kernfs: Convert kernfs_name_locked() from strlcpy() to strscpy()

kees · gregkh · commit 5b56bf5cdb8b · 2023-12-15T17:25:10.000+01:00
strlcpy() reads the entire source buffer first. This read may exceed the destination size limit. This is both inefficient and can lead to linear read overflows if a source string is not NUL-terminated[1]. Additionally, it returns the size of the source string, not the resulting size of the destination string. In an effort to remove strlcpy() completely[2], replace strlcpy() here with strscpy(). Nothing actually checks the return value coming from kernfs_name_locked(), so this has no impact on error paths. The caller hierarchy is: kernfs_name_locked() kernfs_name() pr_cont_kernfs_name() return value ignored cgroup_name() current_css_set_cg_links_read() return value ignored print_page_owner_memcg() return value ignored Link: https://www.kernel.org/doc/html/latest/process/deprecated.html#strlcpy [1] Link: KSPP#89 [2] Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Cc: Tejun Heo <tj@kernel.org> Cc: Azeem Shaikh <azeemshaikh38@gmail.com> Link: https://lore.kernel.org/r/20231116192127.1558276-2-keescook@chromium.org Signed-off-by: Kees Cook <keescook@chromium.org> Link: https://lore.kernel.org/r/20231212211741.164376-2-keescook@chromium.org Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
diff --git a/fs/kernfs/dir.c b/fs/kernfs/dir.c
@@ -54,9 +54,9 @@ static bool kernfs_lockdep(struct kernfs_node *kn)
 static int kernfs_name_locked(struct kernfs_node *kn, char *buf, size_t buflen)
 {
 	if (!kn)
-		return strlcpy(buf, "(null)", buflen);
+		return strscpy(buf, "(null)", buflen);
 
-	return strlcpy(buf, kn->parent ? kn->name : "/", buflen);
+	return strscpy(buf, kn->parent ? kn->name : "/", buflen);
 }
 
 /* kernfs_node_depth - compute depth from @from to @to */
@@ -182,12 +182,12 @@ static int kernfs_path_from_node_locked(struct kernfs_node *kn_to,
  * @buflen: size of @buf
  *
  * Copies the name of @kn into @buf of @buflen bytes.  The behavior is
- * similar to strlcpy().
+ * similar to strscpy().
  *
  * Fills buffer with "(null)" if @kn is %NULL.
  *
- * Return: the length of @kn's name and if @buf isn't long enough,
- * it's filled up to @buflen-1 and nul terminated.
+ * Return: the resulting length of @buf. If @buf isn't long enough,
+ * it's filled up to @buflen-1 and nul terminated, and returns -E2BIG.
  *
  * This function can be called from any context.
  */

Original file line number	Diff line number	Diff line change
`@@ -54,9 +54,9 @@ static bool kernfs_lockdep(struct kernfs_node *kn)`
`54`	`54`	`static int kernfs_name_locked(struct kernfs_node kn, char buf, size_t buflen)`
`55`	`55`	`{`
`56`	`56`	`if (!kn)`
`57`		`- return strlcpy(buf, "(null)", buflen);`
	`57`	`+ return strscpy(buf, "(null)", buflen);`
`58`	`58`
`59`		`- return strlcpy(buf, kn->parent ? kn->name : "/", buflen);`
	`59`	`+ return strscpy(buf, kn->parent ? kn->name : "/", buflen);`
`60`	`60`	`}`
`61`	`61`
`62`	`62`	`/* kernfs_node_depth - compute depth from @from to @to */`
`@@ -182,12 +182,12 @@ static int kernfs_path_from_node_locked(struct kernfs_node *kn_to,`
`182`	`182`	`* @buflen: size of @buf`
`183`	`183`	`*`
`184`	`184`	`* Copies the name of @kn into @buf of @buflen bytes. The behavior is`
`185`		`- * similar to strlcpy().`
	`185`	`+ * similar to strscpy().`
`186`	`186`	`*`
`187`	`187`	`* Fills buffer with "(null)" if @kn is %NULL.`
`188`	`188`	`*`
`189`		`- * Return: the length of @kn's name and if @buf isn't long enough,`
`190`		`- * it's filled up to @buflen-1 and nul terminated.`
	`189`	`+ * Return: the resulting length of @buf. If @buf isn't long enough,`
	`190`	`+ * it's filled up to @buflen-1 and nul terminated, and returns -E2BIG.`
`191`	`191`	`*`
`192`	`192`	`* This function can be called from any context.`
`193`	`193`	`*/`