Hi Lee, On Fri, Jun 26, 2020 at 3:06 PM Lee Jones <[email protected]> wrote: > We need to ensure there's a place for the NULL terminator.
But who's filling that space with a NUL (not NULL) terminator? > Fixes the following W=1 warning(s): > > In file included from include/linux/bitmap.h:9, > from include/linux/nodemask.h:95, > from include/linux/mmzone.h:17, > from include/linux/gfp.h:6, > from include/linux/umh.h:4, > from include/linux/kmod.h:9, > from include/linux/module.h:16, > from drivers/misc/c2port/core.c:9: > In function ‘strncpy’, > inlined from ‘c2port_device_register’ at drivers/misc/c2port/core.c:926:2: > include/linux/string.h:297:30: warning: ‘__builtin_strncpy’ specified bound > 32 equals destination size [-Wstringop-truncation] > 297 | #define __underlying_strncpy __builtin_strncpy > | ^ > include/linux/string.h:307:9: note: in expansion of macro > ‘__underlying_strncpy’ > 307 | return __underlying_strncpy(p, q, size); > | ^~~~~~~~~~~~~~~~~~~~ > > Cc: Rodolfo Giometti <[email protected]> > Cc: "Eurotech S.p.A" <[email protected]> > Signed-off-by: Lee Jones <[email protected]> > --- > drivers/misc/c2port/core.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/drivers/misc/c2port/core.c b/drivers/misc/c2port/core.c > index 33bba18022892..80d87e8a0bea9 100644 > --- a/drivers/misc/c2port/core.c > +++ b/drivers/misc/c2port/core.c > @@ -923,7 +923,7 @@ struct c2port_device *c2port_device_register(char *name, > } > dev_set_drvdata(c2dev->dev, c2dev); c2dev is allocated using: c2dev = kmalloc(sizeof(struct c2port_device), GFP_KERNEL); hence the allocated memory is not zeroed. > > - strncpy(c2dev->name, name, C2PORT_NAME_LEN); > + strncpy(c2dev->name, name, C2PORT_NAME_LEN - 1); strncpy() 1. does not terminate the destination with a NUL if the source length is C2PORT_NAME_LEN - 1, 2. fills all remaining space in the destination buffer with NUL characters. So c2dev.name[C2PORT_NAME_LEN - 1] always contains an uninitialized value. Now, it seems the only caller of c2port_device_register() passes "uc" as the name. Which means in practice c2dev.name[] will be NUL-terminated. However, the last byte will still be uninitialized, and if the buffer is ever copied to userspace, your patch will have introduced a leak. > c2dev->ops = ops; > mutex_init(&c2dev->mutex); Gr{oetje,eeting}s, Geert -- Geert Uytterhoeven -- There's lots of Linux beyond ia32 -- [email protected] In personal conversations with technical people, I call myself a hacker. But when I'm talking to journalists I just say "programmer" or something like that. -- Linus Torvalds
