On Thu, Dec 07, 2023 at 09:42:22PM +0000, Justin Stitt wrote:
> strncpy() is deprecated for use on NUL-terminated destination strings
> [1] and as such we should prefer more robust and less ambiguous string
> interfaces.
>
> We expect fw_info->fw_file_name to be NUL-terminated based on its use
> within _request_firmware_prepare() wherein `name` refers to it:
> | if (firmware_request_builtin_buf(firmware, name, dbuf, size)) {
> | dev_dbg(device, "using built-in %s\n", name);
> | return 0; /* assigned */
> | }
> ... and with firmware_request_builtin() also via `name`:
> | if (strcmp(name, b_fw->name) == 0) {
>
> There is no evidence that NUL-padding is required.
>
> Additionally replace size macro (QLC_FW_FILE_NAME_LEN) with
> sizeof(fw_info->fw_file_name) to more directly tie the maximum buffer
> size to the destination buffer:
>
> Considering the above, a suitable replacement is `strscpy` [2] due to
> the fact that it guarantees NUL-termination on the destination buffer
> without unnecessarily NUL-padding.
>
> Link:
> https://www.kernel.org/doc/html/latest/process/deprecated.html#strncpy-on-nul-terminated-strings
> [1]
> Link: https://manpages.debian.org/testing/linux-manual-4.8/strscpy.9.en.html
> [2]
> Link: https://github.com/KSPP/linux/issues/90
> Cc: linux-hardening@vger.kernel.org
> Signed-off-by: Justin Stitt <justinst...@google.com>
Thanks for the refresh!
Reviewed-by: Kees Cook <keesc...@chromium.org>
--
Kees Cook
