From: Kees Cook <keescook@chromium.org>
To: "Russell King (Oracle)" <linux@armlinux.org.uk>
Cc: Azeem Shaikh <azeemshaikh38@gmail.com>,
linux-hardening@vger.kernel.org, linux-kernel@vger.kernel.org,
David Airlie <airlied@gmail.com>, Daniel Vetter <daniel@ffwll.ch>,
dri-devel@lists.freedesktop.org
Subject: Re: [PATCH] drm/i2c: tda998x: Replace all non-returning strlcpy with strscpy
Date: Mon, 22 May 2023 10:22:21 -0700 [thread overview]
Message-ID: <202305221014.70326C3@keescook> (raw)
In-Reply-To: <ZGuSeZcLfXNyCqtv@shell.armlinux.org.uk>
On Mon, May 22, 2023 at 05:04:09PM +0100, Russell King (Oracle) wrote:
> On Mon, May 22, 2023 at 03:53:50PM +0000, Azeem Shaikh wrote:
> > strlcpy() reads the entire source buffer first.
> > This read may exceed the destination size limit.
> > This is both inefficient and can lead to linear read
> > overflows if a source string is not NUL-terminated [1].
> > In an effort to remove strlcpy() completely [2], replace
> > strlcpy() here with strscpy().
> > No return values were used, so direct replacement is safe.
> ...
> > memset(&cec_info, 0, sizeof(cec_info));
> > - strlcpy(cec_info.type, "tda9950", sizeof(cec_info.type));
> > + strscpy(cec_info.type, "tda9950", sizeof(cec_info.type));
>
> Please explain how:
>
> 1) a C string can not be NUL terminated.
> 2) this source string could be longer than I2C_NAME_SIZE (20 bytes)
> which is unlikely to ever shrink.
Yes, in this case, obviously none of those can happen.
> I'm not saying I disagree with the patch, but the boilerplate commit
> message isn't correct for this change, and is actually misleading
> for what the patch actually is.
One of the common code patterns in the kernel is copying fixed sized
strings (like here), but Linus refused (probably correctly) to allow an
API for that, since we already had "too many" string functions.
The long-term goal here is to replace all use of strlcpy(),
strncpy(), and strcpy() and replace them with strscpy(). The strscpy()
wrapper is already optimized to short-cut for fixed-size dest/src:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/include/linux/fortify-string.h?h=v6.3#n337
Perhaps this goal needs to be stated in the commit log to be more clear
about cases like this?
-Kees
--
Kees Cook
next prev parent reply other threads:[~2023-05-22 17:22 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-05-22 15:53 [PATCH] drm/i2c: tda998x: Replace all non-returning strlcpy with strscpy Azeem Shaikh
2023-05-22 16:04 ` Russell King (Oracle)
2023-05-22 17:22 ` Kees Cook [this message]
2023-05-22 20:16 ` Kees Cook
2023-05-30 23:06 ` Kees Cook
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=202305221014.70326C3@keescook \
--to=keescook@chromium.org \
--cc=airlied@gmail.com \
--cc=azeemshaikh38@gmail.com \
--cc=daniel@ffwll.ch \
--cc=dri-devel@lists.freedesktop.org \
--cc=linux-hardening@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux@armlinux.org.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox