RE: [PATCH] drivers/soc: Remove all strcpy() uses in favor of strscpy()
From: David Laight <hidden>
Date: 2021-07-28 08:36:51
Also in:
linux-arm-msm, linux-hardening, linux-renesas-soc, lkml
From: Geert Uytterhoeven
Sent: 26 July 2021 09:03 Hi Len, On Sun, Jul 25, 2021 at 5:15 PM Len Baker [off-list ref] wrote:quoted
strcpy() performs no bounds checking on the destination buffer. This could result in linear overflows beyond the end of the buffer, leading to all kinds of misbehaviors. The safe replacement is strscpy(). Signed-off-by: Len Baker <redacted>Thanks for your patch!quoted
--- This is a task of the KSPP [1] [1] https://github.com/KSPP/linux/issues/88Any chance the almost one year old question in that ticket can be answered?quoted
drivers/soc/renesas/rcar-sysc.c | 6 ++++--Reviewed-by: Geert Uytterhoeven <geert+renesas@glider.be> But please see my comments below...quoted
--- a/drivers/soc/renesas/r8a779a0-sysc.c +++ b/drivers/soc/renesas/r8a779a0-sysc.c@@ -404,19 +404,21 @@ static int __init r8a779a0_sysc_pd_init(void) for (i = 0; i < info->num_areas; i++) { const struct r8a779a0_sysc_area *area = &info->areas[i]; struct r8a779a0_sysc_pd *pd; + size_t area_name_size;I wouldn't mind a shorter name, like "n".quoted
if (!area->name) { /* Skip NULLified area */ continue; } - pd = kzalloc(sizeof(*pd) + strlen(area->name) + 1, GFP_KERNEL); + area_name_size = strlen(area->name) + 1; + pd = kzalloc(sizeof(*pd) + area_name_size, GFP_KERNEL); if (!pd) { error = -ENOMEM; goto out_put; } - strcpy(pd->name, area->name); + strscpy(pd->name, area->name, area_name_size);
You can just use memcpy(). David - Registered Address Lakeside, Bramley Road, Mount Farm, Milton Keynes, MK1 1PT, UK Registration No: 1397386 (Wales) _______________________________________________ linux-arm-kernel mailing list linux-arm-kernel@lists.infradead.org http://lists.infradead.org/mailman/listinfo/linux-arm-kernel