Re: [PATCH] Fix possible strscpy() buffer overflows
From: David Laight
Date: Sun May 10 2026 - 18:09:15 EST
On Sun, 10 May 2026 20:24:41 +0200
"Alexander A. Klimov" <grandmaster@xxxxxxxxxxxx> wrote:
> In the changed files, strings were copied like this:
>
> strscpy(DST, SRC, strlen(SRC));
>
> A buffer overflow would happen if strlen(SRC) > sizeof(DST).
> Actually, strscpy() must be used this way:
>
> strscpy(DST, SRC, sizeof(DST));
> strscpy(DST, SRC); // defaults to sizeof(DST)
Nak.
This is test code and deliberately doing things 'wrong'.
-- David
>
> Signed-off-by: Alexander A. Klimov <grandmaster@xxxxxxxxxxxx>
> ---
> drivers/edac/versalnet_edac.c | 3 +--
> drivers/misc/lkdtm/fortify.c | 6 +-----
> sound/soc/codecs/fs210x.c | 2 +-
> 3 files changed, 3 insertions(+), 8 deletions(-)
>
> diff --git a/drivers/edac/versalnet_edac.c b/drivers/edac/versalnet_edac.c
> index ec13155824..daa140f4db 100644
> --- a/drivers/edac/versalnet_edac.c
> +++ b/drivers/edac/versalnet_edac.c
> @@ -728,8 +728,7 @@ static int rpmsg_probe(struct rpmsg_device *rpdev)
> pg = (struct mc_priv *)amd_rpmsg_id_table[0].driver_data;
> chinfo.src = RPMSG_ADDR_ANY;
> chinfo.dst = rpdev->dst;
> - strscpy(chinfo.name, amd_rpmsg_id_table[0].name,
> - strlen(amd_rpmsg_id_table[0].name));
> + strscpy(chinfo.name, amd_rpmsg_id_table[0].name);
>
> pg->ept = rpmsg_create_ept(rpdev, rpmsg_cb, NULL, chinfo);
> if (!pg->ept)
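Review bot: The changelog should state that the removed `strscpy(chinfo.name, ..., strlen(...))` call also cut the name short, not only that it could overflow. strscpy() copies at most size - 1 bytes before the terminator, so a size of strlen(src) always drops the last character and returns -E2BIG. With the two-argument form, the name in the chinfo passed to rpmsg_create_ept() changes from the shortened string to the full one, which is a behaviour change worth calling out. The two-argument form also requires chinfo.name to be an array rather than a pointer; its declaration is not in this hunk, so please confirm that.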
> diff --git a/drivers/misc/lkdtm/fortify.c b/drivers/misc/lkdtm/fortify.c
> index 7615a02dfc..9a9159a120 100644
> --- a/drivers/misc/lkdtm/fortify.c
> +++ b/drivers/misc/lkdtm/fortify.c
> @@ -174,11 +174,7 @@ static void lkdtm_FORTIFY_STRSCPY(void)
> /* Restore src to its initial value. */
> src[3] = 'b';
>
> - /*
> - * Use strlen here so size cannot be known at compile time and there is
> - * a runtime write overflow.
> - */
> - strscpy(dst, src, strlen(src));
> + strscpy(dst, src);
>
> pr_err("FAIL: strscpy() overflow not detected!\n");
> pr_expected_config(CONFIG_FORTIFY_SOURCE);
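Review bot: Drop this hunk. The removed comment above the strscpy() call in lkdtm_FORTIFY_STRSCPY() says strlen() is used so that the size cannot be known at compile time and a runtime write overflow occurs, so the overflow is the point of the test. With `strscpy(dst, src);` the copy is bounded by the destination, nothing overflows, and execution falls through to the `pr_err("FAIL: strscpy() overflow not detected!\n")` line. The hunk also deletes the comment that documents this intent without replacing it.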
> diff --git a/sound/soc/codecs/fs210x.c b/sound/soc/codecs/fs210x.c
> index e6195b71ad..eda716f817 100644
> --- a/sound/soc/codecs/fs210x.c
> +++ b/sound/soc/codecs/fs210x.c
> @@ -968,7 +968,7 @@ static int fs210x_effect_scene_info(struct snd_kcontrol *kcontrol,
> if (scene->name)
> name = scene->name;
>
> - strscpy(uinfo->value.enumerated.name, name, strlen(name) + 1);
> + strscpy(uinfo->value.enumerated.name, name);
>
> return 0;
> }
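Review bot: The removed line in fs210x_effect_scene_info() passes strlen(name) + 1, not strlen(name), so it does not match the pattern the changelog describes: the whole string was copied, but the bound still came from the source rather than from uinfo->value.enumerated.name. Please describe this case separately in the commit message. The two-argument form relies on the destination being an array whose size the compiler can see; the declaration is outside this hunk, so confirm it. Since the diffstat covers three unrelated files (EDAC, lkdtm, an ASoC codec), consider one patch per file so each can be reviewed and applied on its own.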
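Added example, not part of the original thread or of the kernel source: a simplified userspace model of the strscpy() contract, showing what a size taken from the source does both when the destination is large enough and when it is not. The names model_strscpy(), bytes_past_dst() and copy_with_strlen_bound(), and all sample strings, are constructed for illustration.

```c
#include <errno.h>
#include <stddef.h>
#include <string.h>

/* Simplified userspace model of the strscpy() contract (not kernel code):
 * copy at most count-1 bytes, always NUL-terminate, return the number of
 * bytes copied or -E2BIG if src did not fit in count bytes. */
static long model_strscpy(char *dst, const char *src, size_t count)
{
	size_t i;

	if (count == 0)
		return -E2BIG;
	for (i = 0; i < count - 1 && src[i] != '\0'; i++)
		dst[i] = src[i];
	dst[i] = '\0';
	return src[i] != '\0' ? -E2BIG : (long)i;
}

/* Count bytes written beyond a destination of dst_cap bytes. The copy runs
 * inside a larger arena so the out-of-bounds writes stay observable and
 * well-defined in this model. */
static size_t bytes_past_dst(const char *src, size_t count, size_t dst_cap)
{
	unsigned char arena[64];
	size_t i, past = 0;

	if (count > sizeof(arena) || dst_cap > sizeof(arena))
		return (size_t)-1;
	memset(arena, 0xAA, sizeof(arena));
	model_strscpy((char *)arena, src, count);
	for (i = dst_cap; i < sizeof(arena); i++)
		past += (arena[i] != 0xAA);
	return past;
}

/* Bound taken from the source while dst is large enough: the last
 * character is dropped and the call reports truncation. */
static long copy_with_strlen_bound(char *dst, const char *src)
{
	return model_strscpy(dst, src, strlen(src));
}
```
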