summaryrefslogtreecommitdiffstats
path: root/fs/kernfs
diff options
context:
space:
mode:
authorKees Cook <keescook@chromium.org>2023-12-12 22:17:38 +0100
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>2023-12-15 17:25:10 +0100
commit792e04768efbf2a1b49a7162a9fa06c1fa584723 (patch)
tree8ec9ab11606dda974095e14ffefff12047ad374a /fs/kernfs
parentinitramfs: Expose retained initrd as sysfs file (diff)
downloadlinux-792e04768efbf2a1b49a7162a9fa06c1fa584723.tar.xz
linux-792e04768efbf2a1b49a7162a9fa06c1fa584723.zip
kernfs: Convert kernfs_walk_ns() from strlcpy() to strscpy()
strlcpy() reads the entire source buffer first. This read may exceed the destination size limit. This is both inefficient and can lead to linear read overflows if a source string is not NUL-terminated[1]. Additionally, it returns the size of the source string, not the resulting size of the destination string. In an effort to remove strlcpy() completely[2], replace strlcpy() here with strscpy(). Link: https://www.kernel.org/doc/html/latest/process/deprecated.html#strlcpy [1] Link: https://github.com/KSPP/linux/issues/89 [2] Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Cc: Tejun Heo <tj@kernel.org> Cc: Azeem Shaikh <azeemshaikh38@gmail.com> Link: https://lore.kernel.org/r/20231116192127.1558276-1-keescook@chromium.org Signed-off-by: Kees Cook <keescook@chromium.org> Link: https://lore.kernel.org/r/20231212211741.164376-1-keescook@chromium.org Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Diffstat (limited to 'fs/kernfs')
-rw-r--r--fs/kernfs/dir.c6
1 files changed, 3 insertions, 3 deletions
diff --git a/fs/kernfs/dir.c b/fs/kernfs/dir.c
index 62d39ecf0a46..fa9077576e02 100644
--- a/fs/kernfs/dir.c
+++ b/fs/kernfs/dir.c
@@ -862,16 +862,16 @@ static struct kernfs_node *kernfs_walk_ns(struct kernfs_node *parent,
const unsigned char *path,
const void *ns)
{
- size_t len;
+ ssize_t len;
char *p, *name;
lockdep_assert_held_read(&kernfs_root(parent)->kernfs_rwsem);
spin_lock_irq(&kernfs_pr_cont_lock);
- len = strlcpy(kernfs_pr_cont_buf, path, sizeof(kernfs_pr_cont_buf));
+ len = strscpy(kernfs_pr_cont_buf, path, sizeof(kernfs_pr_cont_buf));
- if (len >= sizeof(kernfs_pr_cont_buf)) {
+ if (len < 0) {
spin_unlock_irq(&kernfs_pr_cont_lock);
return NULL;
}