[PATCH] Fix possible strscpy() buffer overflows

From: Alexander A. Klimov

Date: Sun May 10 2026 - 15:19:14 EST


In the changed files, strings were copied like this:

strscpy(DST, SRC, strlen(SRC));

A buffer overflow would happen if strlen(SRC) > sizeof(DST).
Actually, strscpy() must be used this way:

strscpy(DST, SRC, sizeof(DST));
strscpy(DST, SRC); // defaults to sizeof(DST)

Signed-off-by: Alexander A. Klimov <grandmaster@xxxxxxxxxxxx>
---
drivers/edac/versalnet_edac.c | 3 +--
drivers/misc/lkdtm/fortify.c | 6 +-----
sound/soc/codecs/fs210x.c | 2 +-
3 files changed, 3 insertions(+), 8 deletions(-)

diff --git a/drivers/edac/versalnet_edac.c b/drivers/edac/versalnet_edac.c
index ec13155824..daa140f4db 100644
--- a/drivers/edac/versalnet_edac.c
+++ b/drivers/edac/versalnet_edac.c
@@ -728,8 +728,7 @@ static int rpmsg_probe(struct rpmsg_device *rpdev)
pg = (struct mc_priv *)amd_rpmsg_id_table[0].driver_data;
chinfo.src = RPMSG_ADDR_ANY;
chinfo.dst = rpdev->dst;
- strscpy(chinfo.name, amd_rpmsg_id_table[0].name,
- strlen(amd_rpmsg_id_table[0].name));
+ strscpy(chinfo.name, amd_rpmsg_id_table[0].name);

pg->ept = rpmsg_create_ept(rpdev, rpmsg_cb, NULL, chinfo);
if (!pg->ept)
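Review bot: The changelog should say that this call site changes the name handed to rpmsg_create_ept(), not only that it removes an overflow risk. strscpy() copies at most size - 1 characters before the terminator, so the old size of `strlen(amd_rpmsg_id_table[0].name)` left `chinfo.name` one character short of the table entry, and `strscpy(chinfo.name, amd_rpmsg_id_table[0].name);` now copies the whole name. Whether anything on the remote side depended on the shortened name cannot be seen from this hunk, so it is worth confirming and calling out as a functional change. rpmsg_probe() starts and ends outside the hunk.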
diff --git a/drivers/misc/lkdtm/fortify.c b/drivers/misc/lkdtm/fortify.c
index 7615a02dfc..9a9159a120 100644
--- a/drivers/misc/lkdtm/fortify.c
+++ b/drivers/misc/lkdtm/fortify.c
@@ -174,11 +174,7 @@ static void lkdtm_FORTIFY_STRSCPY(void)
/* Restore src to its initial value. */
src[3] = 'b';

- /*
- * Use strlen here so size cannot be known at compile time and there is
- * a runtime write overflow.
- */
- strscpy(dst, src, strlen(src));
+ strscpy(dst, src);

pr_err("FAIL: strscpy() overflow not detected!\n");
pr_expected_config(CONFIG_FORTIFY_SOURCE);
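Review bot: This hunk should be dropped, because lkdtm_FORTIFY_STRSCPY is a deliberate-failure test and the removed comment says the `strlen(src)` size is there so that the size is unknown at compile time and a runtime write overflow occurs for FORTIFY_SOURCE to catch. With `strscpy(dst, src);` the copy is bounded by the destination, so presumably nothing trips and execution falls through to `pr_err("FAIL: strscpy() overflow not detected!\n")` even on a kernel whose fortify checks work. Keep `strscpy(dst, src, strlen(src));` together with its comment. If a tree-wide cleanup is expected to revisit this line, extend the comment to say the oversized length is intentional. The function body begins above the hunk.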
diff --git a/sound/soc/codecs/fs210x.c b/sound/soc/codecs/fs210x.c
index e6195b71ad..eda716f817 100644
--- a/sound/soc/codecs/fs210x.c
+++ b/sound/soc/codecs/fs210x.c
@@ -968,7 +968,7 @@ static int fs210x_effect_scene_info(struct snd_kcontrol *kcontrol,
if (scene->name)
name = scene->name;

- strscpy(uinfo->value.enumerated.name, name, strlen(name) + 1);
+ strscpy(uinfo->value.enumerated.name, name);

return 0;
}
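Review bot: The result of `strscpy(uinfo->value.enumerated.name, name);` is discarded, so a scene name longer than the destination field is now truncated silently (strscpy() returns -E2BIG in that case) where it previously overran the field. If truncation is acceptable for an enumerated item name, say so next to the call, for example `/* a long scene name is truncated to fit the item name field */`. Otherwise test the return value and report it. The start of fs210x_effect_scene_info() is outside the hunk, so where `name` comes from when `scene->name` is NULL is not visible here.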
--
2.54.0