From: David Laight <david.laight.linux@gmail.com>
To: Kees Cook <kees@kernel.org>
Cc: linux-hardening@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH next 2/3] fortify: Optimise strnlen()
Date: Fri, 3 Apr 2026 09:50:08 +0100
Message-ID: <20260403095008.6efbaf11@pumpkin>
In-Reply-To: <202603311650.A59396A@keescook>
On Tue, 31 Mar 2026 16:51:26 -0700
Kees Cook <kees@kernel.org> wrote:
> On Tue, Mar 31, 2026 at 11:09:14PM +0100, David Laight wrote:
> > Any uses should be replaced by __builtin_strlen().
>
> When I looked at this before, __builtin_strlen() flips to run-time strlen
> on non-constant strings, which is why I had to jump through all the
> hoops to avoid calling it in those cases.
>
Thinks further.
Can you remember anywhere where:
	len = __builtin_strlen(x);
	if (__builtin_constant_p(len))
		...
actually called strlen() for a non-constant string?
I did do some tests and it was always optimised away.
I might try getting all this code to use a renamed strlen() and
then scan the entire kernel for references to strlen() itself.
There might be a small number of valid ones, but I'd expect most
would come from the compiler.
(Or get the compiler to generate 'rep scasb' and look for that.)
I suspect it might be enough to check that both str and str[0]
are constant before calling __builtin_strlen() and then check
the returned length is constant.
All the checks might be needed for:
str = cond ? "four" : "f\0ur";
since the compiler might realise that str[0] is always 'f' and
str[4] always 0 - but strlen differs.
However I suspect that __builtin_constant_p(array[index]) currently
requires that both the array and index are constant.
So testing array[0] is equivalent.
Given it needs all the separate paths, writing strscpy with:
	if (__builtin_constant_p(src[0])) {
		len = __builtin_strlen(src);
		if (__builtin_constant_p(len)) {
			/* code for constant length */
			return xxx;
		}
	}
	/* code for non-constant length */
One thing I did notice is that for:
	char src[32];
	char dst[32];
	void func(void)
	{
		strscpy(dst, src, 32);
	}
it seems to generate a call to strnlen() followed by a call to
strscpy_sized().
That seems wrong, since all three lengths are 32 it should be
safe to just call strscpy_sized().
And having done the strnlen() it ought to use memcpy().
But, really most of that ought to be moved into the called function.
So you want:
	int strcpy_sized(char *dst, const char *src, size_t dst_len, size_t src_len);
where the wrapper fills in src_len.
David
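The pattern discussed in this thread, as an added example that is not the kernel's fortify code and not David's or Kees's code: a bounded copy with the four-argument shape suggested above (`dst_len` and `src_len` passed separately), and a wrapper that follows the `__builtin_constant_p(src[0])` then `__builtin_constant_p(len)` sequence so the source length is only scanned at run time when the compiler cannot fold it. Every `example_` name, the `-1` return on truncation, the run-time-path counter and the constructed sample inputs are assumptions of this example. It also exercises the `cond ? "four" : "f\0ur"` case from the mail, which must land on the run-time path because the length does not fold to a constant.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Added example, not the kernel's fortify code. All example_ names, the
 * return convention and the sample inputs are hypothetical.
 */

/* Counts how often the non-constant (run-time length) path was taken. */
static int example_runtime_len_calls;

/*
 * Never reads past src_len bytes of src, never writes past dst_len bytes
 * of dst, and always NUL-terminates when dst_len > 0.
 * Returns the number of bytes copied (excluding the NUL), or -1 when the
 * source did not fit and was truncated (a convention chosen for this example).
 */
static long example_strcpy_sized(char *dst, const char *src,
                                 size_t dst_len, size_t src_len)
{
    size_t len = 0;

    if (dst_len == 0)
        return -1;

    /* Bounded scan: stop at the NUL or at src_len, whichever comes first. */
    while (len < src_len && src[len] != '\0')
        len++;

    if (len >= dst_len) {
        /* Does not fit: copy what there is room for and terminate. */
        memcpy(dst, src, dst_len - 1);
        dst[dst_len - 1] = '\0';
        return -1;
    }
    memcpy(dst, src, len);
    dst[len] = '\0';
    return (long)len;
}

/*
 * Run-time path: the wrapper knows nothing beyond the destination size, so
 * that is also used as the read bound (the caller guarantees src is either
 * NUL-terminated or at least that large).
 */
static long example_strscpy_runtime(char *dst, const char *src, size_t size)
{
    example_runtime_len_calls++;
    return example_strcpy_sized(dst, src, size, size);
}

/*
 * A macro rather than a function so __builtin_constant_p() sees the caller's
 * actual argument. Only when both src[0] and __builtin_strlen(src) fold to
 * constants is the exact source length passed in; src is then a literal, so
 * evaluating it twice is harmless. For "cond ? \"four\" : \"f\\0ur\"" the
 * first char may fold to 'f' but the length is (cond ? 4 : 1) at best, not a
 * constant, so that case takes the run-time path.
 */
#define example_strscpy(dst, src, size)                                   \
    (__builtin_constant_p((src)[0]) &&                                    \
     __builtin_constant_p(__builtin_strlen(src))                          \
         ? example_strcpy_sized((dst), (src), (size),                     \
                                __builtin_strlen(src) + 1)                \
         : example_strscpy_runtime((dst), (src), (size)))

/* Non-constant source: a global array filled at run time (constructed). */
static char example_src_array[32];

static long example_copy_from_array(char *dst, size_t size)
{
    memcpy(example_src_array, "runtime", 8);   /* 7 chars plus NUL */
    /* Memory clobber: stops the optimiser folding the array contents. */
    __asm__ __volatile__("" ::: "memory");
    return example_strscpy(dst, example_src_array, size);
}

/* The conditional-literal case discussed in the mail. */
static long example_copy_cond(char *dst, size_t size, int cond)
{
    const char *str = cond ? "four" : "f\0ur";

    return example_strscpy(dst, str, size);
}

int main(void)
{
    char buf[8];
    long n;

    n = example_strscpy(buf, "four", sizeof buf);
    printf("literal:   %ld \"%s\"\n", n, buf);
    n = example_strscpy(buf, "longer than eight", sizeof buf);
    printf("truncated: %ld \"%s\"\n", n, buf);
    n = example_copy_from_array(buf, sizeof buf);
    printf("array:     %ld \"%s\" (run-time path taken %d time(s))\n",
           n, buf, example_runtime_len_calls);
    n = example_copy_cond(buf, sizeof buf, 0);
    printf("cond=0:    %ld \"%s\"\n", n, buf);
    return 0;
}
```

Whichever path the wrapper picks, `example_strcpy_sized()` scans no further than the smaller of `src_len` and the first NUL, so a wrong constant-folding decision can only cost a run-time scan, never an over-read. The `asm` memory clobber after the `memcpy` is what keeps the array case on the run-time path even at high optimisation, where the compiler's strlen tracking could otherwise fold the length of a freshly copied literal.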