Re: [PATCH v2] Updating a vulnerable use of strcpy.
From: Rafael J. Wysocki
Date: Mon Jul 01 2024 - 14:11:22 EST
In what way exactly is it vulnerable?
Both ACPI_VIDEO_DEVICE_NAME and ACPI_VIDEO_CLASS are kernel symbols.
On Sun, Jun 30, 2024 at 7:36 PM Muhammad Qasim Abdul Majeed
<qasim.majeed20@xxxxxxxxx> wrote:
>
> Replacing strcpy with strscpy and memory bound the copy.
>
> Signed-off-by: Muhammad Qasim Abdul Majeed <qasim.majeed20@xxxxxxxxx>
> ---
> drivers/acpi/acpi_video.c | 8 ++++----
> 1 file changed, 4 insertions(+), 4 deletions(-)
>
> diff --git a/drivers/acpi/acpi_video.c b/drivers/acpi/acpi_video.c
> index 1fda30388297..6113baffd53f 100644
> --- a/drivers/acpi/acpi_video.c
> +++ b/drivers/acpi/acpi_video.c
> @@ -1128,8 +1128,8 @@ static int acpi_video_bus_get_one_device(struct acpi_device *device, void *arg)
> return -ENOMEM;
> }
>
> - strcpy(acpi_device_name(device), ACPI_VIDEO_DEVICE_NAME);
> - strcpy(acpi_device_class(device), ACPI_VIDEO_CLASS);
> + strscpy(acpi_device_name(device), ACPI_VIDEO_DEVICE_NAME, strlen(ACPI_VIDEO_DEVICE_NAME));
> + strscpy(acpi_device_class(device), ACPI_VIDEO_CLASS, strlen(ACPI_VIDEO_CLASS));
Why is a runtime check needed here if all of the sizes in question are
known at compile time?
>
> data->device_id = device_id;
> data->video = video;
> @@ -2010,8 +2010,8 @@ static int acpi_video_bus_add(struct acpi_device *device)
> }
>
> video->device = device;
> - strcpy(acpi_device_name(device), ACPI_VIDEO_BUS_NAME);
> - strcpy(acpi_device_class(device), ACPI_VIDEO_CLASS);
> + strscpy(acpi_device_name(device), ACPI_VIDEO_BUS_NAME, strlen(ACPI_VIDEO_BUS_NAME));
> + strscpy(acpi_device_class(device), ACPI_VIDEO_CLASS, strlen(ACPI_VIDEO_CLASS));
> device->driver_data = video;
>
> acpi_video_bus_find_cap(video);
> --