uml: Replace all non-returning strlcpy with strscpy

Message ID	20230530164004.986750-1-azeemshaikh38@gmail.com
State	Superseded
Headers	show Return-Path: <linux-um-bounces+incoming=patchwork.ozlabs.org@lists.infradead.org> From: Azeem Shaikh <azeemshaikh38@gmail.com> To: Maxim Krasnyansky <maxk@qti.qualcomm.com> Cc: linux-hardening@vger.kernel.org, Azeem Shaikh <azeemshaikh38@gmail.com>, linux-kernel@vger.kernel.org, Richard Weinberger <richard@nod.at>, Anton Ivanov <anton.ivanov@cambridgegreys.com>, Johannes Berg <johannes@sipsolutions.net>, linux-um@lists.infradead.org Subject: [PATCH] uml: Replace all non-returning strlcpy with strscpy Date: Tue, 30 May 2023 16:40:04 +0000 Message-ID: <20230530164004.986750-1-azeemshaikh38@gmail.com> MIME-Version: 1.0 preview: strlcpy() reads the entire source buffer first. This read may exceed the destination size limit. This is both inefficient and can lead to linear read overflows if a source string is not NUL-terminated [...] Content analysis details: (0.1 points, 5.0 required) pts rule name description ---- ---------------------- -------------------------------------------------- -0.0 RCVD_IN_DNSWL_NONE RBL: Sender listed at https://www.dnswl.org/, no trust [2607:f8b0:4864:20:0:0:0:d2b listed in] [list.dnswl.org] -0.0 SPF_PASS SPF: sender matches SPF record 0.0 SPF_HELO_NONE SPF: HELO does not publish an SPF Record 0.0 FREEMAIL_FROM Sender email is commonly abused enduser mail provider [azeemshaikh38[at]gmail.com] 0.2 FREEMAIL_ENVFROM_END_DIGIT Envelope-from freemail username ends in digit [azeemshaikh38[at]gmail.com] -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's domain -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid -0.1 DKIM_VALID_EF Message has a valid DKIM or DK signature from envelope-from domain Precedence: list Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Sender: "linux-um" <linux-um-bounces@lists.infradead.org> Errors-To: linux-um-bounces+incoming=patchwork.ozlabs.org@lists.infradead.org
Series	uml: Replace all non-returning strlcpy with strscpy \| expand uml: Replace all non-returning strlcpy with strscpy

Azeem Shaikh May 30, 2023, 4:40 p.m. UTC

strlcpy() reads the entire source buffer first.
This read may exceed the destination size limit.
This is both inefficient and can lead to linear read
overflows if a source string is not NUL-terminated [1].
In an effort to remove strlcpy() completely [2], replace
strlcpy() here with strscpy().
No return values were used, so direct replacement is safe.

[1] https://www.kernel.org/doc/html/latest/process/deprecated.html#strlcpy
[2] https://github.com/KSPP/linux/issues/89

Signed-off-by: Azeem Shaikh <azeemshaikh38@gmail.com>
---
 arch/um/os-Linux/drivers/tuntap_user.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

kernel test robot May 31, 2023, 3:18 a.m. UTC | #1

Hi Azeem,

kernel test robot noticed the following build errors:

[auto build test ERROR on uml/next]
[also build test ERROR on uml/fixes wireless-next/main wireless/main linus/master v6.4-rc4 next-20230530]
[If your patch is applied to the wrong git tree, kindly drop us a note.
And when submitting patch, we suggest to use '--base' as documented in
https://git-scm.com/docs/git-format-patch#_base_tree_information]

url:    https://github.com/intel-lab-lkp/linux/commits/Azeem-Shaikh/uml-Replace-all-non-returning-strlcpy-with-strscpy/20230531-004115
base:   git://git.kernel.org/pub/scm/linux/kernel/git/uml/linux next
patch link:    https://lore.kernel.org/r/20230530164004.986750-1-azeemshaikh38%40gmail.com
patch subject: [PATCH] uml: Replace all non-returning strlcpy with strscpy
config: um-i386_defconfig (https://download.01.org/0day-ci/archive/20230531/202305311135.zGMT1gYR-lkp@intel.com/config)
compiler: gcc-12 (Debian 12.2.0-14) 12.2.0
reproduce (this is a W=1 build):
        # https://github.com/intel-lab-lkp/linux/commit/c51d7beb37cfbda321feb3811bbe0e381f804899
        git remote add linux-review https://github.com/intel-lab-lkp/linux
        git fetch --no-tags linux-review Azeem-Shaikh/uml-Replace-all-non-returning-strlcpy-with-strscpy/20230531-004115
        git checkout c51d7beb37cfbda321feb3811bbe0e381f804899
        # save the config file
        mkdir build_dir && cp config build_dir/.config
        make W=1 O=build_dir ARCH=um SUBARCH=i386 olddefconfig
        make W=1 O=build_dir ARCH=um SUBARCH=i386 SHELL=/bin/bash

If you fix the issue, kindly add following tag where applicable
| Reported-by: kernel test robot <lkp@intel.com>
| Closes: https://lore.kernel.org/oe-kbuild-all/202305311135.zGMT1gYR-lkp@intel.com/

All errors (new ones prefixed by >>):

   arch/um/os-Linux/drivers/tuntap_user.c: In function 'tuntap_open':
>> arch/um/os-Linux/drivers/tuntap_user.c:149:17: error: implicit declaration of function 'strscpy'; did you mean 'strncpy'? [-Werror=implicit-function-declaration]
     149 |                 strscpy(ifr.ifr_name, pri->dev_name, sizeof(ifr.ifr_name));
         |                 ^~~~~~~
         |                 strncpy
   cc1: some warnings being treated as errors


vim +149 arch/um/os-Linux/drivers/tuntap_user.c

   127	
   128	static int tuntap_open(void *data)
   129	{
   130		struct ifreq ifr;
   131		struct tuntap_data *pri = data;
   132		char *output, *buffer;
   133		int err, fds[2], len, used;
   134	
   135		err = tap_open_common(pri->dev, pri->gate_addr);
   136		if (err < 0)
   137			return err;
   138	
   139		if (pri->fixed_config) {
   140			pri->fd = os_open_file("/dev/net/tun",
   141					       of_cloexec(of_rdwr(OPENFLAGS())), 0);
   142			if (pri->fd < 0) {
   143				printk(UM_KERN_ERR "Failed to open /dev/net/tun, "
   144				       "err = %d\n", -pri->fd);
   145				return pri->fd;
   146			}
   147			memset(&ifr, 0, sizeof(ifr));
   148			ifr.ifr_flags = IFF_TAP | IFF_NO_PI;
 > 149			strscpy(ifr.ifr_name, pri->dev_name, sizeof(ifr.ifr_name));
   150			if (ioctl(pri->fd, TUNSETIFF, &ifr) < 0) {
   151				err = -errno;
   152				printk(UM_KERN_ERR "TUNSETIFF failed, errno = %d\n",
   153				       errno);
   154				close(pri->fd);
   155				return err;
   156			}
   157		}
   158		else {
   159			err = socketpair(AF_UNIX, SOCK_DGRAM, 0, fds);
   160			if (err) {
   161				err = -errno;
   162				printk(UM_KERN_ERR "tuntap_open : socketpair failed - "
   163				       "errno = %d\n", errno);
   164				return err;
   165			}
   166	
   167			buffer = get_output_buffer(&len);
   168			if (buffer != NULL)
   169				len--;
   170			used = 0;
   171	
   172			err = tuntap_open_tramp(pri->gate_addr, &pri->fd, fds[0],
   173						fds[1], buffer, len, &used);
   174	
   175			output = buffer;
   176			if (err < 0) {
   177				printk("%s", output);
   178				free_output_buffer(buffer);
   179				printk(UM_KERN_ERR "tuntap_open_tramp failed - "
   180				       "err = %d\n", -err);
   181				return err;
   182			}
   183	
   184			pri->dev_name = uml_strdup(buffer);
   185			output += IFNAMSIZ;
   186			printk("%s", output);
   187			free_output_buffer(buffer);
   188	
   189			close(fds[0]);
   190			iter_addresses(pri->dev, open_addr, pri->dev_name);
   191		}
   192	
   193		return pri->fd;
   194	}
   195

Kees Cook May 31, 2023, 4:41 a.m. UTC | #2

On May 30, 2023 8:18:42 PM PDT, kernel test robot <lkp@intel.com> wrote:
>Hi Azeem,
>
>kernel test robot noticed the following build errors:
>
>[auto build test ERROR on uml/next]
>[also build test ERROR on uml/fixes wireless-next/main wireless/main linus/master v6.4-rc4 next-20230530]
>[If your patch is applied to the wrong git tree, kindly drop us a note.
>And when submitting patch, we suggest to use '--base' as documented in
>https://git-scm.com/docs/git-format-patch#_base_tree_information]
>
>url:    https://github.com/intel-lab-lkp/linux/commits/Azeem-Shaikh/uml-Replace-all-non-returning-strlcpy-with-strscpy/20230531-004115
>base:   git://git.kernel.org/pub/scm/linux/kernel/git/uml/linux next
>patch link:    https://lore.kernel.org/r/20230530164004.986750-1-azeemshaikh38%40gmail.com
>patch subject: [PATCH] uml: Replace all non-returning strlcpy with strscpy
>config: um-i386_defconfig (https://download.01.org/0day-ci/archive/20230531/202305311135.zGMT1gYR-lkp@intel.com/config)
>compiler: gcc-12 (Debian 12.2.0-14) 12.2.0
>reproduce (this is a W=1 build):
>        # https://github.com/intel-lab-lkp/linux/commit/c51d7beb37cfbda321feb3811bbe0e381f804899
>        git remote add linux-review https://github.com/intel-lab-lkp/linux
>        git fetch --no-tags linux-review Azeem-Shaikh/uml-Replace-all-non-returning-strlcpy-with-strscpy/20230531-004115
>        git checkout c51d7beb37cfbda321feb3811bbe0e381f804899
>        # save the config file
>        mkdir build_dir && cp config build_dir/.config
>        make W=1 O=build_dir ARCH=um SUBARCH=i386 olddefconfig
>        make W=1 O=build_dir ARCH=um SUBARCH=i386 SHELL=/bin/bash
>
>If you fix the issue, kindly add following tag where applicable
>| Reported-by: kernel test robot <lkp@intel.com>
>| Closes: https://lore.kernel.org/oe-kbuild-all/202305311135.zGMT1gYR-lkp@intel.com/
>
>All errors (new ones prefixed by >>):
>
>   arch/um/os-Linux/drivers/tuntap_user.c: In function 'tuntap_open':
>>> arch/um/os-Linux/drivers/tuntap_user.c:149:17: error: implicit declaration of function 'strscpy'; did you mean 'strncpy'? [-Werror=implicit-function-declaration]
>     149 |                 strscpy(ifr.ifr_name, pri->dev_name, sizeof(ifr.ifr_name));
>         |                 ^~~~~~~
>         |                 strncpy
>   cc1: some warnings being treated as errors

Ah, yeah, this is another "not actually in the kernel" cases. Let's ignore this strlcpy for now.

-Keed

Johannes Berg May 31, 2023, 6:18 a.m. UTC | #3

> -		strlcpy(ifr.ifr_name, pri->dev_name,
> sizeof(ifr.ifr_name));
> +		strscpy(ifr.ifr_name, pri->dev_name,
> sizeof(ifr.ifr_name));
> 

> >   arch/um/os-Linux/drivers/tuntap_user.c: In function 'tuntap_open':
> > > > arch/um/os-Linux/drivers/tuntap_user.c:149:17: error: implicit declaration of function 'strscpy'; did you mean 'strncpy'? [-Werror=implicit-function-declaration]
> >     149 |                 strscpy(ifr.ifr_name, pri->dev_name, sizeof(ifr.ifr_name));
> >         |                 ^~~~~~~
> >         |                 strncpy
> >   cc1: some warnings being treated as errors
> 
> Ah, yeah, this is another "not actually in the kernel" cases. Let's ignore this strlcpy for now.
> 

Well, strlcpy() isn't part of libc either, so all this would need is to
add it to user.h just like strlcpy() is now?

johannes

Richard Weinberger May 31, 2023, 6:23 a.m. UTC | #4

----- Ursprüngliche Mail -----
>>>> arch/um/os-Linux/drivers/tuntap_user.c:149:17: error: implicit declaration of
>>>> function 'strscpy'; did you mean 'strncpy'?
>>>> [-Werror=implicit-function-declaration]
>>     149 |                 strscpy(ifr.ifr_name, pri->dev_name,
>>     sizeof(ifr.ifr_name));
>>         |                 ^~~~~~~
>>         |                 strncpy
>>   cc1: some warnings being treated as errors
> 
> Ah, yeah, this is another "not actually in the kernel" cases. Let's ignore this
> strlcpy for now.

Well, actually it's another case of "not even compile tested". :-(

Thanks,
//richard

Richard Weinberger May 31, 2023, 6:26 a.m. UTC | #5

----- Ursprüngliche Mail -----
>> Ah, yeah, this is another "not actually in the kernel" cases. Let's ignore this
>> strlcpy for now.
>> 
> 
> Well, strlcpy() isn't part of libc either, so all this would need is to
> add it to user.h just like strlcpy() is now?

I think so.
Azeem, can you please test your changes with this fixup applied?

diff --git a/arch/um/include/shared/user.h b/arch/um/include/shared/user.h
index bda66e5a9d4e3..e5d3fbbafe4d2 100644
--- a/arch/um/include/shared/user.h
+++ b/arch/um/include/shared/user.h
@@ -52,6 +52,7 @@ static inline int printk(const char *fmt, ...)
 extern int in_aton(char *str);
 extern size_t strlcpy(char *, const char *, size_t);
 extern size_t strlcat(char *, const char *, size_t);
+extern ssize_t strscpy(char *, const char *, size_t);
 
 /* Copied from linux/compiler-gcc.h since we can't include it directly */
 #define barrier() __asm__ __volatile__("": : :"memory")

Thanks,
//richard

Geert Uytterhoeven May 31, 2023, 8:05 a.m. UTC | #6

On Wed, May 31, 2023 at 8:23 AM Richard Weinberger <richard@nod.at> wrote:
> ----- Ursprüngliche Mail -----
> >>>> arch/um/os-Linux/drivers/tuntap_user.c:149:17: error: implicit declaration of
> >>>> function 'strscpy'; did you mean 'strncpy'?
> >>>> [-Werror=implicit-function-declaration]
> >>     149 |                 strscpy(ifr.ifr_name, pri->dev_name,
> >>     sizeof(ifr.ifr_name));
> >>         |                 ^~~~~~~
> >>         |                 strncpy
> >>   cc1: some warnings being treated as errors
> >
> > Ah, yeah, this is another "not actually in the kernel" cases. Let's ignore this
> > strlcpy for now.
>
> Well, actually it's another case of "not even compile tested". :-(

"But the AI said it was correct?!?" ;-)

Gr{oetje,eeting}s,

                        Geert

Azeem Shaikh May 31, 2023, 2:48 p.m. UTC | #7

Thanks Geert and Richard for the review.

On Wed, May 31, 2023 at 4:05 AM Geert Uytterhoeven <geert@linux-m68k.org> wrote:
>
> On Wed, May 31, 2023 at 8:23 AM Richard Weinberger <richard@nod.at> wrote:
> > ----- Ursprüngliche Mail -----
> > >>>> arch/um/os-Linux/drivers/tuntap_user.c:149:17: error: implicit declaration of
> > >>>> function 'strscpy'; did you mean 'strncpy'?
> > >>>> [-Werror=implicit-function-declaration]
> > >>     149 |                 strscpy(ifr.ifr_name, pri->dev_name,
> > >>     sizeof(ifr.ifr_name));
> > >>         |                 ^~~~~~~
> > >>         |                 strncpy
> > >>   cc1: some warnings being treated as errors
> > >
> > > Ah, yeah, this is another "not actually in the kernel" cases. Let's ignore this
> > > strlcpy for now.
> >
> > Well, actually it's another case of "not even compile tested". :-(

Argh, my test script wasn't cross-compiling for um. Sorry about that :(

> > Well, strlcpy() isn't part of libc either, so all this would need is to
> > add it to user.h just like strlcpy() is now?
>
> I think so.
> Azeem, can you please test your changes with this fixup applied?
>
> diff --git a/arch/um/include/shared/user.h b/arch/um/include/shared/user.h
> index bda66e5a9d4e3..e5d3fbbafe4d2 100644
> --- a/arch/um/include/shared/user.h
> +++ b/arch/um/include/shared/user.h
> @@ -52,6 +52,7 @@ static inline int printk(const char *fmt, ...)
>  extern int in_aton(char *str);
>  extern size_t strlcpy(char *, const char *, size_t);
>  extern size_t strlcat(char *, const char *, size_t);
> +extern ssize_t strscpy(char *, const char *, size_t);
>
>  /* Copied from linux/compiler-gcc.h since we can't include it directly */
>  #define barrier() __asm__ __volatile__("": : :"memory")
>

Tested with this fixup, and it builds successfully on ARCH=um
SUBARCH=i386. Let me know if I need to test with any other
cross-compilation options before I send out v2.

>
> Ah, yeah, this is another "not actually in the kernel" cases. Let's ignore this strlcpy for now.
>
> -Keed

Planning to send out v2 with the fixup from Richard applied. Let me
know if that's ok.

Richard Weinberger June 5, 2023, 8:07 p.m. UTC | #8

----- Ursprüngliche Mail -----
> Von: "Azeem Shaikh" <azeemshaikh38@gmail.com>
> Planning to send out v2 with the fixup from Richard applied. Let me
> know if that's ok.

Fine by me. :-)

Thanks,
//richard

uml: Replace all non-returning strlcpy with strscpy

Commit Message

Comments

Patch