Date: Fri, 3 Apr 2026 09:50:08 +0100
From: David Laight
To: Kees Cook
Cc: linux-hardening@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH next 2/3] fortify: Optimise strnlen()
Message-ID: <20260403095008.6efbaf11@pumpkin>
In-Reply-To: <202603311650.A59396A@keescook>

On Tue, 31 Mar 2026 16:51:26 -0700
Kees Cook wrote:

> On Tue, Mar 31, 2026 at 11:09:14PM +0100, David Laight wrote:
> > Any uses should be replaced by __builtin_strlen().
>
> When I looked at this before, __builtin_strlen() flips to run-time strlen
> on non-constant strings, which is why I had to jump through all the
> hoops to avoid calling it in those cases.
>

Thinks further.

Can you remember anywhere where:
	len = __builtin_strlen(x);
	if (__builtin_constant_p(len))
		...
actually called strlen() for a non-constant string?
I did do some tests and it was always optimised away.

I might try getting all this code to use a renamed strlen() and then
scan the entire kernel for references to strlen() itself.
There might be a small number of valid ones, but I'd expect most would
come from the compiler.
(Or get the compiler to generate 'rep scasb' and look for that.)

I suspect it might be enough to check that both str and str[0] are
constant before calling __builtin_strlen() and then check the returned
length is constant.
All the checks might be needed for:
	str = cond ? "four" : "f\0ur";
since the compiler might realise that str[0] is always 'f' and str[4]
always 0 - but strlen differs.
However I suspect that __builtin_constant_p(array[index]) currently
requires that both the array and index are constant.
So testing array[0] is equivalent.

Given it needs all the separate paths, writing strscpy with:
	if (__builtin_constant_p(src[0])) {
		len = __builtin_strlen(src);
		if (__builtin_constant_p(len)) {
			/* code for constant length */
			return xxx;
		}
	}
	/* code for non-constant length */

One thing I did notice is that for:
	char src[32];
	char dst[32];
	void func(void)
	{
		strscpy(dst, src, 32);
	}
it seems to generate a call to strnlen() followed by a call to
strscpy_sized().
That seems wrong, since all three lengths are 32 it should be safe to
just call strscpy_sized().
And having done the strnlen() it ought to use memcpy().

But, really most of that ought to be moved into the called function.
So you want:
	int strcpy_sized(char *dst, const char *src, size_t dst_len, size_t src_len);
where the wrapper fills in src_len.

	David
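
Added example, not part of the original message or the patch series: a user-space sketch of the wrapper shape described above, with a constant-length fast path guarded by both __builtin_constant_p() checks and an out-of-line helper that receives src_len from the wrapper. The names strscpy_demo, strscpy_sized_demo and the two counters are hypothetical, and which path is taken depends on the compiler and optimisation level.

```c
#include <errno.h>
#include <stddef.h>
#include <string.h>

/* Counters so a reader can see which path the compiler picked (the
 * split depends on compiler and optimisation level). */
static unsigned int const_path_hits, runtime_path_hits;

/* Hypothetical out-of-line helper, modelled on the proposed
 * strcpy_sized(dst, src, dst_len, src_len): reads at most src_len
 * bytes of src and always NUL-terminates dst when dst_len > 0. */
static long strscpy_sized_demo(char *dst, const char *src,
			       size_t dst_len, size_t src_len)
{
	size_t len = 0;

	if (!dst_len)
		return -E2BIG;
	while (len < src_len && src[len])
		len++;
	if (len >= dst_len) {
		memcpy(dst, src, dst_len - 1);
		dst[dst_len - 1] = '\0';
		return -E2BIG;
	}
	memcpy(dst, src, len);
	dst[len] = '\0';
	return (long)len;
}

/* Wrapper shaped like the sketch in the message: __builtin_strlen()
 * is only trusted when src[0] and the returned length are constant. */
static inline __attribute__((always_inline))
long strscpy_demo(char *dst, const char *src, size_t dst_len)
{
	if (__builtin_constant_p(src[0])) {
		size_t len = __builtin_strlen(src);

		if (__builtin_constant_p(len) && len < dst_len) {
			const_path_hits++;
			memcpy(dst, src, len + 1);	/* includes the NUL */
			return (long)len;
		}
	}
	runtime_path_hits++;
	/* The wrapper fills in src_len; (size_t)-1 means "unknown". */
	return strscpy_sized_demo(dst, src, dst_len,
				  __builtin_object_size(src, 1));
}
```

Building this at -O2 and inspecting the disassembly for a call to strlen() is one way to check whether the non-constant case is optimised away on a given compiler.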