Re: the nul-terminated string helper desk chair rearrangement

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Kees Cook <keescook@chromium.org>
To: Christoph Hellwig <hch@lst.de>
Cc: Justin Stitt <justinstitt@google.com>,
	Keith Busch <kbusch@kernel.org>, Jens Axboe <axboe@kernel.dk>,
	Sagi Grimberg <sagi@grimberg.me>,
	linux-nvme@lists.infradead.org, linux-kernel@vger.kernel.org,
	linux-hardening@vger.kernel.org, ksummit@lists.linux.dev
Subject: Re: the nul-terminated string helper desk chair rearrangement
Date: Wed, 18 Oct 2023 23:01:54 -0700	[thread overview]
Message-ID: <202310182248.9E197FFD5@keescook> (raw)
In-Reply-To: <20231019054642.GF14346@lst.de>

On Thu, Oct 19, 2023 at 07:46:42AM +0200, Christoph Hellwig wrote:
> On Wed, Oct 18, 2023 at 10:48:49PM +0000, Justin Stitt wrote:
> > strncpy() is deprecated for use on NUL-terminated destination strings
> > [1] and as such we should prefer more robust and less ambiguous string
> > interfaces.
> 
> If we want that we need to stop pretendening direct manipulation of
> nul-terminate strings is a good idea.  I suspect the churn of replacing
> one helper with another, maybe slightly better, one probably
> introduces more bugs than it fixes.
> 
> If we want to attack the issue for real we need to use something
> better.
> 
> lib/seq_buf.c is a good start for a lot of simple cases that just
> append to strings including creating complex ones.  Kent had a bunch
> of good ideas on how to improve it, but couldn't be convinced to
> contribute to it instead of duplicating the functionality which
> is a bit sad, but I think we need to switch to something like
> seq_buf that actually has a counted string instead of all this messing
> around with the null-terminated strings.

When doing more complex string creation, I agree. I spent some time
doing this while I was looking at removing strcat() and strlcat(); this
is where seq_buf shines. (And seq_buf is actually both: it maintains its
%NUL termination _and_ does the length counting.) The only thing clunky
about it was initialization, but all the conversions I experimented with
were way cleaner using seq_buf. I even added a comment to strlcat()'s
kern-doc to aim folks at seq_buf. :)

/**
 * strlcat - Append a string to an existing string
...
 * Do not use this function. While FORTIFY_SOURCE tries to avoid
 * read and write overflows, this is only possible when the sizes
 * of @p and @q are known to the compiler. Prefer building the
 * string with formatting, via scnprintf(), seq_buf, or similar.

Almost all of the remaining strncpy() usage is just string to string
copying, but the corner cases that are being spun out that aren't
strscpy() or strscpy_pad() are covered by strtomem(), kmemdup_nul(),
and memcpy(). Each of these are a clear improvement since they remove
the ambiguity of the intended behavior. Using seq_buf ends up being way
more overhead than is needed.

-Kees

-- 
Kees Cook

next prev parent reply	other threads:[~2023-10-19  6:01 UTC|newest]

Thread overview: 23+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2023-10-18 22:48 [PATCH] nvme-fabrics: replace deprecated strncpy with strscpy Justin Stitt
2023-10-19  5:46 ` the nul-terminated string helper desk chair rearrangement, was: " Christoph Hellwig
2023-10-19  6:01   ` Kees Cook [this message]
2023-10-19  7:01     ` the nul-terminated string helper desk chair rearrangement Willy Tarreau
2023-10-19 11:40       ` Alexey Dobriyan
2023-10-19 12:00         ` Willy Tarreau
2023-10-20  4:46     ` Christoph Hellwig
2023-10-20 17:40       ` Justin Stitt
2023-10-20 17:56         ` Linus Torvalds
2023-10-20 18:22           ` Kees Cook
2023-10-20 18:30         ` Kees Cook
2023-10-26 10:01           ` Christoph Hellwig
2023-10-26 11:39             ` James Bottomley
2023-10-26 13:52               ` Steven Rostedt
2023-10-26 13:59                 ` Geert Uytterhoeven
2023-10-27 18:32                   ` Alexey Dobriyan
2023-10-26 14:05                 ` Jonathan Corbet
2023-10-27  7:08                   ` Kalle Valo
2023-10-26 13:44             ` Andrew Lunn
2023-10-26 13:51               ` Laurent Pinchart
2023-10-26 14:27               ` James Bottomley
2023-10-19  5:47 ` [PATCH] nvme-fabrics: replace deprecated strncpy with strscpy Kees Cook
2023-11-30 22:00 ` Kees Cook

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=202310182248.9E197FFD5@keescook \
    --to=keescook@chromium.org \
    --cc=axboe@kernel.dk \
    --cc=hch@lst.de \
    --cc=justinstitt@google.com \
    --cc=kbusch@kernel.org \
    --cc=ksummit@lists.linux.dev \
    --cc=linux-hardening@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-nvme@lists.infradead.org \
    --cc=sagi@grimberg.me \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.