From: Solar Designer <solar@openwall.com>
To: Dan Carpenter <dan.carpenter@oracle.com>
Cc: linux-kernel@vger.kernel.org, linux-acpi@vger.kernel.org,
devel@acpica.org, kernel-hardening@lists.openwall.com,
Kees Cook <keescook@chromium.org>, Dave Jones <davej@redhat.com>,
Andrew Morton <akpm@linux-foundation.org>
Subject: Re: [patch] lib: check for strcpy() overflows to fixed length buffers
Date: Thu, 1 May 2014 08:06:02 +0400 [thread overview]
Message-ID: <20140501040602.GA24961@openwall.com> (raw)
In-Reply-To: <20140430150844.GA10621@mwanda>
On Wed, Apr 30, 2014 at 06:08:44PM +0300, Dan Carpenter wrote:
> There are sometimes where we know that we are doing an strcpy() into a
> fixed length buffer. In those cases, we could verify that the strcpy()
> doesn't overflow. This patch introduces DEBUG_STRICT_SLOW_STRCPY_CHECKS
> if you want to check for that.
FWIW, I had posted similar macros for userland strcpy() and friends to
the security-audit list (now defunct) in 1998. Someone preserved a copy
here (although the indentation is lost):
http://www.opennet.ru/soft/0432.html
In (weird) use, with proper indentation:
http://www.merit.edu/mail.archives/nanog/2000-02/msg00366.html
https://github.com/tureba/trinoo/blob/master/strfix.h
Personally, I was using this at the time for building known-broken
software like wu-ftpd, where the risk of false positives felt lower than
the risk of buffer overflow bugs being in fact present in the code.
I used gcc's Statement Exprs extension, which is also used in the Linux
kernel a lot:
http://gcc.gnu.org/onlinedocs/gcc/Statement-Exprs.html
So maybe you should, too. (That is, if you want to go ahead with this
approach for code that isn't meant to be as broken as wu-ftpd was.)
This lets us propagate the original return value.
To determine the destination buffer size, I simply used sizeof() and
skipped my added protection in case the size looked like that of a
pointer. Now you have those nice new gcc features instead. :-)
> The downside is that it makes strcpy slower.
I guess the slowdown is mostly from the added strlen(). I avoided it by
using strncat(), so I had truncation instead of detection. It is
unclear which is better.
Other functions I did this for are strcat(), sprintf(), vsprintf().
Alexander
next prev parent reply other threads:[~2014-05-01 4:06 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-04-30 15:08 [patch] lib: check for strcpy() overflows to fixed length buffers Dan Carpenter
2014-04-30 15:33 ` Kees Cook
2014-04-30 16:19 ` Dan Carpenter
2014-04-30 16:44 ` Kees Cook
2014-04-30 19:49 ` Rafael J. Wysocki
2014-04-30 20:15 ` Dan Carpenter
2014-05-05 0:19 ` Zheng, Lv
2014-05-06 12:41 ` Dan Carpenter
2014-05-01 4:06 ` Solar Designer [this message]
2014-05-01 7:45 ` Dan Carpenter
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20140501040602.GA24961@openwall.com \
--to=solar@openwall.com \
--cc=akpm@linux-foundation.org \
--cc=dan.carpenter@oracle.com \
--cc=davej@redhat.com \
--cc=devel@acpica.org \
--cc=keescook@chromium.org \
--cc=kernel-hardening@lists.openwall.com \
--cc=linux-acpi@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).