From: Kees Cook <keescook@chromium.org>
To: Bagas Sanjaya <bagasdotme@gmail.com>
Cc: Geert Uytterhoeven <geert@linux-m68k.org>,
Wolfram Sang <wsa+renesas@sang-engineering.com>,
Nick Desaulniers <ndesaulniers@google.com>,
Guenter Roeck <linux@roeck-us.net>,
Linus Torvalds <torvalds@linux-foundation.org>,
Jonathan Corbet <corbet@lwn.net>, Len Baker <len.baker@gmx.com>,
"Gustavo A. R. Silva" <gustavoars@kernel.org>,
Francis Laniel <laniel_francis@privacyrequired.com>,
Paolo Abeni <pabeni@redhat.com>,
linux-kernel@vger.kernel.org, linux-doc@vger.kernel.org,
linux-hardening@vger.kernel.org
Subject: Re: [PATCH v2] string: Introduce strtomem() and strtomem_pad()
Date: Fri, 2 Sep 2022 13:56:41 -0700
Message-ID: <202209021352.549A5D5@keescook>
In-Reply-To: <88e8b096-aa04-2447-cb21-a83b5e57e963@gmail.com>
On Fri, Sep 02, 2022 at 08:53:34AM +0700, Bagas Sanjaya wrote:
> On 9/2/22 02:09, Kees Cook wrote:
> > One of the "legitimate" uses of strncpy() is copying a NUL-terminated
> > string into a fixed-size non-NUL-terminated character array. To avoid
> > the weaknesses and ambiguity of intent when using strncpy(), provide
> > replacement functions that explicitly distinguish between trailing
> > padding and not, and require the destination buffer size be discoverable
> > by the compiler.
> > For example:
> >
> > struct obj {
> >         int foo;
> >         char small[4] __nonstring;
> >         char big[8] __nonstring;
> >         int bar;
> > };
> >
> > struct obj p;
> >
> > /* This will truncate to 4 chars with no trailing NUL */
> > strncpy(p.small, "hello", sizeof(p.small));
> > /* p.small contains 'h', 'e', 'l', 'l' */
> >
> > /* This will NUL pad to 8 chars. */
> > strncpy(p.big, "hello", sizeof(p.big));
> > /* p.big contains 'h', 'e', 'l', 'l', 'o', '\0', '\0', '\0' */
> >
> > When the "__nonstring" attributes are missing, the intent of the
> > programmer becomes ambiguous for whether the lack of a trailing NUL
> > in the p.small copy is a bug. Additionally, it's not clear whether
> > the trailing padding in the p.big copy is _needed_. Both cases
> > become unambiguous with:
> >
> > strtomem(p.small, "hello");
> > strtomem_pad(p.big, "hello", 0);
> >
> > See also https://github.com/KSPP/linux/issues/90
> >
>
> Shouldn't strscpy() do the job?
strscpy() will always NUL-terminate. If someone is moving a
NUL-terminated string to a fixed-length buffer (that is _not_
NUL-terminated), using strscpy() will force the final byte to be 0x00,
which will likely be a regression. For example:
struct wifi_driver {
        ...
        char essid[8];
        ...
};

struct wifi_driver fw;
char *essid = "12345678";

strncpy(fw.essid, essid, sizeof(fw.essid));
fw.essid will contain: 1 2 3 4 5 6 7 8

strscpy(fw.essid, essid, sizeof(fw.essid));
fw.essid will contain: 1 2 3 4 5 6 7 '\0'
--
Kees Cook
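The difference described in this reply, shown in runnable userspace C as an added example (not code from the patch or from the thread): demo_strscpy() and demo_strtomem_pad() are stand-ins that model the kernel semantics, and essid_last_byte(), struct wifi_driver and the enum are constructed for the demo; the kernel's real strtomem() derives the destination size from __builtin_object_size() rather than taking it as a parameter.

```c
#define _POSIX_C_SOURCE 200809L   /* for strnlen() */
#include <stddef.h>
#include <string.h>
/* Fixed-size field that is deliberately not NUL-terminated, as in the
 * wifi_driver example above (constructed for this demo). */
#define ESSID_LEN 8
struct wifi_driver { char essid[ESSID_LEN]; };

/* Userspace stand-in for the kernel's strscpy(): copies at most size-1
 * bytes and always writes a NUL; returns -1 (for -E2BIG) on truncation. */
static long demo_strscpy(char *dest, const char *src, size_t size)
{
	size_t len = strnlen(src, size);
	if (len == size) {		/* src plus its NUL does not fit */
		memcpy(dest, src, size - 1);
		dest[size - 1] = '\0';
		return -1;
	}
	memcpy(dest, src, len + 1);
	return (long)len;
}

/* Userspace model of strtomem_pad(): copy up to dest_len bytes of src with
 * no NUL and fill the rest with pad. strtomem() is the same copy without
 * the fill. The kernel derives dest_len from __builtin_object_size(); here
 * the caller passes it explicitly. */
static void demo_strtomem_pad(char *dest, size_t dest_len, const char *src,
			      char pad)
{
	size_t len = strnlen(src, dest_len);
	memcpy(dest, src, len);
	memset(dest + len, pad, dest_len - len);
}

enum copier { COPY_STRNCPY, COPY_STRSCPY, COPY_STRTOMEM, COPY_STRTOMEM_PAD };

/* Copy src into a fresh essid with the chosen function and return the last
 * slot. The field is pre-filled with 'X' so untouched bytes stay visible. */
char essid_last_byte(enum copier how, const char *src)
{
	struct wifi_driver fw;
	memset(&fw, 'X', sizeof(fw));
	switch (how) {
	case COPY_STRNCPY:  strncpy(fw.essid, src, sizeof(fw.essid)); break;
	case COPY_STRSCPY:  demo_strscpy(fw.essid, src, sizeof(fw.essid)); break;
	case COPY_STRTOMEM: memcpy(fw.essid, src, strnlen(src, sizeof(fw.essid))); break;
	default:            demo_strtomem_pad(fw.essid, sizeof(fw.essid), src, 0);
	}
	return fw.essid[ESSID_LEN - 1];
}
```

With an 8-byte source, strncpy() and strtomem() keep the final '8' while the strscpy() stand-in overwrites it with '\0'; with "hello", strncpy() and strtomem_pad() zero the tail while strtomem() leaves it untouched.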