Hi Steve, Can we revisit this patch? see below.
On Tue, Jan 24, 2023 at 12:17:03PM GMT, Steven Rostedt wrote: > On Mon, 9 Jan 2023 19:39:21 +0800 (CST) > <[email protected]> wrote: > > > From: Xu Panda <[email protected]> > > > > The implementation of strscpy() is more robust and safer. > > That's now the recommended way to copy NUL-terminated strings. > > But the string being copied is *not* NUL-terminated! And this change causes > a bug. > > This is the 3rd patch I've seen that blindly converts strncpy() to > strscpy() and causes a bug in doing so. Not very safe if you ask me. > > > > > Signed-off-by: Xu Panda <[email protected]> > > Signed-off-by: Yang Yang <[email protected]> > > --- > > kernel/trace/trace_events_synth.c | 3 +-- > > 1 file changed, 1 insertion(+), 2 deletions(-) > > > > diff --git a/kernel/trace/trace_events_synth.c > > b/kernel/trace/trace_events_synth.c > > index 67592eed0be8..cd636edd045e 100644 > > --- a/kernel/trace/trace_events_synth.c > > +++ b/kernel/trace/trace_events_synth.c > > @@ -195,8 +195,7 @@ static int synth_field_string_size(char *type) > > if (len == 0) > > return 0; /* variable-length string */ > > > > - strncpy(buf, start, len); > > - buf[len] = '\0'; > > + strscpy(buf, start, len + 1); > > > > err = kstrtouint(buf, 0, &size); > > if (err) > > > Here's the code being affected: > > static int synth_field_string_size(char *type) > { > char buf[4], *end, *start; > unsigned int len; > int size, err; > > start = strstr(type, "char["); > if (start == NULL) > return -EINVAL; > start += sizeof("char[") - 1; > > end = strchr(type, ']'); > if (!end || end < start || type + strlen(type) > end + 1) > return -EINVAL; > > len = end - start; > if (len > 3) > return -EINVAL; > > if (len == 0) > return 0; /* variable-length string */ > > strncpy(buf, start, len); > buf[len] = '\0'; > > And you are replacing the above two lines with just: > > strscpy(buf, start, len + 1); > > > If you noticed, the string being placed into buf is: > > "char[123]" > > Where we want to copy that "123" into buf. > > strscpy() expects the source to be nul terminated, or it will return -E2BIG. > > So the above will *always* return -E2BIG *and* not end buf[] with '\0' as > if strscpy() returns -E2BIG, then buf[] is not guaranteed to be > NUL-terminated. @buf should still be NUL-terminated while returning -E2BIG in this instance. For context, here's the implementation of strscpy(): ... /* Hit buffer length without finding a NUL; force NUL-termination. */ if (res) dest[res-1] = '\0'; return -E2BIG; ... and the only other spot where we can return E2BIG is way earlier in the function where we check the count. if (count == 0 || WARN_ON_ONCE(count > INT_MAX)) return -E2BIG; So it seems we should be NUL-terminating @buf in all cases, considering count is greater than 0 and certainly not larger than INT_MAX. And, with the `len + 1` we shouldn't be seeing any data loss either. > > NACK! > > -- Steve > I'm keen on replacing this instance of strncpy towards the goal of [1]. If we don't want to use strscpy() I think memcpy() is another viable alternative (of course leaving the manual NUL-byte assignment as-is). [1]: https://github.com/KSPP/linux/issues/90 Thanks Justin
