
apparmor: fix use of strcpy in policy_unpack_test

Replace the use of strcpy() in build_aa_ext_struct() in
policy_unpack_test.c with strscpy().

strscpy() is the safer method to use to ensure the buffer does not
overflow. This was found by kernel test robot:
https://lore.kernel.org/all/202301040348.NbfVsXO0-lkp@intel.com/.

Reported-by: kernel test robot <lkp@intel.com>

Signed-off-by: Rae Moar <rmoar@google.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>

authored by

Rae Moar and committed by
John Johansen
b54aebd4 76862af5

+6 -7
+6 -7
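--- a/security/apparmor/policy_unpack_test.c
+++ b/security/apparmor/policy_unpack_test.c
@@ -69,31 +69,30 @@
 
 	*buf = AA_NAME;
 	*(buf + 1) = strlen(TEST_STRING_NAME) + 1;
-	strcpy(buf + 3, TEST_STRING_NAME);
+	strscpy(buf + 3, TEST_STRING_NAME, e->end - (void *)(buf + 3));
 
 	buf = e->start + TEST_STRING_BUF_OFFSET;
 	*buf = AA_STRING;
 	*(buf + 1) = strlen(TEST_STRING_DATA) + 1;
-	strcpy(buf + 3, TEST_STRING_DATA);
-
+	strscpy(buf + 3, TEST_STRING_DATA, e->end - (void *)(buf + 3));
 	buf = e->start + TEST_NAMED_U32_BUF_OFFSET;
 	*buf = AA_NAME;
 	*(buf + 1) = strlen(TEST_U32_NAME) + 1;
-	strcpy(buf + 3, TEST_U32_NAME);
+	strscpy(buf + 3, TEST_U32_NAME, e->end - (void *)(buf + 3));
 	*(buf + 3 + strlen(TEST_U32_NAME) + 1) = AA_U32;
 	*((u32 *)(buf + 3 + strlen(TEST_U32_NAME) + 2)) = TEST_U32_DATA;
 
 	buf = e->start + TEST_NAMED_U64_BUF_OFFSET;
 	*buf = AA_NAME;
 	*(buf + 1) = strlen(TEST_U64_NAME) + 1;
-	strcpy(buf + 3, TEST_U64_NAME);
+	strscpy(buf + 3, TEST_U64_NAME, e->end - (void *)(buf + 3));
 	*(buf + 3 + strlen(TEST_U64_NAME) + 1) = AA_U64;
 	*((u64 *)(buf + 3 + strlen(TEST_U64_NAME) + 2)) = TEST_U64_DATA;
 
 	buf = e->start + TEST_NAMED_BLOB_BUF_OFFSET;
 	*buf = AA_NAME;
 	*(buf + 1) = strlen(TEST_BLOB_NAME) + 1;
-	strcpy(buf + 3, TEST_BLOB_NAME);
+	strscpy(buf + 3, TEST_BLOB_NAME, e->end - (void *)(buf + 3));
 	*(buf + 3 + strlen(TEST_BLOB_NAME) + 1) = AA_BLOB;
 	*(buf + 3 + strlen(TEST_BLOB_NAME) + 2) = TEST_BLOB_DATA_SIZE;
 	memcpy(buf + 3 + strlen(TEST_BLOB_NAME) + 6,
@@ -101,7 +102,7 @@
 	buf = e->start + TEST_NAMED_ARRAY_BUF_OFFSET;
 	*buf = AA_NAME;
 	*(buf + 1) = strlen(TEST_ARRAY_NAME) + 1;
-	strcpy(buf + 3, TEST_ARRAY_NAME);
+	strscpy(buf + 3, TEST_ARRAY_NAME, e->end - (void *)(buf + 3));
 	*(buf + 3 + strlen(TEST_ARRAY_NAME) + 1) = AA_ARRAY;
 	*((u16 *)(buf + 3 + strlen(TEST_ARRAY_NAME) + 2)) = TEST_ARRAY_SIZE;
 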
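Review bot: All six `strscpy()` calls discard the return value, so a truncated copy (`-E2BIG`) would leave a silently malformed fixture instead of a failing test. The stores after each copy, such as `*(buf + 3 + strlen(TEST_U32_NAME) + 1) = AA_U32;`, the `u32`/`u64`/`u16` writes and the `memcpy`, are still positioned by `strlen()` of the source and never compared with `e->end`, so only the string copy itself is bounded. The limit is the distance to the end of the whole buffer rather than to the next `TEST_*_BUF_OFFSET` slot, so it prevents writing past the allocation but not one field running into the next. If the KUnit context is in scope at this point (not visible in the shown lines), `KUNIT_ASSERT_GE(test, strscpy(buf + 3, TEST_U32_NAME, e->end - (void *)(buf + 3)), 0);` would turn truncation into an explicit failure. build_aa_ext_struct() begins and ends outside the displayed hunks.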