From: Mykyta Yatsenko Date: Tue, 22 Apr 2025 13:14:49 +0000 (+0100) Subject: maccess: fix strncpy_from_user_nofault() empty string handling X-Git-Tag: v6.16-rc1~91^2~38 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=3dc32adf98147b36b25dc579bb438c9ea086b1b4;p=thirdparty%2Flinux.git maccess: fix strncpy_from_user_nofault() empty string handling strncpy_from_user_nofault() should return the length of the copied string including the trailing NUL, but if the argument unsafe_addr points to an empty string ({'\0'}), the return value is 0. This happens as strncpy_from_user() copies terminal symbol into dst and returns 0 (as expected), but strncpy_from_user_nofault does not modify ret as it is not equal to count and not greater than 0, so 0 is returned, which contradicts the contract. Link: https://lkml.kernel.org/r/20250422131449.57177-1-mykyta.yatsenko5@gmail.com Signed-off-by: Mykyta Yatsenko Reviewed-by: Andrii Nakryiko Cc: "Masami Hiramatsu (Google)" Cc: Steven Rostedt Cc: Kees Cook Signed-off-by: Andrew Morton --- diff --git a/mm/maccess.c b/mm/maccess.c index 8f0906180a944..831b4dd7296c0 100644 --- a/mm/maccess.c +++ b/mm/maccess.c @@ -196,7 +196,7 @@ long strncpy_from_user_nofault(char *dst, const void __user *unsafe_addr, if (ret >= count) { ret = count; dst[ret - 1] = '\0'; - } else if (ret > 0) { + } else if (ret >= 0) { ret++; }