diff mbox series

[v1,18/19] ACPICA: Replace strncpy() with memcpy()

Message ID 1910878.atdPhlSkOF@rjwysocki.net
State New
Headers show
Series ACPICA: ACPICA 20250404 | expand

Commit Message

Rafael J. Wysocki April 25, 2025, 7:32 p.m. UTC 
From: Ahmed Salem <x0rw3ll@gmail.com>

ACPICA commit 83019b471e1902151e67c588014ba2d09fa099a3

strncpy() is deprecated for NUL-terminated destination buffers[1].

Use memcpy() for length-bounded destinations.

Link: https://github.com/KSPP/linux/issues/90 [1]
Link: https://github.com/acpica/acpica/commit/83019b47
Signed-off-by: Ahmed Salem <x0rw3ll@gmail.com>
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
---
 drivers/acpi/acpica/exconvrt.c  | 4 ++--
 drivers/acpi/acpica/tbfind.c    | 4 ++--
 drivers/acpi/acpica/utnonansi.c | 2 +-
 include/acpi/actypes.h          | 2 +-
 4 files changed, 6 insertions(+), 6 deletions(-)

Comments

kernel test robot May 7, 2025, 5:42 a.m. UTC | #1 
Hello,

kernel test robot noticed "BUG:KASAN:global-out-of-bounds_in_acpi_ut_safe_strncpy" on:

commit: 42d0e849d2f0848ac665486c5b38b5321bce299e ("[PATCH v1 18/19] ACPICA: Replace strncpy() with memcpy()")
url: https://github.com/intel-lab-lkp/linux/commits/Rafael-J-Wysocki/ACPICA-Drop-stale-comment-about-the-header-file-content/20250426-034340
base: https://git.kernel.org/cgit/linux/kernel/git/rafael/linux-pm.git linux-next
patch link: https://lore.kernel.org/all/1910878.atdPhlSkOF@rjwysocki.net/
patch subject: [PATCH v1 18/19] ACPICA: Replace strncpy() with memcpy()

in testcase: boot

config: x86_64-randconfig-103-20250426
compiler: gcc-12
test machine: qemu-system-x86_64 -enable-kvm -cpu SandyBridge -smp 2 -m 16G

(please refer to attached dmesg/kmsg for entire log/backtrace)


+--------------------------------------------------------+------------+------------+
|                                                        | 2d3714d918 | 42d0e849d2 |
+--------------------------------------------------------+------------+------------+
| BUG:KASAN:global-out-of-bounds_in_acpi_ut_safe_strncpy | 0          | 18         |
+--------------------------------------------------------+------------+------------+


If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <oliver.sang@intel.com>
| Closes: https://lore.kernel.org/oe-lkp/202505071055.2de34dd7-lkp@intel.com


[ 11.237174][ T1] BUG: KASAN: global-out-of-bounds in acpi_ut_safe_strncpy (kbuild/obj/consumer/x86_64-randconfig-103-20250426/drivers/acpi/acpica/utnonansi.c:172) 
[   11.237174][    T1] Read of size 16 at addr ffffffffb92c19e0 by task swapper/0/1
[   11.237174][    T1]
[   11.237174][    T1] CPU: 1 UID: 0 PID: 1 Comm: swapper/0 Not tainted 6.15.0-rc3-00082-g42d0e849d2f0 #1 PREEMPTLAZY
[   11.237174][    T1] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-debian-1.16.2-1 04/01/2014
[   11.237174][    T1] Call Trace:
[   11.237174][    T1]  <TASK>
[ 11.237174][ T1] dump_stack_lvl (kbuild/obj/consumer/x86_64-randconfig-103-20250426/lib/dump_stack.c:123) 
[ 11.237174][ T1] print_address_description+0x33/0x3d0 
[ 11.237174][ T1] print_report (kbuild/obj/consumer/x86_64-randconfig-103-20250426/mm/kasan/report.c:522) 
[ 11.237174][ T1] ? acpi_ut_safe_strncpy (kbuild/obj/consumer/x86_64-randconfig-103-20250426/drivers/acpi/acpica/utnonansi.c:172) 
[ 11.237174][ T1] ? kasan_addr_to_slab (kbuild/obj/consumer/x86_64-randconfig-103-20250426/mm/kasan/common.c:37) 
[ 11.237174][ T1] ? acpi_ut_safe_strncpy (kbuild/obj/consumer/x86_64-randconfig-103-20250426/drivers/acpi/acpica/utnonansi.c:172) 
[ 11.237174][ T1] kasan_report (kbuild/obj/consumer/x86_64-randconfig-103-20250426/mm/kasan/report.c:636) 
[ 11.237174][ T1] ? acpi_ut_safe_strncpy (kbuild/obj/consumer/x86_64-randconfig-103-20250426/drivers/acpi/acpica/utnonansi.c:172) 
[ 11.237174][ T1] kasan_check_range (kbuild/obj/consumer/x86_64-randconfig-103-20250426/mm/kasan/generic.c:183 kbuild/obj/consumer/x86_64-randconfig-103-20250426/mm/kasan/generic.c:189) 
[ 11.237174][ T1] __asan_memcpy (kbuild/obj/consumer/x86_64-randconfig-103-20250426/mm/kasan/shadow.c:105) 
[ 11.237174][ T1] acpi_ut_safe_strncpy (kbuild/obj/consumer/x86_64-randconfig-103-20250426/drivers/acpi/acpica/utnonansi.c:172) 
[ 11.237174][ T1] acpi_ps_alloc_op (kbuild/obj/consumer/x86_64-randconfig-103-20250426/drivers/acpi/acpica/psutils.c:122) 
[ 11.237174][ T1] acpi_ps_create_scope_op (kbuild/obj/consumer/x86_64-randconfig-103-20250426/drivers/acpi/acpica/psutils.c:34) 
[ 11.237174][ T1] acpi_ps_execute_table (kbuild/obj/consumer/x86_64-randconfig-103-20250426/drivers/acpi/acpica/psxface.c:249) 
[ 11.237174][ T1] ? acpi_ns_get_normalized_pathname (kbuild/obj/consumer/x86_64-randconfig-103-20250426/drivers/acpi/acpica/nsnames.c:321 (discriminator 1)) 
[ 11.237174][ T1] acpi_ns_execute_table (kbuild/obj/consumer/x86_64-randconfig-103-20250426/drivers/acpi/acpica/nsparse.c:120 (discriminator 5)) 
[ 11.237174][ T1] ? acpi_ns_get_attached_data (kbuild/obj/consumer/x86_64-randconfig-103-20250426/drivers/acpi/acpica/nsparse.c:45) 
[ 11.237174][ T1] ? acpi_ut_add_address_range (kbuild/obj/consumer/x86_64-randconfig-103-20250426/include/linux/sched.h:2268 kbuild/obj/consumer/x86_64-randconfig-103-20250426/drivers/acpi/acpica/utaddress.c:56) 
[ 11.237174][ T1] ? acpi_os_signal_semaphore (kbuild/obj/consumer/x86_64-randconfig-103-20250426/drivers/acpi/osl.c:1334) 
[ 11.237174][ T1] ? __sanitizer_cov_trace_const_cmp4 (kbuild/obj/consumer/x86_64-randconfig-103-20250426/kernel/kcov.c:316) 
[ 11.237174][ T1] ? acpi_ut_status_exit (kbuild/obj/consumer/x86_64-randconfig-103-20250426/drivers/acpi/acpica/utdebug.c:474) 
[ 11.237174][ T1] acpi_ns_parse_table (kbuild/obj/consumer/x86_64-randconfig-103-20250426/drivers/acpi/acpica/nsparse.c:270 (discriminator 5)) 
[ 11.237174][ T1] acpi_ns_load_table (kbuild/obj/consumer/x86_64-randconfig-103-20250426/drivers/acpi/acpica/nsload.c:72) 
[ 11.237174][ T1] acpi_tb_load_namespace (kbuild/obj/consumer/x86_64-randconfig-103-20250426/drivers/acpi/acpica/tbxfload.c:159) 
[ 11.237174][ T1] ? acpi_ev_install_region_handlers (kbuild/obj/consumer/x86_64-randconfig-103-20250426/drivers/acpi/acpica/evhandler.c:101 (discriminator 1)) 
[ 11.237174][ T1] acpi_load_tables (kbuild/obj/consumer/x86_64-randconfig-103-20250426/drivers/acpi/acpica/tbxfload.c:63) 
[ 11.237174][ T1] acpi_bus_init (kbuild/obj/consumer/x86_64-randconfig-103-20250426/drivers/acpi/bus.c:1344) 
[ 11.237174][ T1] ? acpi_sleep_proc_init (kbuild/obj/consumer/x86_64-randconfig-103-20250426/drivers/acpi/bus.c:1337) 
[ 11.237174][ T1] ? kset_create_and_add (kbuild/obj/consumer/x86_64-randconfig-103-20250426/lib/kobject.c:412) 
[ 11.237174][ T1] ? __kasan_kmalloc (kbuild/obj/consumer/x86_64-randconfig-103-20250426/mm/kasan/common.c:377 kbuild/obj/consumer/x86_64-randconfig-103-20250426/mm/kasan/common.c:394) 
[ 11.237174][ T1] ? __sanitizer_cov_trace_const_cmp4 (kbuild/obj/consumer/x86_64-randconfig-103-20250426/kernel/kcov.c:316) 
[ 11.237174][ T1] acpi_init (kbuild/obj/consumer/x86_64-randconfig-103-20250426/drivers/acpi/bus.c:1455) 
[ 11.237174][ T1] ? acpi_arch_init+0x20/0x20 
[ 11.237174][ T1] ? fb_console_init (kbuild/obj/consumer/x86_64-randconfig-103-20250426/drivers/video/fbdev/core/fbcon.c:3368) 
[ 11.237174][ T1] ? acpi_arch_init+0x20/0x20 
[ 11.237174][ T1] do_one_initcall (kbuild/obj/consumer/x86_64-randconfig-103-20250426/init/main.c:1257) 
[ 11.237174][ T1] ? rdinit_setup (kbuild/obj/consumer/x86_64-randconfig-103-20250426/init/main.c:1303) 
[ 11.237174][ T1] ? trace_event_raw_event_initcall_level (kbuild/obj/consumer/x86_64-randconfig-103-20250426/init/main.c:1248) 
[ 11.237174][ T1] ? __kmalloc_noprof (kbuild/obj/consumer/x86_64-randconfig-103-20250426/include/trace/events/kmem.h:54 kbuild/obj/consumer/x86_64-randconfig-103-20250426/mm/slub.c:4342 kbuild/obj/consumer/x86_64-randconfig-103-20250426/mm/slub.c:4353) 
[ 11.237174][ T1] do_initcalls (kbuild/obj/consumer/x86_64-randconfig-103-20250426/init/main.c:1318 kbuild/obj/consumer/x86_64-randconfig-103-20250426/init/main.c:1335) 
[ 11.237174][ T1] kernel_init_freeable (kbuild/obj/consumer/x86_64-randconfig-103-20250426/init/main.c:1569) 
[ 11.237174][ T1] ? rest_init (kbuild/obj/consumer/x86_64-randconfig-103-20250426/init/main.c:1449) 
[ 11.237174][ T1] kernel_init (kbuild/obj/consumer/x86_64-randconfig-103-20250426/init/main.c:1459) 
[ 11.237174][ T1] ? rest_init (kbuild/obj/consumer/x86_64-randconfig-103-20250426/init/main.c:1449) 
[ 11.237174][ T1] ret_from_fork (kbuild/obj/consumer/x86_64-randconfig-103-20250426/arch/x86/kernel/process.c:153) 
[ 11.237174][ T1] ? rest_init (kbuild/obj/consumer/x86_64-randconfig-103-20250426/init/main.c:1449) 
[ 11.237174][ T1] ret_from_fork_asm (kbuild/obj/consumer/x86_64-randconfig-103-20250426/arch/x86/entry/entry_64.S:255) 
[   11.237174][    T1] RIP: 2e66:0x0
[ 11.237174][ T1] Code: Unable to access opcode bytes at 0xffffffffffffffd6.

Code starting with the faulting instruction
===========================================
[   11.237174][    T1] RSP: 0084:0000000000000000 EFLAGS: 841f0f2e660000 ORIG_RAX: 2e66000000000084
[   11.237174][    T1] RAX: 0000000000000000 RBX: 2e66000000000084 RCX: 0000000000841f0f
[   11.237174][    T1] RDX: 000000841f0f2e66 RSI: 00841f0f2e660000 RDI: 1f0f2e6600000000
[   11.237174][    T1] RBP: 1f0f2e6600000000 R08: 1f0f2e6600000000 R09: 00841f0f2e660000
[   11.237174][    T1] R10: 000000841f0f2e66 R11: 0000000000841f0f R12: 00841f0f2e660000
[   11.237174][    T1] R13: 000000841f0f2e66 R14: 0000000000841f0f R15: 2e66000000000084
[   11.237174][    T1]  </TASK>
[   11.237174][    T1]
[   11.237174][    T1] The buggy address belongs to the variable:
[ 11.237174][ T1] _acpi_module_name+0x240/0x20c0 
[   11.237174][    T1]
[   11.237174][    T1] The buggy address belongs to the physical page:
[   11.237174][    T1] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x890c1
[   11.237174][    T1] flags: 0x100000000002000(reserved|node=0|zone=1)
[   11.237174][    T1] raw: 0100000000002000 ffffea0002243048 ffffea0002243048 0000000000000000
[   11.237174][    T1] raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000
[   11.237174][    T1] page dumped because: kasan: bad access detected
[   11.237174][    T1] page_owner info is not present (never set?)
[   11.237174][    T1]
[   11.237174][    T1] Memory state around the buggy address:
[   11.237174][    T1]  ffffffffb92c1880: f9 f9 f9 f9 05 f9 f9 f9 f9 f9 f9 f9 00 02 f9 f9
[   11.237174][    T1]  ffffffffb92c1900: f9 f9 f9 f9 00 02 f9 f9 f9 f9 f9 f9 00 03 f9 f9
[   11.237174][    T1] >ffffffffb92c1980: f9 f9 f9 f9 07 f9 f9 f9 f9 f9 f9 f9 06 f9 f9 f9
[   11.237174][    T1]                                                        ^
[   11.237174][    T1]  ffffffffb92c1a00: f9 f9 f9 f9 07 f9 f9 f9 f9 f9 f9 f9 00 f9 f9 f9
[   11.237174][    T1]  ffffffffb92c1a80: f9 f9 f9 f9 07 f9 f9 f9 f9 f9 f9 f9 07 f9 f9 f9
[   11.237174][    T1] ==================================================================


The kernel config and materials to reproduce are available at:
https://download.01.org/0day-ci/archive/20250507/202505071055.2de34dd7-lkp@intel.com
diff mbox series

Patch

diff --git a/drivers/acpi/acpica/exconvrt.c b/drivers/acpi/acpica/exconvrt.c
index bb1be42daee1..399c005aa57b 100644
--- a/drivers/acpi/acpica/exconvrt.c
+++ b/drivers/acpi/acpica/exconvrt.c
@@ -226,8 +226,8 @@  acpi_ex_convert_to_buffer(union acpi_operand_object *obj_desc,
 		/* Copy the string to the buffer */
 
 		new_buf = return_desc->buffer.pointer;
-		strncpy((char *)new_buf, (char *)obj_desc->string.pointer,
-			obj_desc->string.length);
+		memcpy((char *)new_buf, (char *)obj_desc->string.pointer,
+		       obj_desc->string.length);
 		break;
 
 	default:
diff --git a/drivers/acpi/acpica/tbfind.c b/drivers/acpi/acpica/tbfind.c
index 1c1b2e284bd9..35f72dffc250 100644
--- a/drivers/acpi/acpica/tbfind.c
+++ b/drivers/acpi/acpica/tbfind.c
@@ -57,8 +57,8 @@  acpi_tb_find_table(char *signature,
 
 	memset(&header, 0, sizeof(struct acpi_table_header));
 	ACPI_COPY_NAMESEG(header.signature, signature);
-	strncpy(header.oem_id, oem_id, ACPI_OEM_ID_SIZE);
-	strncpy(header.oem_table_id, oem_table_id, ACPI_OEM_TABLE_ID_SIZE);
+	memcpy(header.oem_id, oem_id, ACPI_OEM_ID_SIZE);
+	memcpy(header.oem_table_id, oem_table_id, ACPI_OEM_TABLE_ID_SIZE);
 
 	/* Search for the table */
 
diff --git a/drivers/acpi/acpica/utnonansi.c b/drivers/acpi/acpica/utnonansi.c
index ff0802ace19b..803e3e893825 100644
--- a/drivers/acpi/acpica/utnonansi.c
+++ b/drivers/acpi/acpica/utnonansi.c
@@ -168,7 +168,7 @@  void acpi_ut_safe_strncpy(char *dest, char *source, acpi_size dest_size)
 {
 	/* Always terminate destination string */
 
-	strncpy(dest, source, dest_size);
+	memcpy(dest, source, dest_size);
 	dest[dest_size - 1] = 0;
 }
 
diff --git a/include/acpi/actypes.h b/include/acpi/actypes.h
index 5b9f9a612548..e90ca342d7de 100644
--- a/include/acpi/actypes.h
+++ b/include/acpi/actypes.h
@@ -522,7 +522,7 @@  typedef u64 acpi_integer;
 #define ACPI_COPY_NAMESEG(dest,src)     (*ACPI_CAST_PTR (u32, (dest)) = *ACPI_CAST_PTR (u32, (src)))
 #else
 #define ACPI_COMPARE_NAMESEG(a,b)       (!strncmp (ACPI_CAST_PTR (char, (a)), ACPI_CAST_PTR (char, (b)), ACPI_NAMESEG_SIZE))
-#define ACPI_COPY_NAMESEG(dest,src)     (strncpy (ACPI_CAST_PTR (char, (dest)), ACPI_CAST_PTR (char, (src)), ACPI_NAMESEG_SIZE))
+#define ACPI_COPY_NAMESEG(dest,src)     (memcpy (ACPI_CAST_PTR (char, (dest)), ACPI_CAST_PTR (char, (src)), ACPI_NAMESEG_SIZE))
 #endif
 
 /* Support for the special RSDP signature (8 characters) */