[v4,0/3] drivers/soc: Remove all strcpy() uses

Message ID	20210808125012.4715-1-len.baker@gmx.com
Headers	show Return-Path: <linux-arm-msm-owner@kernel.org> From: Len Baker <len.baker@gmx.com> To: Andy Gross <agross@kernel.org>, Bjorn Andersson <bjorn.andersson@linaro.org>, Geert Uytterhoeven <geert+renesas@glider.be>, Magnus Damm <magnus.damm@gmail.com>, Santosh Shilimkar <ssantosh@kernel.org> Cc: Len Baker <len.baker@gmx.com>, Kees Cook <keescook@chromium.org>, David Laight <David.Laight@ACULAB.COM>, Robin Murphy <robin.murphy@arm.com>, linux-hardening@vger.kernel.org, linux-arm-msm@vger.kernel.org, linux-kernel@vger.kernel.org, linux-renesas-soc@vger.kernel.org, linux-arm-kernel@lists.infradead.org Subject: [PATCH v4 0/3] drivers/soc: Remove all strcpy() uses Date: Sun, 8 Aug 2021 14:50:09 +0200 Message-Id: <20210808125012.4715-1-len.baker@gmx.com> MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk
Series	drivers/soc: Remove all strcpy() uses \| expand [v4,0/3] drivers/soc: Remove all strcpy() uses [v4,1/3] drivers/soc/qcom: Prefer strscpy over strcpy [v4,2/3] drivers/soc/renesas: Prefer memcpy over strcpy [v4,3/3] drivers/soc/ti: Prefer strscpy over strcpy

Message ID

20210808125012.4715-1-len.baker@gmx.com

Headers

From: Len Baker <len.baker@gmx.com>
To: Andy Gross <agross@kernel.org>,
	Bjorn Andersson <bjorn.andersson@linaro.org>,
	Geert Uytterhoeven <geert+renesas@glider.be>,
	Magnus Damm <magnus.damm@gmail.com>,
	Santosh Shilimkar <ssantosh@kernel.org>
Cc: Len Baker <len.baker@gmx.com>, Kees Cook <keescook@chromium.org>,
	David Laight <David.Laight@ACULAB.COM>,
	Robin Murphy <robin.murphy@arm.com>,
	linux-hardening@vger.kernel.org, linux-arm-msm@vger.kernel.org,
	linux-kernel@vger.kernel.org, linux-renesas-soc@vger.kernel.org,
	linux-arm-kernel@lists.infradead.org
Subject: [PATCH v4 0/3] drivers/soc: Remove all strcpy() uses
Date: Sun,  8 Aug 2021 14:50:09 +0200
Message-Id: <20210808125012.4715-1-len.baker@gmx.com>
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Precedence: bulk

Series

drivers/soc: Remove all strcpy() uses | expand

Message

Len Baker Aug. 8, 2021, 12:50 p.m. UTC

strcpy() performs no bounds checking on the destination buffer. This
could result in linear overflows beyond the end of the buffer, leading
to all kinds of misbehaviors. So use strscpy() or memcpy() as a safe
replacement.

This is a task of the KSPP [1].

Changelog v1 -> v2
- Change the "area_name_size" variable for a shorter name (Geert
  Uytterhoeven).
- Add the "Reviewed-by: Geert Uytterhoeven" tag.
- Use the memcpy function instead of strscpy function when the
  size of the destination buffer cannot be obtained with "sizeof"
  (David Laight, Robin Murphy).

Changelog v2 -> v3
- Remove the "Reviewed-by: Geert Uytterhoeven" tag since the code
  has changed after the v1 review (use of memcpy instead of
  strscpy).

Changelog v3 -> v4
- Split the changes in 3 commits (Bjorn Andersson).
- Don't break a long line (Bjorn Andersson).
- Reword the commit when used the memcpy function (Bjorn Andersson)

The previous version can be found here [2].

[1] https://github.com/KSPP/linux/issues/88
[2] https://lore.kernel.org/linux-hardening/20210801131958.6144-1-len.baker@gmx.com/

Len Baker (3):
  drivers/soc/qcom: Prefer strscpy over strcpy
  drivers/soc/renesas: Prefer memcpy over strcpy
  drivers/soc/ti: Prefer strscpy over strcpy

 drivers/soc/qcom/pdr_interface.c    | 12 ++++++------
 drivers/soc/renesas/r8a779a0-sysc.c |  6 ++++--
 drivers/soc/renesas/rcar-sysc.c     |  6 ++++--
 drivers/soc/ti/knav_dma.c           |  2 +-
 4 files changed, 15 insertions(+), 11 deletions(-)

--
2.25.1

Comments

Bernd Petrovitsch Aug. 8, 2021, 3:35 p.m. UTC | #1

Hi all!

On 08/08/2021 14:50, Len Baker wrote:
> strcpy() performs no bounds checking on the destination buffer. This
> could result in linear overflows beyond the end of the buffer, leading
> to all kinds of misbehaviors. So, use memcpy() as a safe replacement.
> 
> This is a previous step in the path to remove the strcpy() function
> entirely from the kernel.
> 
> Signed-off-by: Len Baker <len.baker@gmx.com>
> ---
>  drivers/soc/renesas/r8a779a0-sysc.c | 6 ++++--
>  drivers/soc/renesas/rcar-sysc.c     | 6 ++++--
>  2 files changed, 8 insertions(+), 4 deletions(-)
> 
> diff --git a/drivers/soc/renesas/r8a779a0-sysc.c b/drivers/soc/renesas/r8a779a0-sysc.c
> index d464ffa1be33..7410b9fa9846 100644
> --- a/drivers/soc/renesas/r8a779a0-sysc.c
> +++ b/drivers/soc/renesas/r8a779a0-sysc.c
> @@ -404,19 +404,21 @@ static int __init r8a779a0_sysc_pd_init(void)
>  	for (i = 0; i < info->num_areas; i++) {
>  		const struct r8a779a0_sysc_area *area = &info->areas[i];
>  		struct r8a779a0_sysc_pd *pd;
> +		size_t n;
> 
>  		if (!area->name) {
>  			/* Skip NULLified area */
>  			continue;
>  		}
> 
> -		pd = kzalloc(sizeof(*pd) + strlen(area->name) + 1, GFP_KERNEL)> +		n = strlen(area->name) + 1;
> +		pd = kzalloc(sizeof(*pd) + n, GFP_KERNEL);
Zeroing the allocated bytes is not needed since it's completly
overwritten with the strcpy()/memcpy().
>  		if (!pd) {
>  			error = -ENOMEM;
>  			goto out_put;
>  		}
> 
> -		strcpy(pd->name, area->name);
> +		memcpy(pd->name, area->name, n);
>  		pd->genpd.name = pd->name;
>  		pd->pdr = area->pdr;
>  		pd->flags = area->flags;

And similar for the second hunk.

MfG,
	Bernd

Christophe JAILLET Aug. 8, 2021, 5:06 p.m. UTC | #2

Hi,

Le 08/08/2021 à 17:35, Bernd Petrovitsch a écrit :
> Hi all!
> 
> On 08/08/2021 14:50, Len Baker wrote:
>> strcpy() performs no bounds checking on the destination buffer. This
>> could result in linear overflows beyond the end of the buffer, leading
>> to all kinds of misbehaviors. So, use memcpy() as a safe replacement.
>>
>> This is a previous step in the path to remove the strcpy() function
>> entirely from the kernel.
>>
>> Signed-off-by: Len Baker <len.baker@gmx.com>
>> ---
>>   drivers/soc/renesas/r8a779a0-sysc.c | 6 ++++--
>>   drivers/soc/renesas/rcar-sysc.c     | 6 ++++--
>>   2 files changed, 8 insertions(+), 4 deletions(-)
>>
>> diff --git a/drivers/soc/renesas/r8a779a0-sysc.c b/drivers/soc/renesas/r8a779a0-sysc.c
>> index d464ffa1be33..7410b9fa9846 100644
>> --- a/drivers/soc/renesas/r8a779a0-sysc.c
>> +++ b/drivers/soc/renesas/r8a779a0-sysc.c
>> @@ -404,19 +404,21 @@ static int __init r8a779a0_sysc_pd_init(void)
>>   	for (i = 0; i < info->num_areas; i++) {
>>   		const struct r8a779a0_sysc_area *area = &info->areas[i];
>>   		struct r8a779a0_sysc_pd *pd;
>> +		size_t n;
>>
>>   		if (!area->name) {
>>   			/* Skip NULLified area */
>>   			continue;
>>   		}
>>
>> -		pd = kzalloc(sizeof(*pd) + strlen(area->name) + 1, GFP_KERNEL);
>> +		n = strlen(area->name) + 1;
>> +		pd = kzalloc(sizeof(*pd) + n, GFP_KERNEL);
> Zeroing the allocated bytes is not needed since it's completly
> overwritten with the strcpy()/memcpy().

The strcpy()/memcpy() only overwrites the pd->name field, not the whole 
pd structure.
I think that it is needed to keep the kzalloc.

Just my 2c,
CJ

>>   		if (!pd) {
>>   			error = -ENOMEM;
>>   			goto out_put;
>>   		}
>>
>> -		strcpy(pd->name, area->name);
>> +		memcpy(pd->name, area->name, n);
>>   		pd->genpd.name = pd->name;
>>   		pd->pdr = area->pdr;
>>   		pd->flags = area->flags;
> 
> And similar for the second hunk.
> 
> MfG,
> 	Bernd
>

Len Baker Aug. 10, 2021, 3:59 p.m. UTC | #3

Hi,

On Sun, Aug 08, 2021 at 07:06:30PM +0200, Christophe JAILLET wrote:
> Hi,

>

> Le 08/08/2021 à 17:35, Bernd Petrovitsch a écrit :

> > Hi all!

> >

> > On 08/08/2021 14:50, Len Baker wrote:

> > > strcpy() performs no bounds checking on the destination buffer. This

> > > could result in linear overflows beyond the end of the buffer, leading

> > > to all kinds of misbehaviors. So, use memcpy() as a safe replacement.

> > >

> > > This is a previous step in the path to remove the strcpy() function

> > > entirely from the kernel.

> > >

> > > Signed-off-by: Len Baker <len.baker@gmx.com>

> > > ---

> > >   drivers/soc/renesas/r8a779a0-sysc.c | 6 ++++--

> > >   drivers/soc/renesas/rcar-sysc.c     | 6 ++++--

> > >   2 files changed, 8 insertions(+), 4 deletions(-)

> > >

> > > diff --git a/drivers/soc/renesas/r8a779a0-sysc.c b/drivers/soc/renesas/r8a779a0-sysc.c

> > > index d464ffa1be33..7410b9fa9846 100644

> > > --- a/drivers/soc/renesas/r8a779a0-sysc.c

> > > +++ b/drivers/soc/renesas/r8a779a0-sysc.c

> > > @@ -404,19 +404,21 @@ static int __init r8a779a0_sysc_pd_init(void)

> > >   	for (i = 0; i < info->num_areas; i++) {

> > >   		const struct r8a779a0_sysc_area *area = &info->areas[i];

> > >   		struct r8a779a0_sysc_pd *pd;

> > > +		size_t n;

> > >

> > >   		if (!area->name) {

> > >   			/* Skip NULLified area */

> > >   			continue;

> > >   		}

> > >

> > > -		pd = kzalloc(sizeof(*pd) + strlen(area->name) + 1, GFP_KERNEL);

> > > +		n = strlen(area->name) + 1;

> > > +		pd = kzalloc(sizeof(*pd) + n, GFP_KERNEL);

> > Zeroing the allocated bytes is not needed since it's completly

> > overwritten with the strcpy()/memcpy().

>

> The strcpy()/memcpy() only overwrites the pd->name field, not the whole pd

> structure.


You are right.

> I think that it is needed to keep the kzalloc.


Yes, I think so. The kzalloc is needed to guarantee that the whole struct is
initialize (all the members are initialized with zeros).

Regards,
Len

>

> Just my 2c,

> CJ

>

> > >   		if (!pd) {

> > >   			error = -ENOMEM;

> > >   			goto out_put;

> > >   		}

> > >

> > > -		strcpy(pd->name, area->name);

> > > +		memcpy(pd->name, area->name, n);

> > >   		pd->genpd.name = pd->name;

> > >   		pd->pdr = area->pdr;

> > >   		pd->flags = area->flags;

> >

> > And similar for the second hunk.

> >

> > MfG,

> > 	Bernd

> >

>