Re: [PATCH] habanalabs/gaudi: refactor deprecated strncpy

From: Kees Cook
Date: Fri Aug 25 2023 - 16:32:41 EST


On Thu, Aug 24, 2023 at 08:41:26PM +0000, Justin Stitt wrote:
> `strncpy` is deprecated for use on NUL-terminated destination strings [1].
>
> A suitable replacement is `strscpy` [2] due to the fact that it
> guarantees NUL-termination on its destination buffer argument which is
> _not_ the case for `strncpy`!

For strncpy replacements the commit log needs to always address 2 items,
and really get spelled out for reviewers since the diff context is
rarely enough information to judge the safety of the change:

1) How did you determine that the destination buffer does or does not
require %NUL termination?

2) How did you determine that the destination buffer does or does not
need to be %NUL padded?

>
> Link: www.kernel.org/doc/html/latest/process/deprecated.html#strncpy-on-nul-terminated-strings[1]
> Link: https://manpages.debian.org/testing/linux-manual-4.8/strscpy.9.en.html [2]
> Link: https://github.com/KSPP/linux/issues/90
> Cc: linux-hardening@xxxxxxxxxxxxxxx
> Signed-off-by: Justin Stitt <justinstitt@xxxxxxxxxx>
> ---
> Note: build-tested only
> ---
> drivers/accel/habanalabs/gaudi/gaudi.c | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/accel/habanalabs/gaudi/gaudi.c b/drivers/accel/habanalabs/gaudi/gaudi.c
> index 056e2ef44afb..f175456cdef0 100644
> --- a/drivers/accel/habanalabs/gaudi/gaudi.c
> +++ b/drivers/accel/habanalabs/gaudi/gaudi.c
> @@ -660,7 +660,7 @@ static int gaudi_set_fixed_properties(struct hl_device *hdev)
> prop->pcie_dbi_base_address = mmPCIE_DBI_BASE;
> prop->pcie_aux_dbi_reg_addr = CFG_BASE + mmPCIE_AUX_DBI;
>
> - strncpy(prop->cpucp_info.card_name, GAUDI_DEFAULT_CARD_NAME,
> + strscpy(prop->cpucp_info.card_name, GAUDI_DEFAULT_CARD_NAME,
> CARD_NAME_MAX_LEN);
>
> prop->max_pending_cs = GAUDI_MAX_PENDING_CS;
> @@ -8000,7 +8000,7 @@ static int gaudi_cpucp_info_get(struct hl_device *hdev)
> return rc;
>
> if (!strlen(prop->cpucp_info.card_name))
> - strncpy(prop->cpucp_info.card_name, GAUDI_DEFAULT_CARD_NAME,
> + strscpy(prop->cpucp_info.card_name, GAUDI_DEFAULT_CARD_NAME,
> CARD_NAME_MAX_LEN);

When I look at this string, I see it gets copied out to userspace
directly:

static int hw_ip_info(struct hl_device *hdev, struct hl_info_args *args)
{
struct hl_info_hw_ip_info hw_ip = {0};
...
memcpy(hw_ip.card_name, prop->cpucp_info.card_name,
min(CARD_NAME_MAX_LEN, HL_INFO_CARD_NAME_MAX_LEN));
...
return copy_to_user(out, &hw_ip,
min((size_t) size, sizeof(hw_ip))) ? -EFAULT : 0;
}

So if "prop" isn't zero initialized, this is now a kernel memory content
exposure, due to the lack of padding.

If I track the allocation of "hdev" all the way back, I can see it is,
however, zero initialized:

static int create_hdev(struct hl_device **dev, struct pci_dev *pdev)
...
hdev = kzalloc(sizeof(*hdev), GFP_KERNEL);


But since it's still sent via copy_to_user(), the more defensive
replacement here should be strscpy_pad().

(Also, I think you can do all three files in the same patch -- it's
operating on the same struct and in the same way.)

-Kees

--
Kees Cook