Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
tracing: Replace all non-returning strlcpy with strscpy

strlcpy() reads the entire source buffer first.
This read may exceed the destination size limit.
This is both inefficient and can lead to linear read
overflows if a source string is not NUL-terminated [1].
In an effort to remove strlcpy() completely [2], replace
strlcpy() here with strscpy().

No return values were used, so direct replacement with strscpy() is safe.

[1] https://www.kernel.org/doc/html/latest/process/deprecated.html#strlcpy
[2] https://github.com/KSPP/linux/issues/89

Signed-off-by: Azeem Shaikh <azeemshaikh38@gmail.com>
Acked-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
Reviewed-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Kees Cook <keescook@chromium.org>
Link: https://lore.kernel.org/r/20230516143956.1367827-1-azeemshaikh38@gmail.com

authored by

Azeem Shaikh and committed by
Kees Cook
c7dce4c5 7afbe5de

+10 -10
+4 -4
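--- a/kernel/trace/trace.c
+++ b/kernel/trace/trace.c
@@ -196,7 +196,7 @@
 
 static int __init set_cmdline_ftrace(char *str)
 {
-strlcpy(bootup_tracer_buf, str, MAX_TRACER_SIZE);
+strscpy(bootup_tracer_buf, str, MAX_TRACER_SIZE);
 default_bootup_tracer = bootup_tracer_buf;
 /* We are using ftrace early, expand it */
 ring_buffer_expanded = true;
@@ -281,7 +281,7 @@
 
 static int __init set_trace_boot_options(char *str)
 {
-strlcpy(trace_boot_options_buf, str, MAX_TRACER_SIZE);
+strscpy(trace_boot_options_buf, str, MAX_TRACER_SIZE);
 return 1;
 }
 __setup("trace_options=", set_trace_boot_options);
@@ -291,7 +291,7 @@
 
 static int __init set_trace_boot_clock(char *str)
 {
-strlcpy(trace_boot_clock_buf, str, MAX_TRACER_SIZE);
+strscpy(trace_boot_clock_buf, str, MAX_TRACER_SIZE);
 trace_boot_clock = trace_boot_clock_buf;
 return 1;
 }
@@ -2521,7 +2521,7 @@
 if (map != NO_CMDLINE_MAP) {
 tpid = savedcmd->map_cmdline_to_pid[map];
 if (tpid == pid) {
-strlcpy(comm, get_saved_cmdlines(map), TASK_COMM_LEN);
+strscpy(comm, get_saved_cmdlines(map), TASK_COMM_LEN);
 return;
 }
 }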
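Review bot: The return value of `strscpy()` is discarded in all three `__setup` handlers in this file (`set_cmdline_ftrace`, `set_trace_boot_options`, `set_trace_boot_clock`), so a boot parameter longer than `MAX_TRACER_SIZE` is still truncated silently. Unlike strlcpy(), strscpy() reports truncation directly as -E2BIG, so the check is cheap, for example `if (strscpy(bootup_tracer_buf, str, MAX_TRACER_SIZE) < 0) pr_warn("boot tracer name truncated\n");`. A truncated tracer, option or clock name would presumably just fail to match later, which is harder to diagnose than a warning at parse time. The same unchecked pattern appears in the boot handlers of kernel/trace/trace_events.c and kernel/trace/trace_kprobe.c, although their bound is `COMMAND_LINE_SIZE`, so truncation is probably not reachable there.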
+2 -2
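--- a/kernel/trace/trace_events.c
+++ b/kernel/trace/trace_events.c
@@ -2831,7 +2831,7 @@
 char *buf;
 int i;
 
-strlcpy(bootup_trigger_buf, str, COMMAND_LINE_SIZE);
+strscpy(bootup_trigger_buf, str, COMMAND_LINE_SIZE);
 ring_buffer_expanded = true;
 disable_tracing_selftest("running event triggers");
 
@@ -3621,7 +3621,7 @@
 
 static __init int setup_trace_event(char *str)
 {
-strlcpy(bootup_event_buf, str, COMMAND_LINE_SIZE);
+strscpy(bootup_event_buf, str, COMMAND_LINE_SIZE);
 ring_buffer_expanded = true;
 disable_tracing_selftest("running event tracing");
 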
+2 -2
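--- a/kernel/trace/trace_events_inject.c
+++ b/kernel/trace/trace_events_inject.c
@@ -217,7 +217,7 @@
 char *addr = (char *)(unsigned long) val;
 
 if (field->filter_type == FILTER_STATIC_STRING) {
-strlcpy(entry + field->offset, addr, field->size);
+strscpy(entry + field->offset, addr, field->size);
 } else if (field->filter_type == FILTER_DYN_STRING ||
 field->filter_type == FILTER_RDYN_STRING) {
 int str_len = strlen(addr) + 1;
@@ -232,7 +232,7 @@
 }
 entry = *pentry;
 
-strlcpy(entry + (entry_size - str_len), addr, str_len);
+strscpy(entry + (entry_size - str_len), addr, str_len);
 str_item = (u32 *)(entry + field->offset);
 if (field->filter_type == FILTER_RDYN_STRING)
 str_loc -= field->offset + field->size;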
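Review bot: In the second hunk the bound passed to `strscpy()` is `str_len`, which appears to be the `strlen(addr) + 1` computed in the first hunk, so the limit comes from the source string and not from the space left in `entry`. `strlen()` has already walked the whole source and the copy can never truncate, so strscpy() adds no protection at this call. Whether the write stays in bounds depends entirely on the code between the two hunks (presumably a resize of `*pentry`), which is not shown. I would make that dependency explicit with a comment such as `/* entry was grown by str_len above; the bound is the source length, not the remaining space */`, or use `memcpy(entry + (entry_size - str_len), addr, str_len);` so the call does not suggest a destination check. The enclosing function starts and ends outside both hunks.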
+1 -1
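--- a/kernel/trace/trace_kprobe.c
+++ b/kernel/trace/trace_kprobe.c
@@ -30,7 +30,7 @@
 
 static int __init set_kprobe_boot_events(char *str)
 {
-strlcpy(kprobe_boot_events_buf, str, COMMAND_LINE_SIZE);
+strscpy(kprobe_boot_events_buf, str, COMMAND_LINE_SIZE);
 disable_tracing_selftest("running kprobe events");
 
 return 1;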
+1 -1
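--- a/kernel/trace/trace_probe.c
+++ b/kernel/trace/trace_probe.c
@@ -254,7 +254,7 @@
 trace_probe_log_err(offset, GROUP_TOO_LONG);
 return -EINVAL;
 }
-strlcpy(buf, event, slash - event + 1);
+strscpy(buf, event, slash - event + 1);
 if (!is_good_system_name(buf)) {
 trace_probe_log_err(offset, BAD_GROUP_NAME);
 return -EINVAL;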
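Review bot: The size argument `slash - event + 1` is the length of the group prefix plus its terminator, not the capacity of `buf`, so this call relies on strscpy() cutting `event` off at the slash. The copy therefore takes the -E2BIG path by design whenever anything follows the slash. The destination bound is enforced only by the length check that ends in `GROUP_TOO_LONG` just above, and its condition lies outside the hunk. A short comment would stop a later cleanup from swapping the size for the buffer capacity or treating the ignored return as a bug: `/* copy only the group part; its length was checked against the limit above */`. The enclosing function starts and ends outside the hunk.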