| Message ID | 20230807-arch-um-v1-1-86dbbfb59709@google.com |
|---|---|
| State | Superseded |
| Headers | show |
| Series | um: refactor deprecated strncpy to strtomem | expand |
On Mon, Aug 7, 2023 at 2:18 PM Justin Stitt <justinstitt@google.com> wrote: > > Use `strtomem` here since `console_buf` is not expected to be > NUL-terminated. We should probably also just use `MCONSOLE_MAX_DATA` > instead of using `ARRAY_SIZE()` for every iteration of the loop. > Is this change necessary? I have a general preference for ARRAY_SIZE, because a change in size is less likely to be overlooked (unless that goes against the coding standard). > Also mark char buffer as `__nonstring` as per Kees' suggestion here [1] > > Finally, follow checkpatch's recommendation of using `min_t` over `min` > > Link: https://github.com/KSPP/linux/issues/90 [1] > Cc: linux-hardening@vger.kernel.org > Signed-off-by: Justin Stitt <justinstitt@google.com> > --- > Notes: > I only build tested this patch. > --- > arch/um/drivers/mconsole_kern.c | 7 ++++--- > 1 file changed, 4 insertions(+), 3 deletions(-) > > diff --git a/arch/um/drivers/mconsole_kern.c b/arch/um/drivers/mconsole_kern.c > index 5026e7b9adfe..fd4c024202ae 100644 > --- a/arch/um/drivers/mconsole_kern.c > +++ b/arch/um/drivers/mconsole_kern.c > @@ -4,6 +4,7 @@ > * Copyright (C) 2001 - 2008 Jeff Dike (jdike@{addtoit,linux.intel}.com) > */ > > +#include "linux/compiler_attributes.h" nit: Should this include be in angle brackets? #include <linux/compiler_attributes.h> > #include <linux/console.h> > #include <linux/ctype.h> > #include <linux/string.h> > @@ -554,7 +555,7 @@ struct mconsole_output { > > static DEFINE_SPINLOCK(client_lock); > static LIST_HEAD(clients); > -static char console_buf[MCONSOLE_MAX_DATA]; > +static char console_buf[MCONSOLE_MAX_DATA] __nonstring; > > static void console_write(struct console *console, const char *string, > unsigned int len) > @@ -566,8 +567,8 @@ static void console_write(struct console *console, const char *string, > return; > > while (len > 0) { > - n = min((size_t) len, ARRAY_SIZE(console_buf)); > - strncpy(console_buf, string, n); > + n = min_t(size_t, len, MCONSOLE_MAX_DATA); > + strtomem(console_buf, string); > string += n; > len -= n; > > > --- > base-commit: c1a515d3c0270628df8ae5f5118ba859b85464a2 > change-id: 20230807-arch-um-3ef24413427e > > Best regards, > -- > Justin Stitt <justinstitt@google.com> >
On Mon, Aug 7, 2023 at 4:40 PM Kees Cook <keescook@chromium.org> wrote: > > On Mon, Aug 07, 2023 at 03:36:55PM -0700, Bill Wendling wrote: > > On Mon, Aug 7, 2023 at 2:18 PM Justin Stitt <justinstitt@google.com> wrote: > > > > > > Use `strtomem` here since `console_buf` is not expected to be > > > NUL-terminated. We should probably also just use `MCONSOLE_MAX_DATA` > > How is it known that console_buf is not a C-string? There are a few clues that led me to believe console_buf was not a C-string: 1) `n = min((size_t) len, ARRAY_SIZE(console_buf));` means that `n` can be equal to size of buffer which is then subsequently filled entirely by the `strncpy` invocation. 2) console_buf looks to be a circular buffer wherein once it's filled it starts again from the beginning. 3) ARRAY_SIZE is used on it as opposed to strlen or something like that (but not sure if ARRAY_SIZE is also used on C-strings to be fair) 4) It has `buf` in its name which I loosely associate with non C-strings char buffers. All in all, it looks to be a non C-string but honestly it's hard to tell, especially since if it IS a C-string the previous implementation had some bugs with strncpy I believe. > > > > instead of using `ARRAY_SIZE()` for every iteration of the loop. > > > > > Is this change necessary? I have a general preference for ARRAY_SIZE, > > because a change in size is less likely to be overlooked (unless that > > goes against the coding standard). > > I would prefer this stay either ARRAY_SIZE or sizeof, as it keeps it > tied to the variable in question. > > > > > > Also mark char buffer as `__nonstring` as per Kees' suggestion here [1] > > > > > > Finally, follow checkpatch's recommendation of using `min_t` over `min` > > > > > > Link: https://github.com/KSPP/linux/issues/90 [1] > > > Cc: linux-hardening@vger.kernel.org > > > Signed-off-by: Justin Stitt <justinstitt@google.com> > > > --- > > > Notes: > > > I only build tested this patch. > > > --- > > > arch/um/drivers/mconsole_kern.c | 7 ++++--- > > > 1 file changed, 4 insertions(+), 3 deletions(-) > > > > > > diff --git a/arch/um/drivers/mconsole_kern.c b/arch/um/drivers/mconsole_kern.c > > > index 5026e7b9adfe..fd4c024202ae 100644 > > > --- a/arch/um/drivers/mconsole_kern.c > > > +++ b/arch/um/drivers/mconsole_kern.c > > > @@ -4,6 +4,7 @@ > > > * Copyright (C) 2001 - 2008 Jeff Dike (jdike@{addtoit,linux.intel}.com) > > > */ > > > > > > +#include "linux/compiler_attributes.h" > > > > nit: Should this include be in angle brackets? > > > > #include <linux/compiler_attributes.h> > > True, though this shouldn't need to be included at all. What was > missing? > > > > > > #include <linux/console.h> > > > #include <linux/ctype.h> > > > #include <linux/string.h> > > > @@ -554,7 +555,7 @@ struct mconsole_output { > > > > > > static DEFINE_SPINLOCK(client_lock); > > > static LIST_HEAD(clients); > > > -static char console_buf[MCONSOLE_MAX_DATA]; > > > +static char console_buf[MCONSOLE_MAX_DATA] __nonstring; > > > > > > static void console_write(struct console *console, const char *string, > > > unsigned int len) > > > @@ -566,8 +567,8 @@ static void console_write(struct console *console, const char *string, > > > return; > > > > > > while (len > 0) { > > > - n = min((size_t) len, ARRAY_SIZE(console_buf)); > > > - strncpy(console_buf, string, n); > > > + n = min_t(size_t, len, MCONSOLE_MAX_DATA); > > > + strtomem(console_buf, string); > > > string += n; > > > len -= n; > > > > > > > > > --- > > > base-commit: c1a515d3c0270628df8ae5f5118ba859b85464a2 > > > change-id: 20230807-arch-um-3ef24413427e > > > > > > Best regards, > > > -- > > > Justin Stitt <justinstitt@google.com> > > > > > -- > Kees Cook
diff --git a/arch/um/drivers/mconsole_kern.c b/arch/um/drivers/mconsole_kern.c index 5026e7b9adfe..fd4c024202ae 100644 --- a/arch/um/drivers/mconsole_kern.c +++ b/arch/um/drivers/mconsole_kern.c @@ -4,6 +4,7 @@ * Copyright (C) 2001 - 2008 Jeff Dike (jdike@{addtoit,linux.intel}.com) */ +#include "linux/compiler_attributes.h" #include <linux/console.h> #include <linux/ctype.h> #include <linux/string.h> @@ -554,7 +555,7 @@ struct mconsole_output { static DEFINE_SPINLOCK(client_lock); static LIST_HEAD(clients); -static char console_buf[MCONSOLE_MAX_DATA]; +static char console_buf[MCONSOLE_MAX_DATA] __nonstring; static void console_write(struct console *console, const char *string, unsigned int len) @@ -566,8 +567,8 @@ static void console_write(struct console *console, const char *string, return; while (len > 0) { - n = min((size_t) len, ARRAY_SIZE(console_buf)); - strncpy(console_buf, string, n); + n = min_t(size_t, len, MCONSOLE_MAX_DATA); + strtomem(console_buf, string); string += n; len -= n;
Use `strtomem` here since `console_buf` is not expected to be NUL-terminated. We should probably also just use `MCONSOLE_MAX_DATA` instead of using `ARRAY_SIZE()` for every iteration of the loop. Also mark char buffer as `__nonstring` as per Kees' suggestion here [1] Finally, follow checkpatch's recommendation of using `min_t` over `min` Link: https://github.com/KSPP/linux/issues/90 [1] Cc: linux-hardening@vger.kernel.org Signed-off-by: Justin Stitt <justinstitt@google.com> --- Notes: I only build tested this patch. --- arch/um/drivers/mconsole_kern.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) --- base-commit: c1a515d3c0270628df8ae5f5118ba859b85464a2 change-id: 20230807-arch-um-3ef24413427e Best regards, -- Justin Stitt <justinstitt@google.com>