On Mon, Jun 27, 2022 at 11:38 AM Yangxi Xiang xyangxi5@gmail.com wrote:
> > Which architectures do you mean? I don't see any architecture using asm-generic/uaccess.h without setting GENERIC_STRNCPY_FROM_USER before commit 98b861a30431 or the prior release.
>
> I am a user of LibOS, which uses this __strncpy_from_user.

Ok, got it. This should be part of the changelog then when you send a patch for stable kernels. You should also indicate that the code was removed in mainline kernels and what the fix was there, as well as which of the older kernels need the fix.

> > Also, I think the implementation relied on strncpy() setting a zero pad at the end of the string, so the check would only be needed for a count value that starts out negative? Is there another way this can actually cause problems?
>
> In the kernel there is a common calling pattern, strncpy_from_user(buf, user_ptr, sizeof(buf)), as I mentioned before. If the size of user_ptr is greater than the buffer in the kernel, no zero is attached to the end of the copied string (see the implementation in lib/string.c). So the checking of the count variable in this boolean condition does not protect the tmp buffer in the last iteration of this loop in the __strncpy_from_user.

Ah right, of course.

Arnd
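
The last-iteration read discussed in this thread, modelled in user space as an added example (not code from the thread or from the kernel tree). The function names, the instrumented `read_at` helper and the 9-byte backing store with a sentinel byte are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

static long max_index_read;   /* highest dst index the scan loop dereferenced */

/* Instrumented load, so the caller can observe which bytes the loop touches. */
static char read_at(const char *dst, long i)
{
    if (i > max_index_read)
        max_index_read = i;
    return dst[i];
}

/* Model of the loop as described in the thread: the byte is tested before count. */
long scan_unchecked(char *dst, const char *src, long count)
{
    long i;
    max_index_read = -1;
    strncpy(dst, src, (size_t)count);  /* writes no NUL if strlen(src) >= count */
    for (i = 0; read_at(dst, i) && count > 0; i++, count--)
        ;
    return i;
}

/* Same loop with the bound tested first, so dst[count] is never loaded. */
long scan_checked(char *dst, const char *src, long count)
{
    long i;
    max_index_read = -1;
    strncpy(dst, src, (size_t)count);
    for (i = 0; count > 0 && read_at(dst, i); i++, count--)
        ;
    return i;
}

long last_max_index(void) { return max_index_read; }

int main(void)
{
    char store[9];   /* 8-byte logical buffer plus 1 sentinel byte (constructed) */
    memset(store, 'X', sizeof(store));
    long n = scan_unchecked(store, "ABCDEFGHIJKL", 8);  /* constructed long input */
    printf("unchecked: len=%ld max index read=%ld\n", n, last_max_index());
    memset(store, 'X', sizeof(store));
    n = scan_checked(store, "ABCDEFGHIJKL", 8);
    printf("checked:   len=%ld max index read=%ld\n", n, last_max_index());
    return 0;
}
```

With an 8-byte logical buffer, the first variant loads index 8, one byte past the buffer, while the reordered condition stops at index 7; both return the same length.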