Re: [PATCH] greybus: firmware: use strscpy, fix tag size
From: Pranav Tyagi
Date: Wed Jun 18 2025 - 02:27:59 EST
On Tue, Jun 17, 2025 at 6:46 PM Greg KH <gregkh@xxxxxxxxxxxxxxxxxxx> wrote:
>
> On Tue, Jun 17, 2025 at 06:21:37PM +0530, Pranav Tyagi wrote:
> > Increase the size of firmware_tag arrays in the following structs from
> > GB_FIRMWARE_U_TAG_MAX_SIZE to GB_FIRMWARE_U_TAG_MAX_SIZE + 1 to
> > accommodate null termination:
> > - fw_mgmt_ioc_intf_load_and_validate
> > - fw_mgmt_ioc_get_backend_version
> > - fw_mgmt_ioc_backend_fw_update
> > - fw_mgmt_ioc_get_intf_version
> >
> > Replace strncpy() with strscpy() to ensure proper null termination as
> > firmware_tag is interpreted as a null-terminated string
> > and printed with %s.
> >
> > Signed-off-by: Pranav Tyagi <pranav.tyagi03@xxxxxxxxx>
> > ---
> > .../greybus/Documentation/firmware/firmware.c | 12 ++++++------
> > drivers/staging/greybus/greybus_firmware.h | 8 ++++----
> > 2 files changed, 10 insertions(+), 10 deletions(-)
> >
> > diff --git a/drivers/staging/greybus/Documentation/firmware/firmware.c b/drivers/staging/greybus/Documentation/firmware/firmware.c
> > index 765d69faa9cc..3b4061f4b34a 100644
> > --- a/drivers/staging/greybus/Documentation/firmware/firmware.c
> > +++ b/drivers/staging/greybus/Documentation/firmware/firmware.c
> > @@ -63,8 +63,8 @@ static int update_intf_firmware(int fd)
> > intf_load.major = 0;
> > intf_load.minor = 0;
> >
> > - strncpy((char *)&intf_load.firmware_tag, firmware_tag,
> > - GB_FIRMWARE_U_TAG_MAX_SIZE);
> > + strscpy((char *)&intf_load.firmware_tag, firmware_tag,
> > + GB_FIRMWARE_U_TAG_MAX_SIZE + 1);
> >
> > ret = ioctl(fd, FW_MGMT_IOC_INTF_LOAD_AND_VALIDATE, &intf_load);
> > if (ret < 0) {
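Review bot: strscpy() in `+ strscpy((char *)&intf_load.firmware_tag, firmware_tag,` is a kernel-internal helper with no counterpart in the C library, and this file is a userspace sample program (it calls ioctl() and printf()), so the hunk will not link outside the kernel tree. For userspace keep a libc call and terminate explicitly, e.g. `strncpy(intf_load.firmware_tag, firmware_tag, sizeof(intf_load.firmware_tag) - 1);` followed by `intf_load.firmware_tag[sizeof(intf_load.firmware_tag) - 1] = '\0';`, or use snprintf() bounded by sizeof the destination. As a style point, `(char *)&intf_load.firmware_tag` takes the address of the array rather than the array itself; the cast hides the mismatch, but `(char *)intf_load.firmware_tag` is the clearer form.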
> > @@ -101,8 +101,8 @@ static int update_backend_firmware(int fd)
> > /* Get Backend Firmware Version */
> > printf("Getting Backend Firmware Version\n");
> >
> > - strncpy((char *)&backend_fw_info.firmware_tag, firmware_tag,
> > - GB_FIRMWARE_U_TAG_MAX_SIZE);
> > + strscpy((char *)&backend_fw_info.firmware_tag, firmware_tag,
> > + GB_FIRMWARE_U_TAG_MAX_SIZE + 1);
> >
> > retry_fw_version:
> > ret = ioctl(fd, FW_MGMT_IOC_GET_BACKEND_FW, &backend_fw_info);
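Review bot: the bound `GB_FIRMWARE_U_TAG_MAX_SIZE + 1` in `+ strscpy((char *)&backend_fw_info.firmware_tag, firmware_tag,` is only safe if firmware_tag really grew by one byte; against the original GB_FIRMWARE_U_TAG_MAX_SIZE-sized array, a maximum-length tag has its terminating NUL written into the byte after the array, which in these packed structs is the next field. Use `sizeof(backend_fw_info.firmware_tag)` as the bound so the copy cannot drift out of step with the header, and the same applies to the two sibling copies in this file.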
> > @@ -129,8 +129,8 @@ static int update_backend_firmware(int fd)
> > /* Try Backend Firmware Update over Unipro */
> > printf("Updating Backend Firmware\n");
> >
> > - strncpy((char *)&backend_update.firmware_tag, firmware_tag,
> > - GB_FIRMWARE_U_TAG_MAX_SIZE);
> > + strscpy((char *)&backend_update.firmware_tag, firmware_tag,
> > + GB_FIRMWARE_U_TAG_MAX_SIZE + 1);
> >
> > retry_fw_update:
> > backend_update.status = 0;
> > diff --git a/drivers/staging/greybus/greybus_firmware.h b/drivers/staging/greybus/greybus_firmware.h
> > index b6042a82ada4..ad5b2c8a6461 100644
> > --- a/drivers/staging/greybus/greybus_firmware.h
> > +++ b/drivers/staging/greybus/greybus_firmware.h
> > @@ -38,20 +38,20 @@
> >
> > /* IOCTL support */
> > struct fw_mgmt_ioc_get_intf_version {
> > - __u8 firmware_tag[GB_FIRMWARE_U_TAG_MAX_SIZE];
> > + __u8 firmware_tag[GB_FIRMWARE_U_TAG_MAX_SIZE + 1];
> > __u16 major;
> > __u16 minor;
> > } __packed;
> >
> > struct fw_mgmt_ioc_get_backend_version {
> > - __u8 firmware_tag[GB_FIRMWARE_U_TAG_MAX_SIZE];
> > + __u8 firmware_tag[GB_FIRMWARE_U_TAG_MAX_SIZE + 1];
> > __u16 major;
> > __u16 minor;
> > __u8 status;
> > } __packed;
> >
> > struct fw_mgmt_ioc_intf_load_and_validate {
> > - __u8 firmware_tag[GB_FIRMWARE_U_TAG_MAX_SIZE];
> > + __u8 firmware_tag[GB_FIRMWARE_U_TAG_MAX_SIZE + 1];
> > __u8 load_method;
> > __u8 status;
> > __u16 major;
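Review bot: growing firmware_tag to `GB_FIRMWARE_U_TAG_MAX_SIZE + 1` in these three __packed structs changes their sizeof and shifts the offsets of `major`, `minor`, `status` and `load_method` by one byte, so an already-built userspace tool and a kernel carrying this patch would disagree on the layout of the ioctl payload; if the FW_MGMT_IOC_* command numbers encode the struct size (as _IOR/_IOW/_IOWR do), the command values change as well. Keep the array size as is and guarantee termination on the copying side instead (bound the copy to GB_FIRMWARE_U_TAG_MAX_SIZE - 1 and write the final byte explicitly), or state in the commit message why breaking the ABI is acceptable here.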
> > @@ -59,7 +59,7 @@ struct fw_mgmt_ioc_intf_load_and_validate {
> > } __packed;
> >
> > struct fw_mgmt_ioc_backend_fw_update {
> > - __u8 firmware_tag[GB_FIRMWARE_U_TAG_MAX_SIZE];
> > + __u8 firmware_tag[GB_FIRMWARE_U_TAG_MAX_SIZE + 1];
> > __u8 status;
> > } __packed;
> >
>
> You are changing the size of a userspace structure here, are you SURE
> this is allowed?
>
> How was this tested?
>
> thanks,
>
> greg k-h
Hi,
You're absolutely right — changing the size of a userspace-visible
structure like this is not allowed and I apologize for the oversight.
I did compile and boot the kernel with the patch applied, but I now
realize that I should have also tested it against the actual userspace
tooling to validate ABI compatibility — which I didn’t do. That was a
miss on my part.
Thanks for the review and the guidance. I’ll fix the patch to preserve
structure sizes and ensure safe null termination without breaking the
ABI — likely by using strscpy() with size - 1 and setting the last
byte explicitly if needed.
Apologies for the oversight.
Regards
Pranav Tyagi