From: David Laight <david.laight.linux@gmail.com>
To: "Theodore Ts'o" <tytso@mit.edu>
Cc: Kees Cook <kees@kernel.org>,
Ethan Carter Edwards <ethan@ethancedwards.com>,
Andreas Dilger <adilger.kernel@dilger.ca>,
linux-ext4@vger.kernel.org, linux-kernel@vger.kernel.org,
linux-hardening@vger.kernel.org
Subject: Re: [PATCH v2] ext4: replace strcpy() with '.' assignment
Date: Fri, 23 May 2025 13:31:00 +0100 [thread overview]
Message-ID: <20250523133100.1b023a6e@pumpkin> (raw)
In-Reply-To: <20250519145930.GB38098@mit.edu>
On Mon, 19 May 2025 10:59:30 -0400
"Theodore Ts'o" <tytso@mit.edu> wrote:
> On Mon, May 19, 2025 at 06:52:13AM -0700, Kees Cook wrote:
> > > --- a/fs/ext4/inline.c
> > > +++ b/fs/ext4/inline.c
> > > @@ -1314,7 +1314,7 @@ int ext4_inlinedir_to_tree(struct file *dir_file,
> > > if (pos == 0) {
> > > fake.inode = cpu_to_le32(inode->i_ino);
> > > fake.name_len = 1;
> > > - strcpy(fake.name, ".");
> > > + fake.name[0] = ".";
> >
> > This means the trailing NUL byte isn't being copied any more? That seems
> > like a big change, even if name_len is being used for length tracking.
>
> Yeah, and so that's something that needs to be tested (and not just
> build tested to catch the obvious FTBFS bug).
The compiler (or headers files) can also allow strcpy() of constant
length strings into arrays (known size). Erroring requests that are too long.
The strcpy() is then converted to a memcpy() which can then be optimised
into writes of constants.
So using strcpy() under those conditions 'isn't all bad' and can generate
better (and less bug prone) code than trying to hand-optimise it.
So even through strcpy() is usually a bad idea, there is not need to
remove the calls that the compiler can validate as safe.
David
> However, note how we
> handle normal filenames, as opposed to "." and "..". From
> ext4_insert_dentry():
>
> de->inode = cpu_to_le32(inode->i_ino);
> ext4_set_de_type(inode->i_sb, de, inode->i_mode);
> de->name_len = fname_len(fname);
> memcpy(de->name, fname_name(fname), fname_len(fname));
>
> Or were you commenting on the "no functional changes intended" line in
> the commit description? I agree that this is probably no longer
> accurate. :-)
>
> - Ted
>
next prev parent reply other threads:[~2025-05-23 12:31 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-05-19 3:54 [PATCH v2] ext4: replace strcpy() with '.' assignment Ethan Carter Edwards
2025-05-19 5:58 ` kernel test robot
2025-05-19 13:56 ` Theodore Ts'o
2025-05-19 5:58 ` kernel test robot
2025-05-19 13:52 ` Kees Cook
2025-05-19 14:59 ` Theodore Ts'o
2025-05-23 12:31 ` David Laight [this message]
2025-05-23 14:24 ` Theodore Ts'o
2025-05-23 17:14 ` Kees Cook
2025-05-23 22:07 ` Theodore Ts'o
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20250523133100.1b023a6e@pumpkin \
--to=david.laight.linux@gmail.com \
--cc=adilger.kernel@dilger.ca \
--cc=ethan@ethancedwards.com \
--cc=kees@kernel.org \
--cc=linux-ext4@vger.kernel.org \
--cc=linux-hardening@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=tytso@mit.edu \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox