Re: [PATCH] inotify: Use strscpy() for event->name copies

From: Kees Cook
Date: Tue Dec 17 2024 - 02:52:09 EST

Next message: Kees Cook: "Re: [PATCH] rtnetlink: do_setlink: Use true struct sockaddr"
Previous message: Jinlong Mao: "Re: [PATCH v1 0/2] Add Qualcomm extended CTI support"
In reply to: Matthew Wilcox: "Re: [PATCH] inotify: Use strscpy() for event->name copies"
Next in thread: Jan Kara: "Re: [PATCH] inotify: Use strscpy() for event->name copies"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On December 16, 2024 8:12:07 PM PST, Matthew Wilcox <willy@xxxxxxxxxxxxx> wrote:
>On Mon, Dec 16, 2024 at 02:45:15PM -0800, Kees Cook wrote:
>> Since we have already allocated "len + 1" space for event->name, make sure
>> that name->name cannot ever accidentally cause a copy overflow by calling
>> strscpy() instead of the unbounded strcpy() routine. This assists in
>> the ongoing efforts to remove the unsafe strcpy() API[1] from the kernel.
>
>Since a qstr can't contain a NUL before the length, why not just use
>memcpy()?
>
>> event->name_len = len;
>> if (len)
>> - strcpy(event->name, name->name);
>> + strscpy(event->name, name->name, event->name_len + 1);

So that the destination is guaranteed to be NUL terminated no matter what's in the source. :) (i.e. try to limit unlikely conditions from expanding.)

--
Kees Cook

Next message: Kees Cook: "Re: [PATCH] rtnetlink: do_setlink: Use true struct sockaddr"
Previous message: Jinlong Mao: "Re: [PATCH v1 0/2] Add Qualcomm extended CTI support"
In reply to: Matthew Wilcox: "Re: [PATCH] inotify: Use strscpy() for event->name copies"
Next in thread: Jan Kara: "Re: [PATCH] inotify: Use strscpy() for event->name copies"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]