Replace the deprecated[1] strncpy() with strnlen() on the source followed by memcpy_and_pad().
This function is a chunk callback for UML's strncpy_from_user() implementation, called by buffer_op() to process userspace memory one page at a time. The source is a kernel-mapped userspace address that is not guaranteed to be NUL-terminated; "len" bounds how many bytes to read from it. By measuring the source string length first with strnlen(), we avoid reading past the NUL terminator in the source. memcpy_and_pad() then copies the string content and zero-fills the remainder of the chunk, preserving the original strncpy() behavior exactly: copy up to the first NUL, then pad with zeros to the full length. strtomem_pad() would be the idiomatic helper for this strnlen() + memcpy_and_pad() pattern, but it requires a compile-time-determinable destination size (via ARRAY_SIZE()). Here the destination is a char * into a caller-provided buffer and the chunk length is a runtime value, so the explicit two-step is necessary. No behavioral change: the same bytes are written to the destination (string content followed by zero padding), the pointer advances by the same amount, and the NUL-found return condition is unchanged. Link: https://github.com/KSPP/linux/issues/90 [1] Signed-off-by: Kees Cook <[email protected]> --- arch/um/kernel/skas/uaccess.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/arch/um/kernel/skas/uaccess.c b/arch/um/kernel/skas/uaccess.c index 198269e384c4..caef1deef795 100644 --- a/arch/um/kernel/skas/uaccess.c +++ b/arch/um/kernel/skas/uaccess.c @@ -170,8 +170,8 @@ static int strncpy_chunk_from_user(unsigned long from, int len, void *arg) char **to_ptr = arg, *to = *to_ptr; int n; - strncpy(to, (void *) from, len); - n = strnlen(to, len); + n = strnlen((void *) from, len); + memcpy_and_pad(to, len, (void *) from, n, 0); *to_ptr += n; if (n < len) -- 2.34.1
