releases/4.19.85/soc-qcom-apr-avoid-string-overflow.patch - pub/scm/linux/kernel/git/stable/stable-queue - Git at Google

 From b2f3810d7619c5ad71f83cd40855f81c6de83ad9 Mon Sep 17 00:00:00 2001
 From: Sasha Levin <sashal@kernel.org>
 Date: Wed, 29 Aug 2018 09:57:22 +0200
 Subject: soc: qcom: apr: Avoid string overflow

 From: Niklas Cassel <niklas.cassel@linaro.org>

 [ Upstream commit 4fadb26574cb74e5de079dd384f25f44f4fb3ec3 ]

 'adev->name' is used as a NUL-terminated string, but using strncpy() with the
 length equal to the buffer size may result in lack of the termination:

 In function 'apr_add_device',
     inlined from 'of_register_apr_devices' at drivers//soc/qcom/apr.c:264:7,
     inlined from 'apr_probe' at drivers//soc/qcom/apr.c:290:2:
 drivers//soc/qcom/apr.c:222:3: warning: 'strncpy' specified bound 32 equals destination size [-Wstringop-truncation]
    strncpy(adev->name, np->name, APR_NAME_SIZE);
    ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 This changes it to use the safer strscpy() instead.

 Signed-off-by: Niklas Cassel <niklas.cassel@linaro.org>
 Reviewed-by: Bjorn Andersson <bjorn.andersson@linaro.org>
 Signed-off-by: Andy Gross <andy.gross@linaro.org>
 Signed-off-by: Sasha Levin <sashal@kernel.org>
 ---
  drivers/soc/qcom/apr.c | 4 ++--
  1 file changed, 2 insertions(+), 2 deletions(-)

 diff --git a/drivers/soc/qcom/apr.c b/drivers/soc/qcom/apr.c
 index 57af8a5373325..ee9197f5aae96 100644
 --- a/drivers/soc/qcom/apr.c
 +++ b/drivers/soc/qcom/apr.c
 @@ -219,9 +219,9 @@ static int apr_add_device(struct device *dev, struct device_node *np,
  	adev->domain_id = id->domain_id;
  	adev->version = id->svc_version;
  	if (np)
 -		strncpy(adev->name, np->name, APR_NAME_SIZE);
 +		strscpy(adev->name, np->name, APR_NAME_SIZE);
  	else
 -		strncpy(adev->name, id->name, APR_NAME_SIZE);
 +		strscpy(adev->name, id->name, APR_NAME_SIZE);

  	dev_set_name(&adev->dev, "aprsvc:%s:%x:%x", adev->name,
  		     id->domain_id, id->svc_id);
 --
 2.20.1
	From b2f3810d7619c5ad71f83cd40855f81c6de83ad9 Mon Sep 17 00:00:00 2001
	From: Sasha Levin <sashal@kernel.org>
	Date: Wed, 29 Aug 2018 09:57:22 +0200
	Subject: soc: qcom: apr: Avoid string overflow

	From: Niklas Cassel <niklas.cassel@linaro.org>

	[ Upstream commit 4fadb26574cb74e5de079dd384f25f44f4fb3ec3 ]

	'adev->name' is used as a NUL-terminated string, but using strncpy() with the
	length equal to the buffer size may result in lack of the termination:

	In function 'apr_add_device',
	inlined from 'of_register_apr_devices' at drivers//soc/qcom/apr.c:264:7,
	inlined from 'apr_probe' at drivers//soc/qcom/apr.c:290:2:
	drivers//soc/qcom/apr.c:222:3: warning: 'strncpy' specified bound 32 equals destination size [-Wstringop-truncation]
	strncpy(adev->name, np->name, APR_NAME_SIZE);
	^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

	This changes it to use the safer strscpy() instead.

	Signed-off-by: Niklas Cassel <niklas.cassel@linaro.org>
	Reviewed-by: Bjorn Andersson <bjorn.andersson@linaro.org>
	Signed-off-by: Andy Gross <andy.gross@linaro.org>
	Signed-off-by: Sasha Levin <sashal@kernel.org>
	---
	drivers/soc/qcom/apr.c \| 4 ++--
	1 file changed, 2 insertions(+), 2 deletions(-)

	diff --git a/drivers/soc/qcom/apr.c b/drivers/soc/qcom/apr.c
	index 57af8a5373325..ee9197f5aae96 100644
	--- a/drivers/soc/qcom/apr.c
	+++ b/drivers/soc/qcom/apr.c
	@@ -219,9 +219,9 @@ static int apr_add_device(struct device dev, struct device_node np,
	adev->domain_id = id->domain_id;
	adev->version = id->svc_version;
	if (np)
	- strncpy(adev->name, np->name, APR_NAME_SIZE);
	+ strscpy(adev->name, np->name, APR_NAME_SIZE);
	else
	- strncpy(adev->name, id->name, APR_NAME_SIZE);
	+ strscpy(adev->name, id->name, APR_NAME_SIZE);

	dev_set_name(&adev->dev, "aprsvc:%s:%x:%x", adev->name,
	id->domain_id, id->svc_id);
	--
	2.20.1