Re: [PATCH] lib/string: avoid reading beyond src buffer in strscpy

From: Linus Torvalds
Date: Tue Dec 12 2017 - 17:42:59 EST


On Tue, Dec 12, 2017 at 8:06 AM, Andrey Ryabinin
<aryabinin@xxxxxxxxxxxxx> wrote:
>
> See for yourself, strscpy() is the only string function doing this.

No, strnlen_user() definitely does too.

It's just that KASAN doesn't track user pointers.

And the important strlen() in the kernel is the pathname hashing code,
which *definitely* accesses outside the source, but since it can
actually traverse to another page we have that one annotated too (with
load_unaligned_zeropad()).

So no, strscpy() isn't the only one doing it, it is just the only one
that KASAN catches.

Linus
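
The behaviour discussed in this message, as an added userspace illustration (not part of the email and not kernel code): a word-at-a-time scan loads bytes past the terminating NUL, and an 8-byte load stays inside one page when it is aligned but can reach into the next page when it is not. The function names, the 4096-byte page size and the 0xAA filler bytes are assumptions made for the demo.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PAGE_SZ 4096u                 /* assumed page size */
#define ONES  0x0101010101010101ULL
#define HIGHS 0x8080808080808080ULL

/* Nonzero iff at least one byte of w is 0x00. */
static int has_zero_byte(uint64_t w) { return ((w - ONES) & ~w & HIGHS) != 0; }

/* Scan buf (cap bytes, a multiple of 8) one 64-bit word at a time.
 * Returns the string length; *touched gets the number of bytes loaded. */
size_t wordwise_strlen(const unsigned char *buf, size_t cap, size_t *touched)
{
    for (size_t off = 0; off + 8 <= cap; off += 8) {
        uint64_t w;
        memcpy(&w, buf + off, 8);     /* the full-word load */
        *touched = off + 8;
        if (has_zero_byte(w))
            for (size_t i = 0; i < 8; i++)
                if (buf[off + i] == 0)
                    return off + i;
    }
    return cap;                       /* no terminator found within cap */
}

/* Bytes loaded past the terminating NUL of s (s must fit in the 64-byte buffer). */
size_t overread_bytes(const char *s)
{
    unsigned char buf[64];
    size_t n = strlen(s), touched = 0;
    if (n >= sizeof buf) return 0;    /* demo limit, not a real result */
    memset(buf, 0xAA, sizeof buf);    /* constructed stand-in for neighbouring memory */
    memcpy(buf, s, n + 1);
    wordwise_strlen(buf, sizeof buf, &touched);
    return touched - (n + 1);
}

/* Would an 8-byte load starting at addr touch the following page? */
int load_crosses_page(uintptr_t addr) { return (addr & (PAGE_SZ - 1)) > PAGE_SZ - 8; }

int main(void)
{
    printf("bytes read past NUL of \"abc\": %zu\n", overread_bytes("abc"));
    printf("load at 4088 / 4089 crosses page: %d / %d\n",
           load_crosses_page(4088), load_crosses_page(4089));
    return 0;
}
```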