All of lore.kernel.org
 help / color / mirror / Atom feed
From: Kees Cook <keescook@chromium.org>
To: Joe Perches <joe@perches.com>
Cc: "Russell King (Oracle)" <linux@armlinux.org.uk>,
	"Len Baker" <len.baker@gmx.com>,
	"Dmitry Torokhov" <dmitry.torokhov@gmail.com>,
	"Lee Jones" <lee.jones@linaro.org>,
	"Uwe Kleine-König" <u.kleine-koenig@pengutronix.de>,
	linux-hardening@vger.kernel.org, linux-input@vger.kernel.org,
	linux-kernel@vger.kernel.org
Subject: Re: [PATCH] drivers/input: Remove all strcpy() uses in favor of strscpy()
Date: Mon, 2 Aug 2021 09:13:08 -0700	[thread overview]
Message-ID: <202108020912.3807510B4B@keescook> (raw)
In-Reply-To: <4962ac72a94bc5826960dab855b5e2f47a4d1b9a.camel@perches.com>

On Sun, Aug 01, 2021 at 09:55:28AM -0700, Joe Perches wrote:
> On Sun, 2021-08-01 at 09:39 -0700, Joe Perches wrote:
> > On Sun, 2021-08-01 at 16:00 +0100, Russell King (Oracle) wrote:
> > > On Sun, Aug 01, 2021 at 04:43:16PM +0200, Len Baker wrote:
> > > > strcpy() performs no bounds checking on the destination buffer. This
> > > > could result in linear overflows beyond the end of the buffer, leading
> > > > to all kinds of misbehaviors. The safe replacement is strscpy().
> []
> > > So if the string doesn't fit, it's fine to silently truncate it?
> > > 
> > > Rather than converting every single strcpy() in the kernel to
> > > strscpy(), maybe there should be some consideration given to how the
> > > issue of a strcpy() that overflows the buffer should be handled.
> > > E.g. in the case of a known string such as the above, if it's longer
> > > than the destination, should we find a way to make the compiler issue
> > > a warning at compile time?
> 
> (apologies for the earlier blank reply, sometimes I dislike my email client)
> 
> stracpy could do that with a trivial addition like below:
> 
> Old lkml references:
> 
> https://lore.kernel.org/lkml/cover.1563889130.git.joe@perches.com/
> and
> https://lore.kernel.org/lkml/56dc4de7e0db153cb10954ac251cb6c27c33da4a.camel@perches.com/
> 
> But Linus T wants a copy_string mechanism instead:
> https://lore.kernel.org/lkml/CAHk-=wgqQKoAnhmhGE-2PBFt7oQs9LLAATKbYa573UO=DPBE0Q@mail.gmail.com/
> 
> /**
>  * stracpy - Copy a C-string into an array of char/u8/s8 or equivalent
>  * @dest: Where to copy the string, must be an array of char and not a pointer
>  * @src: String to copy, may be a pointer or const char array
>  *
>  * Helper for strscpy().
>  * Copies a maximum of sizeof(@dest) bytes of @src with %NUL termination.
>  *
>  * A BUILD_BUG_ON is used for cases where @dest is not a char array or
>  * @src is a char array and is larger than @dest.
>  *
>  * Returns:
>  * * The number of characters copied (not including the trailing %NUL)
>  * * -E2BIG if @dest is a zero size array or @src was truncated.
>  */
> #define stracpy(dest, src)						\
> ({									\
> 	BUILD_BUG_ON(!(__same_type(dest, char[]) ||			\
> 		       __same_type(dest, unsigned char[]) ||		\
> 		       __same_type(dest, signed char[])));		\
> 	BUILD_BUG_ON((__same_type(src, char[]) ||			\
> 		      __same_type(src, unsigned char[]) ||		\
> 		      __same_type(src, signed char[])) &&		\
> 		     ARRAY_SIZE(src) > ARRAY_SIZE(dest));		\
> 									\
> 	strscpy(dest, src, ARRAY_SIZE(dest));				\
> })

I'm wondering, instead, if we could convert strcpy() into this instead
of adding another API? I.e. convert all the places that warn (if this
were strcpy), and then land the conversion.

-- 
Kees Cook

  reply	other threads:[~2021-08-02 16:13 UTC|newest]

Thread overview: 16+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2021-08-01 14:43 [PATCH] drivers/input: Remove all strcpy() uses in favor of strscpy() Len Baker
2021-08-01 15:00 ` Russell King (Oracle)
2021-08-01 15:57   ` Len Baker
2021-08-01 16:44     ` Kees Cook
2021-08-01 17:19       ` Dmitry Torokhov
2021-08-02 16:17         ` Kees Cook
2021-08-03  7:07       ` Kees Cook
2021-08-03  7:18         ` Hans Verkuil
2021-08-07 14:02       ` Len Baker
2021-08-07 15:17         ` Joe Perches
2021-08-08 11:30           ` Len Baker
2021-08-01 16:39   ` Joe Perches
2021-08-01 16:55     ` Joe Perches
2021-08-02 16:13       ` Kees Cook [this message]
2021-08-02 18:57         ` Joe Perches
2021-08-07 14:10           ` Len Baker

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=202108020912.3807510B4B@keescook \
    --to=keescook@chromium.org \
    --cc=dmitry.torokhov@gmail.com \
    --cc=joe@perches.com \
    --cc=lee.jones@linaro.org \
    --cc=len.baker@gmx.com \
    --cc=linux-hardening@vger.kernel.org \
    --cc=linux-input@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux@armlinux.org.uk \
    --cc=u.kleine-koenig@pengutronix.de \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.