Re: [PATCH] um: refactor deprecated strncpy to strtomem

[Justin Stitt]

On Mon, Aug 7, 2023 at 4:40 PM Kees Cook <keescook@xxxxxxxxxxxx> wrote:
>
> On Mon, Aug 07, 2023 at 03:36:55PM -0700, Bill Wendling wrote:
> > On Mon, Aug 7, 2023 at 2:18 PM Justin Stitt <justinstitt@xxxxxxxxxx> wrote:
> > >
> > > Use `strtomem` here since `console_buf` is not expected to be
> > > NUL-terminated. We should probably also just use `MCONSOLE_MAX_DATA`
>
> How is it known that console_buf is not a C-string?
There are a few clues that led me to believe console_buf was not a C-string:
1)  `n = min((size_t) len, ARRAY_SIZE(console_buf));` means that `n`
can be equal to size of buffer which is then subsequently filled
entirely by the `strncpy` invocation.
2) console_buf looks to be a circular buffer wherein once it's filled
it starts again from the beginning.
3) ARRAY_SIZE is used on it as opposed to strlen or something like
that (but not sure if ARRAY_SIZE is also used on C-strings to be fair)
4) It has `buf` in its name which I loosely associate with non
C-strings char buffers.

All in all, it looks to be a non C-string but honestly it's hard to
tell, especially since if it IS a C-string the previous implementation
had some bugs with strncpy I believe.

>
> > > instead of using `ARRAY_SIZE()` for every iteration of the loop.
> > >
> > Is this change necessary? I have a general preference for ARRAY_SIZE,
> > because a change in size is less likely to be overlooked (unless that
> > goes against the coding standard).
>
> I would prefer this stay either ARRAY_SIZE or sizeof, as it keeps it
> tied to the variable in question.
>
> >
> > > Also mark char buffer as `__nonstring` as per Kees' suggestion here [1]
> > >
> > > Finally, follow checkpatch's recommendation of using `min_t` over `min`
> > >
> > > Link: https://github.com/KSPP/linux/issues/90 [1]
> > > Cc: linux-hardening@xxxxxxxxxxxxxxx
> > > Signed-off-by: Justin Stitt <justinstitt@xxxxxxxxxx>
> > > ---
> > > Notes:
> > > I only build tested this patch.
> > > ---
> > >  arch/um/drivers/mconsole_kern.c | 7 ++++---
> > >  1 file changed, 4 insertions(+), 3 deletions(-)
> > >
> > > diff --git a/arch/um/drivers/mconsole_kern.c b/arch/um/drivers/mconsole_kern.c
> > > index 5026e7b9adfe..fd4c024202ae 100644
> > > --- a/arch/um/drivers/mconsole_kern.c
> > > +++ b/arch/um/drivers/mconsole_kern.c
> > > @@ -4,6 +4,7 @@
> > >   * Copyright (C) 2001 - 2008 Jeff Dike (jdike@{addtoit,linux.intel}.com)
> > >   */
> > >
> > > +#include "linux/compiler_attributes.h"
> >
> > nit: Should this include be in angle brackets?
> >
> > #include <linux/compiler_attributes.h>
>
> True, though this shouldn't need to be included at all. What was
> missing?
>
> >
> > >  #include <linux/console.h>
> > >  #include <linux/ctype.h>
> > >  #include <linux/string.h>
> > > @@ -554,7 +555,7 @@ struct mconsole_output {
> > >
> > >  static DEFINE_SPINLOCK(client_lock);
> > >  static LIST_HEAD(clients);
> > > -static char console_buf[MCONSOLE_MAX_DATA];
> > > +static char console_buf[MCONSOLE_MAX_DATA] __nonstring;
> > >
> > >  static void console_write(struct console *console, const char *string,
> > >                           unsigned int len)
> > > @@ -566,8 +567,8 @@ static void console_write(struct console *console, const char *string,
> > >                 return;
> > >
> > >         while (len > 0) {
> > > -               n = min((size_t) len, ARRAY_SIZE(console_buf));
> > > -               strncpy(console_buf, string, n);
> > > +               n = min_t(size_t, len, MCONSOLE_MAX_DATA);
> > > +               strtomem(console_buf, string);
> > >                 string += n;
> > >                 len -= n;
> > >
> > >
> > > ---
> > > base-commit: c1a515d3c0270628df8ae5f5118ba859b85464a2
> > > change-id: 20230807-arch-um-3ef24413427e
> > >
> > > Best regards,
> > > --
> > > Justin Stitt <justinstitt@xxxxxxxxxx>
> > >
>
> --
> Kees Cook