[v2] cx231xx: card->driver "Conexant cx231xx Audio" too long

  card->driver is 15 characters and a NULL, the original code could 
cause a buffer overflow.
 
Signed-off-by: Dan Carpenter <error27@gmail.com>
---
In version 2, I used a better name that Takashi Iwai suggested.

--
To unsubscribe from this list: send the line "unsubscribe linux-media" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
  

On Mon, 2010-03-22 at 18:39 +0300, Dan Carpenter wrote:
> card->driver is 15 characters and a NULL, the original code could 
> cause a buffer overflow.

> In version 2, I used a better name that Takashi Iwai suggested.

Perhaps it's better to use strncpy as well.


--
To unsubscribe from this list: send the line "unsubscribe linux-media" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
  

At Mon, 22 Mar 2010 08:43:47 -0700,
Joe Perches wrote:
> 
> On Mon, 2010-03-22 at 18:39 +0300, Dan Carpenter wrote:
> > card->driver is 15 characters and a NULL, the original code could 
> > cause a buffer overflow.
> 
> > In version 2, I used a better name that Takashi Iwai suggested.
> 
> Perhaps it's better to use strncpy as well.

strlcpy() would be safer :)

But, in such a case, we want rather that the error is notified at
build time.

Maybe a macro like below would be helpful to catch such bugs?

#define COPY_STRING(buf, src)						\
	do {								\
		if (__builtin_constant_p(src))				\
			BUILD_BUG_ON(strlen(src) >= sizeof(buf));	\
		strcpy(buf, src);					\
	} while (0)

and used like:

struct foo {
	char foo[5];
} x;

COPY_STRING(x.foo, "OK"); // OK
COPY_STRING(x.foo, "1234567890"); // NG


Takashi
--
To unsubscribe from this list: send the line "unsubscribe linux-media" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
  

On Mon, Mar 22, 2010 at 05:04:55PM +0100, Takashi Iwai wrote:
> At Mon, 22 Mar 2010 08:43:47 -0700,
> Joe Perches wrote:
> > 
> > On Mon, 2010-03-22 at 18:39 +0300, Dan Carpenter wrote:
> > > card->driver is 15 characters and a NULL, the original code could 
> > > cause a buffer overflow.
> > 
> > > In version 2, I used a better name that Takashi Iwai suggested.
> > 
> > Perhaps it's better to use strncpy as well.
> 
> strlcpy() would be safer :)
> 
> But, in such a case, we want rather that the error is notified at
> build time.
> 
> Maybe a macro like below would be helpful to catch such bugs?
> 
> #define COPY_STRING(buf, src)						\
> 	do {								\
> 		if (__builtin_constant_p(src))				\
> 			BUILD_BUG_ON(strlen(src) >= sizeof(buf));	\
> 		strcpy(buf, src);					\
> 	} while (0)
> 
> and used like:
> 
> struct foo {
> 	char foo[5];
> } x;
> 
> COPY_STRING(x.foo, "OK"); // OK
> COPY_STRING(x.foo, "1234567890"); // NG
> 

I can do the same thing with Smatch.  The smatch check can also find 
bugs like this:

	buf = kmalloc(10, GFP_KERNEL);
	strcpy(buf, "1234567890"); 

I used smatch to find this bug and 5 others on my allmodconfig w/ staging.
I also found 19 other places that use strcpy() to copy from a large buffer
into a smaller buffer.

Your idea is nice, but I think anyone who deliberately uses the new
macro is not going to have the bug in the first place.  ;)

regards,
dan carpenter

> 
> Takashi
--
To unsubscribe from this list: send the line "unsubscribe linux-media" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
  

At Mon, 22 Mar 2010 19:54:30 +0300,
Dan Carpenter wrote:
> 
> On Mon, Mar 22, 2010 at 05:04:55PM +0100, Takashi Iwai wrote:
> > At Mon, 22 Mar 2010 08:43:47 -0700,
> > Joe Perches wrote:
> > > 
> > > On Mon, 2010-03-22 at 18:39 +0300, Dan Carpenter wrote:
> > > > card->driver is 15 characters and a NULL, the original code could 
> > > > cause a buffer overflow.
> > > 
> > > > In version 2, I used a better name that Takashi Iwai suggested.
> > > 
> > > Perhaps it's better to use strncpy as well.
> > 
> > strlcpy() would be safer :)
> > 
> > But, in such a case, we want rather that the error is notified at
> > build time.
> > 
> > Maybe a macro like below would be helpful to catch such bugs?
> > 
> > #define COPY_STRING(buf, src)						\
> > 	do {								\
> > 		if (__builtin_constant_p(src))				\
> > 			BUILD_BUG_ON(strlen(src) >= sizeof(buf));	\
> > 		strcpy(buf, src);					\
> > 	} while (0)
> > 
> > and used like:
> > 
> > struct foo {
> > 	char foo[5];
> > } x;
> > 
> > COPY_STRING(x.foo, "OK"); // OK
> > COPY_STRING(x.foo, "1234567890"); // NG
> > 
> 
> I can do the same thing with Smatch.  The smatch check can also find 
> bugs like this:
> 
> 	buf = kmalloc(10, GFP_KERNEL);
> 	strcpy(buf, "1234567890"); 
> 
> I used smatch to find this bug and 5 others on my allmodconfig w/ staging.
> I also found 19 other places that use strcpy() to copy from a large buffer
> into a smaller buffer.

Ah, nice.

> Your idea is nice, but I think anyone who deliberately uses the new
> macro is not going to have the bug in the first place.  ;)

Yeah, in theory, such a code should be never committed because it
can be caught at build time ;)


Takashi
--
To unsubscribe from this list: send the line "unsubscribe linux-media" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
  

At Mon, 22 Mar 2010 18:39:09 +0300,
Dan Carpenter wrote:
> 
> card->driver is 15 characters and a NULL, the original code could 
> cause a buffer overflow.
>  
> Signed-off-by: Dan Carpenter <error27@gmail.com>
> ---
> In version 2, I used a better name that Takashi Iwai suggested.

Acked-by: Takashi Iwai <tiwai@suse.de>

Could you fix em28xx in the same way, too?


thanks,

Takashi

> diff --git a/drivers/media/video/cx231xx/cx231xx-audio.c b/drivers/media/video/cx231xx/cx231xx-audio.c
> index 7793d60..7cae95a 100644
> --- a/drivers/media/video/cx231xx/cx231xx-audio.c
> +++ b/drivers/media/video/cx231xx/cx231xx-audio.c
> @@ -495,7 +495,7 @@ static int cx231xx_audio_init(struct cx231xx *dev)
>  	pcm->info_flags = 0;
>  	pcm->private_data = dev;
>  	strcpy(pcm->name, "Conexant cx231xx Capture");
> -	strcpy(card->driver, "Conexant cx231xx Audio");
> +	strcpy(card->driver, "Cx231xx-Audio");
>  	strcpy(card->shortname, "Cx231xx Audio");
>  	strcpy(card->longname, "Conexant cx231xx Audio");
>  
> --
> To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
> Please read the FAQ at  http://www.tux.org/lkml/
> 
--
To unsubscribe from this list: send the line "unsubscribe linux-media" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
  

On Mon, Mar 22, 2010 at 05:04:55PM +0100, Takashi Iwai wrote:
> At Mon, 22 Mar 2010 08:43:47 -0700,
> Joe Perches wrote:
> > 
> > On Mon, 2010-03-22 at 18:39 +0300, Dan Carpenter wrote:
> > > card->driver is 15 characters and a NULL, the original code could 
> > > cause a buffer overflow.
> > 
> > > In version 2, I used a better name that Takashi Iwai suggested.
> > 
> > Perhaps it's better to use strncpy as well.
> 
> strlcpy() would be safer :)
> 
> But, in such a case, we want rather that the error is notified at
> build time.
> 
> Maybe a macro like below would be helpful to catch such bugs?
> 
> #define COPY_STRING(buf, src)						\
> 	do {								\
> 		if (__builtin_constant_p(src))				\
> 			BUILD_BUG_ON(strlen(src) >= sizeof(buf));	\
> 		strcpy(buf, src);					\
> 	} while (0)
> 
> and used like:
> 
> struct foo {
> 	char foo[5];
> } x;
> 
> COPY_STRING(x.foo, "OK"); // OK
> COPY_STRING(x.foo, "1234567890"); // NG

why not define strcpy this way?

Marcin
--
To unsubscribe from this list: send the line "unsubscribe linux-media" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html