From: James Bottomley <James.Bottomley@HansenPartnership.com>
To: David Yang <mmyangfl@gmail.com>, linux-block@vger.kernel.org
Cc: Jens Axboe <axboe@kernel.dk>, Xu Panda <xu.panda@zte.com.cn>,
Justin Stitt <justinstitt@google.com>,
Yang Yang <yang.yang29@zte.com>,
linux-kernel@vger.kernel.org
Subject: Re: [PATCH] block: fix buf size for strscpy()
Date: Fri, 03 May 2024 08:36:56 -0400 [thread overview]
Message-ID: <288e65c39f355531c91761b330e530a6336631dd.camel@HansenPartnership.com> (raw)
In-Reply-To: <20240503074845.12181-1-mmyangfl@gmail.com>
On Fri, 2024-05-03 at 15:48 +0800, David Yang wrote:
> strscpy() takes the total size of destination buffer as the argument,
> including the space for the terminating null character.
>
> The actual length of the buffer should be len(str) + 1, which can be
> seen from the indexes where null characters are written in the code
> before the commit in question, and 'sizeof(buf) - 1' right above
> the problematic codes.
>
> Without the additional 1 size and the absence of checkes against -
> E2BIG, strscpy() will angrily eat the last character of the source
> string. In my situation, strscpy() will take away one character
> before the comma "," (which is presumably the right bracket ")") in
> parse_parts(), making parse_subpart() unable to 'strchr(++partdef,
> ')')' and producing the following error message:
>
> cmdline partition format is invalid.
This is the same problem we brought up with the strscpy conversions in
scsi:
https://lore.kernel.org/all/784db8a20a3ddeb6c0498f2b31719e5198da6581.camel@HansenPartnership.com/
strscpy doesn't correctly replace a function of strncpy we used to get
a zero termination for a possibly unterminated string with a
destination that's one byte larger than the source. The current
proposed fix is this one:
https://lore.kernel.org/all/20240410021833.work.750-kees@kernel.org/
James
prev parent reply other threads:[~2024-05-03 12:36 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-05-03 7:48 [PATCH] block: fix buf size for strscpy() David Yang
2024-05-03 12:36 ` James Bottomley [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=288e65c39f355531c91761b330e530a6336631dd.camel@HansenPartnership.com \
--to=james.bottomley@hansenpartnership.com \
--cc=axboe@kernel.dk \
--cc=justinstitt@google.com \
--cc=linux-block@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=mmyangfl@gmail.com \
--cc=xu.panda@zte.com.cn \
--cc=yang.yang29@zte.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).