Re: [PATCH] bpf: replace deprecated strncpy with strscpy

From: Daniel Borkmann
Date: Wed Apr 03 2024 - 10:55:21 EST


On 4/3/24 5:06 AM, Ratheesh Kannoth wrote:
On 2024-04-03 at 05:22:50, Justin Stitt (justinstitt@xxxxxxxxxx) wrote:
strncpy() is deprecated for use on NUL-terminated destination strings
[1] and as such we should prefer more robust and less ambiguous string
interfaces.

bpf sym names get looked up and compared/cleaned with various string
apis. This suggests they need to be NUL-terminated (strncpy() suggests
this but does not guarantee it).

| static int compare_symbol_name(const char *name, char *namebuf)
| {
| cleanup_symbol_name(namebuf);
| return strcmp(name, namebuf);
| }

| static void cleanup_symbol_name(char *s)
| {
| ...
| res = strstr(s, ".llvm.");
| ...
| }

Use strscpy() as this method guarantees NUL-termination on the
destination buffer.

This patch also replaces two uses of strncpy() used in log.c. These are
simple replacements as postfix has been zero-initialized on the stack
and has source arguments with a size less than the destination's size.

Note that this patch uses the new 2-argument version of strscpy
introduced in Commit e6584c3964f2f ("string: Allow 2-argument
strscpy()").

Link: https://www.kernel.org/doc/html/latest/process/deprecated.html#strncpy-on-nul-terminated-strings [1]
Link: https://manpages.debian.org/testing/linux-manual-4.8/strscpy.9.en.html [2]
Link: https://github.com/KSPP/linux/issues/90
Cc: linux-hardening@xxxxxxxxxxxxxxx
Signed-off-by: Justin Stitt <justinstitt@xxxxxxxxxx>
---
Note: build-tested only.

Found with: $ rg "strncpy\("
---
kernel/bpf/core.c | 4 ++--
kernel/bpf/log.c | 4 ++--
2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/kernel/bpf/core.c b/kernel/bpf/core.c
index 696bc55de8e8..8c9078f4549c 100644
--- a/kernel/bpf/core.c
+++ b/kernel/bpf/core.c
@@ -747,7 +747,7 @@ const char *__bpf_address_lookup(unsigned long addr, unsigned long *size,
unsigned long symbol_start = ksym->start;
unsigned long symbol_end = ksym->end;

- strncpy(sym, ksym->name, KSYM_NAME_LEN);
+ strscpy(sym, ksym->name, KSYM_NAME_LEN);
You dont have to check return value of strscpy for errors ?

That would be overkill, it can be easily audited that both pointers are
of size KSYM_NAME_LEN, as is the count arg.

Thanks,
Daniel