Re: [PATCH v3 1/3] string: Make stpcpy() possible to use

linux-kernel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

From: Kees Cook <keescook@chromium.org>
To: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Cc: Nick Desaulniers <ndesaulniers@google.com>,
	Francis Laniel <laniel_francis@privacyrequired.com>,
	Petr Mladek <pmladek@suse.com>,
	linux-kernel@vger.kernel.org, Andy Shevchenko <andy@kernel.org>,
	Steven Rostedt <rostedt@goodmis.org>,
	Sergey Senozhatsky <senozhatsky@chromium.org>,
	Rasmus Villemoes <linux@rasmusvillemoes.dk>,
	kernel test robot <lkp@intel.com>,
	Nathan Chancellor <natechancellor@gmail.com>
Subject: Re: [PATCH v3 1/3] string: Make stpcpy() possible to use
Date: Wed, 26 Jan 2022 13:09:58 -0800	[thread overview]
Message-ID: <202201261300.68D0EEB8@keescook> (raw)
In-Reply-To: <YfGPBi2VWlRHqxXe@smile.fi.intel.com>

On Wed, Jan 26, 2022 at 08:12:22PM +0200, Andy Shevchenko wrote:
> On Wed, Jan 26, 2022 at 09:49:38AM -0800, Nick Desaulniers wrote:
> > On Wed, Jan 26, 2022 at 6:19 AM Andy Shevchenko
> > <andriy.shevchenko@linux.intel.com> wrote:
> > >
> > > It is a good rule to avoid submitting code without users.
> > > Currently the stpcpy() is unusable due to missed declaration.
> > > Any attempts to use it will bring something like:
> > >
> > >   error: implicit declaration of function ‘stpcpy’ [-Werror=implicit-function-declaration]
> > >
> > > Move declaration to the header and guard it as other string functions.
> 
> ...
> 
> > Recall the discussion from Kees:
> > https://lore.kernel.org/lkml/CAK7LNAQXo5-5W6hvNMEVPBPf3tRWaf-pQdSR-0OHyi4RCGhjsQ@mail.gmail.com/
> > and
> > https://lore.kernel.org/lkml/202008150921.B70721A359@keescook/
> 
> For the record :-)
> https://lore.kernel.org/lkml/CAHp75VfniSw3AFTyyDk2OoAChGx7S6wF7sZKpJXNHmk97BoRXA@mail.gmail.com/
> [...
> strcpy() is not a bad API for the cases when you know what you are
> doing. A problem that most of the developers do not know what they are
> doing.
> No need to split everything to bad and good by its name or semantics,
> each API has its own pros and cons and programmers must use their
> brains.
> ...]

Developers should not need to remember to avoid foot-guns; the toolchain
should be doing all of that. The trouble is that C (and its standard
libs) are filled with foot-guns.

I do not want to add another foot-gun API to the kernel; we've been
working very hard to _remove_ them. :) If the kernel's stpcpy() _only_
worked on all known-size strings, etc, so that memory safety could be
determined at compile-time, then I'd have no objection.

What's not clear to me is if such macro versions would be workable for
the reason stpcpy() was added in the first place, which was the compiler
transforming other calls stuff into library calls it thinks are defined.

Totally untested:

#define stpcpy(dst, src) ({					\
	size_t _stp__dst = __builtin_object_size(dst, 1);	\
	size_t _stp__src = __builtin_object_size(src, 1);	\
								\
	BUILD_BUG_ON(_stp__dst == -1 || _stp__src == -1);	\
	BUILD_BUG_ON(_stp__src > _stp__dst);			\
								\
	__builtin_stpcpy(dst, src);				\
})

(Is there even a __builtin_stpcpy()?)

-- 
Kees Cook

     prev parent reply	other threads:[~2022-01-26 21:10 UTC|newest]

Thread overview: 12+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2022-01-26 14:19 [PATCH v3 1/3] string: Make stpcpy() possible to use Andy Shevchenko
2022-01-26 14:19 ` [PATCH v3 2/3] vsprintf: Fix potential unaligned access Andy Shevchenko
2022-01-26 14:19 ` [PATCH v3 3/3] vsprintf: Move space out of string literals in fourcc_string() Andy Shevchenko
2022-01-26 21:22   ` Kees Cook
2022-01-27 11:04     ` Sakari Ailus
2022-01-27 14:57     ` Andy Shevchenko
2022-01-26 16:38 ` [PATCH v3 1/3] string: Make stpcpy() possible to use Nathan Chancellor
2022-01-26 18:04   ` Andy Shevchenko
2022-01-26 17:49 ` Nick Desaulniers
2022-01-26 18:07   ` Andy Shevchenko
2022-01-26 18:12   ` Andy Shevchenko
2022-01-26 21:09     ` Kees Cook [this message]

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=202201261300.68D0EEB8@keescook \
    --to=keescook@chromium.org \
    --cc=andriy.shevchenko@linux.intel.com \
    --cc=andy@kernel.org \
    --cc=laniel_francis@privacyrequired.com \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux@rasmusvillemoes.dk \
    --cc=lkp@intel.com \
    --cc=natechancellor@gmail.com \
    --cc=ndesaulniers@google.com \
    --cc=pmladek@suse.com \
    --cc=rostedt@goodmis.org \
    --cc=senozhatsky@chromium.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).