Re: [PATCH linux-next] tracing: use strscpy() to instead of strncpy()

From: Justin Stitt
Date: Mon Sep 30 2024 - 21:33:57 EST


Hi Steve,

Can we revisit this patch? see below.

On Tue, Jan 24, 2023 at 12:17:03PM GMT, Steven Rostedt wrote:
> On Mon, 9 Jan 2023 19:39:21 +0800 (CST)
> <yang.yang29@xxxxxxxxxx> wrote:
>
> > From: Xu Panda <xu.panda@xxxxxxxxxx>
> >
> > The implementation of strscpy() is more robust and safer.
> > That's now the recommended way to copy NUL-terminated strings.
>
> But the string being copied is *not* NUL-terminated! And this change causes
> a bug.
>
> This is the 3rd patch I've seen that blindly converts strncpy() to
> strscpy() and causes a bug in doing so. Not very safe if you ask me.
>
> >
> > Signed-off-by: Xu Panda <xu.panda@xxxxxxxxxx>
> > Signed-off-by: Yang Yang <yang.yang29@xxxxxxxxxx>
> > ---
> > kernel/trace/trace_events_synth.c | 3 +--
> > 1 file changed, 1 insertion(+), 2 deletions(-)
> >
> > diff --git a/kernel/trace/trace_events_synth.c b/kernel/trace/trace_events_synth.c
> > index 67592eed0be8..cd636edd045e 100644
> > --- a/kernel/trace/trace_events_synth.c
> > +++ b/kernel/trace/trace_events_synth.c
> > @@ -195,8 +195,7 @@ static int synth_field_string_size(char *type)
> > if (len == 0)
> > return 0; /* variable-length string */
> >
> > - strncpy(buf, start, len);
> > - buf[len] = '\0';
> > + strscpy(buf, start, len + 1);
> >
> > err = kstrtouint(buf, 0, &size);
> > if (err)
>
>
> Here's the code being affected:
>
> static int synth_field_string_size(char *type)
> {
> char buf[4], *end, *start;
> unsigned int len;
> int size, err;
>
> start = strstr(type, "char[");
> if (start == NULL)
> return -EINVAL;
> start += sizeof("char[") - 1;
>
> end = strchr(type, ']');
> if (!end || end < start || type + strlen(type) > end + 1)
> return -EINVAL;
>
> len = end - start;
> if (len > 3)
> return -EINVAL;
>
> if (len == 0)
> return 0; /* variable-length string */
>
> strncpy(buf, start, len);
> buf[len] = '\0';
>
> And you are replacing the above two lines with just:
>
> strscpy(buf, start, len + 1);
>
>
> If you noticed, the string being placed into buf is:
>
> "char[123]"
>
> Where we want to copy that "123" into buf.
>
> strscpy() expects the source to be nul terminated, or it will return -E2BIG.
>
> So the above will *always* return -E2BIG *and* not end buf[] with '\0' as
> if strscpy() returns -E2BIG, then buf[] is not guaranteed to be
> NUL-terminated.

@buf should still be NUL-terminated while returning -E2BIG in this
instance. For context, here's the implementation of strscpy():
...
/* Hit buffer length without finding a NUL; force NUL-termination. */
if (res)
dest[res-1] = '\0';

return -E2BIG;

... and the only other spot where we can return E2BIG is way earlier in
the function where we check the count.
if (count == 0 || WARN_ON_ONCE(count > INT_MAX))
return -E2BIG;

So it seems we should be NUL-terminating @buf in all cases, considering
count is greater than 0 and certainly not larger than INT_MAX. And, with
the `len + 1` we shouldn't be seeing any data loss either.

>
> NACK!
>
> -- Steve
>

I'm keen on replacing this instance of strncpy towards the goal of [1].
If we don't want to use strscpy() I think memcpy() is another viable
alternative (of course leaving the manual NUL-byte assignment as-is).

[1]: https://github.com/KSPP/linux/issues/90

Thanks
Justin