On Mon, 02 Nov 2020, David Laight wrote: > From: Lee Jones > > Sent: 02 November 2020 11:12 > > > > strncpy() may not provide a NUL terminator, which means that a 1-byte > > leak would be possible *if* this was ever copied to userspace. Ensure > > the buffer will always be NUL terminated by using the kernel's > > strscpy() which a) uses the destination (instead of the source) size > > as the bytes to copy and b) is *always* NUL terminated. > > > > Cc: Rodolfo Giometti <[email protected]> > > Cc: "Eurotech S.p.A" <[email protected]> > > Reported-by: Geert Uytterhoeven <[email protected]> > > Acked-by: Arnd Bergmann <[email protected]> > > Signed-off-by: Lee Jones <[email protected]> > > --- > > drivers/misc/c2port/core.c | 2 +- > > 1 file changed, 1 insertion(+), 1 deletion(-) > > > > diff --git a/drivers/misc/c2port/core.c b/drivers/misc/c2port/core.c > > index 80d87e8a0bea9..b96444ec94c7e 100644 > > --- a/drivers/misc/c2port/core.c > > +++ b/drivers/misc/c2port/core.c > > @@ -923,7 +923,7 @@ struct c2port_device *c2port_device_register(char *name, > > } > > dev_set_drvdata(c2dev->dev, c2dev); > > > > - strncpy(c2dev->name, name, C2PORT_NAME_LEN - 1); > > + strscpy(c2dev->name, name, sizeof(c2dev->name)); > > strscpy() doesn't zero fill so if the memory isn't zeroed > and a 'blind' copy to user of the structure is done > then more data is leaked. > > strscpy() may be better, but rational isn't right.
The original patch zeroed the data too, but I was asked to remove that part [0]. In your opinion, should it be reinstated? [0] https://lore.kernel.org/patchwork/patch/1272290/ -- Lee Jones [李琼斯] Senior Technical Lead - Developer Services Linaro.org │ Open source software for Arm SoCs Follow Linaro: Facebook | Twitter | Blog
