
  1 sibling, 0 replies; 5+ messages in thread
From: Len Baker @ 2021-07-24 11:09 UTC (permalink / raw)
  To: Andy Shevchenko
  Cc: Len Baker, Greg Kroah-Hartman, Phil Reid, dri-devel,
	open list:FRAMEBUFFER LAYER, linux-staging,
	Linux Kernel Mailing List

Hi,

On Sun, Jul 18, 2021 at 10:42:42PM +0300, Andy Shevchenko wrote:
> On Sun, Jul 18, 2021 at 4:43 PM Len Baker <len.baker@gmx.com> wrote:
> >
> > strcpy() performs no bounds checking on the destination buffer. This
> > could result in linear overflows beyond the end of the buffer, leading
> > to all kinds of misbehaviors. The safe replacement is strscpy() but in
> > this case it is simpler to add NULL to the first position since we want
> > to empty the string.
>
> > This is a previous step in the path to remove the strcpy() function.
>
> Any document behind this (something to read on the site(s) more or
> less affiliated with what is going to happen in the kernel) to read
> background?

This is a task of the KSPP (kernel self protection project) [1]

[1] https://github.com/KSPP/linux/issues/88

>
> ...
>
> >                 case -1:
> >                         i++;
> >                         /* make debug message */
> > -                       strcpy(msg, "");
> > +                       msg[0] = 0;
>
> Strictly speaking it should be '\0'.

Ok, understood.

>
> >                         j = i + 1;
> >                         while (par->init_sequence[j] >= 0) {
> >                                 sprintf(str, "0x%02X ", par->init_sequence[j]);
>
>
> --
> With Best Regards,
> Andy Shevchenko

Thanks for the feedback,
Len

^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: [PATCH] staging/fbtft: Remove all strcpy() uses
  2021-07-19  7:53   ` Geert Uytterhoeven
@ 2021-07-24 11:15     ` Len Baker
  0 siblings, 0 replies; 5+ messages in thread
From: Len Baker @ 2021-07-24 11:15 UTC (permalink / raw)
  To: Geert Uytterhoeven, Andy Shevchenko
  Cc: Len Baker, Greg Kroah-Hartman, Phil Reid, dri-devel,
	open list:FRAMEBUFFER LAYER, linux-staging,
	Linux Kernel Mailing List

On Mon, Jul 19, 2021 at 09:53:29AM +0200, Geert Uytterhoeven wrote:
> On Sun, Jul 18, 2021 at 9:43 PM Andy Shevchenko
> <andy.shevchenko@gmail.com> wrote:
> > On Sun, Jul 18, 2021 at 4:43 PM Len Baker <len.baker@gmx.com> wrote:
> > > strcpy() performs no bounds checking on the destination buffer. This
> > > could result in linear overflows beyond the end of the buffer, leading
> > > to all kinds of misbehaviors. The safe replacement is strscpy() but in
> > > this case it is simpler to add NULL to the first position since we want
>
> "NULL" is a pointer value, "NUL" is the character with value zero.

Ok, understood. Thanks.

>
> > > to empty the string.
> >
> > > This is a previous step in the path to remove the strcpy() function.
> >
> > Any document behind this (something to read on the site(s) more or
> > less affiliated with what is going to happen in the kernel) to read
> > background?
> >
> > ...
> >
> > >                 case -1:
> > >                         i++;
> > >                         /* make debug message */
> > > -                       strcpy(msg, "");
>
> While this strcpy() is provably safe at compile-time, and will probably
> be replaced by an assignment to zero by the compiler...
>
> > > +                       msg[0] = 0;
> >
> > Strictly speaking it should be '\0'.
> >
> > >                         j = i + 1;
> > >                         while (par->init_sequence[j] >= 0) {
> > >                                 sprintf(str, "0x%02X ", par->init_sequence[j]);
>
> ... the real danger is the
>
>         strcat(msg, str);
>
> on the next line.
> Fortunately this whole debug printing block (including the strcpy)
> can (and should) be rewritten to just use "%*ph".

Ok, I will work on it and I will send a v2 for review. Thanks for the
feedback.

>
> Gr{oetje,eeting}s,
>
>                         Geert
>
> --
> Geert Uytterhoeven -- There's lots of Linux beyond ia32 -- geert@linux-m68k.org
>
> In personal conversations with technical people, I call myself a hacker. But
> when I'm talking to journalists I just say "programmer" or something like that.
>                                 -- Linus Torvalds

Regards,
Len

^ permalink raw reply	[flat|nested] 5+ messages in thread

end of thread, other threads:[~2021-07-24 11:16 UTC | newest]

Thread overview: 5+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-07-18 13:39 [PATCH] staging/fbtft: Remove all strcpy() uses Len Baker
2021-07-18 19:42 ` Andy Shevchenko
2021-07-19  7:53   ` Geert Uytterhoeven
2021-07-24 11:15     ` Len Baker
2021-07-24 11:09   ` Len Baker

This is a public inbox, see mirroring instructions
on how to clone and mirror all data and code used for this inbox