From: Kees Cook <kees@kernel.org>
To: David Laight <david.laight.linux@gmail.com>
Cc: Paolo Abeni <pabeni@redhat.com>,
linux-hardening@vger.kernel.org, linux-kernel@vger.kernel.org,
netdev@vger.kernel.org, Arnd Bergmann <arnd@kernel.org>,
"David S. Miller" <davem@davemloft.net>,
Eric Dumazet <edumazet@google.com>,
Jakub Kicinski <kuba@kernel.org>, Jiri Pirko <jiri@resnulli.us>
Subject: Re: [PATCH net-next] net/devlink: Use strscpy() to copy strings into arrays
Date: Wed, 10 Jun 2026 14:14:24 -0700 [thread overview]
Message-ID: <202606101412.D1AD83829A@keescook> (raw)
In-Reply-To: <20260609161338.2222ff26@pumpkin>
On Tue, Jun 09, 2026 at 04:13:38PM +0100, David Laight wrote:
> My aim is to get to the point where the calling strcpy() is invalid
> unless it is used to copy a string literal into an array.
> If/when all the .c files are changed the .h file change can be committed
> to stop any new potential unbounded copies being added.
Here's what I did a while ago in a test tree of mine, but for strlcat:
---
From d09759b1e51dbf784b503c9b9f5136b81b58560c Mon Sep 17 00:00:00 2001
From: Kees Cook <keescook@chromium.org>
Date: Fri, 5 Apr 2024 11:08:41 -0700
Subject: [PATCH] fortify: Refuse to use strcat() on dynamically sized strings
Limit the use of strcat() to things we can determine at compile time to
be safe.
Signed-off-by: Kees Cook <keescook@chromium.org>
---
include/linux/fortify-string.h | 6 ++++++
lib/string_helpers.c | 2 ++
2 files changed, 8 insertions(+)
diff --git a/include/linux/fortify-string.h b/include/linux/fortify-string.h
index 171982e53c9a..8797c06b46e1 100644
--- a/include/linux/fortify-string.h
+++ b/include/linux/fortify-string.h
@@ -57,6 +57,7 @@ void __read_overflow2(void) __compiletime_error("detected read beyond size of ob
void __read_overflow2_field(size_t avail, size_t wanted) __compiletime_warning("detected read beyond size of field (2nd parameter); maybe use struct_group()?");
void __write_overflow(void) __compiletime_error("detected write beyond size of object (1st parameter)");
void __write_overflow_field(size_t avail, size_t wanted) __compiletime_warning("detected write beyond size of field (1st parameter); maybe use struct_group()?");
+void __fortify_refuse_strcat(void) __compiletime_warning("Do not use strcat() on dynamically sized destination or source strings");
#define __compiletime_strlen(p) \
({ \
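Review bot: the new declaration uses `__compiletime_warning`, but the patch subject and the message text ("Do not use strcat() ...") read as a hard refusal; with a warning the call still compiles and runs as before. Either switch the attribute to `__compiletime_error`, matching the neighbouring `__write_overflow()` declaration above it, or reword the subject to "Warn on strcat() with dynamically sized strings" so the commit describes what it enforces.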
@@ -411,8 +412,13 @@ __FORTIFY_INLINE __diagnose_as(__builtin_strcat, 1, 2)
char *strcat(char * const POS p, const char *q)
{
const size_t p_size = __member_size(p);
+ const size_t q_size = __member_size(q);
const size_t wanted = strlcat(p, q, p_size);
+ if (!__builtin_constant_p(p_size) || !__builtin_constant_p(q_size) ||
+ p_size == SIZE_MAX || q_size == SIZE_MAX)
+ __fortify_refuse_strcat();
+
if (p_size <= wanted)
fortify_panic(FORTIFY_FUNC_strcat, FORTIFY_WRITE, p_size, wanted + 1, p);
return p;
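Review bot: the refusal check is placed after `const size_t wanted = strlcat(p, q, p_size);`, so the reader meets the copy before the condition that decides whether this call site is acceptable at all; moving the `if (!__builtin_constant_p(p_size) || ...)` block up to directly after the two `__member_size()` lines reads better and keeps the compile-time policy separate from the runtime overflow check that follows. A one-line comment on the `p_size == SIZE_MAX || q_size == SIZE_MAX` clause would also help, since SIZE_MAX here is the "object size unknown to the compiler" sentinel rather than a real size, and `q_size` is otherwise unused in the function.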
diff --git a/lib/string_helpers.c b/lib/string_helpers.c
index 169eaf583494..27b9d97c60c5 100644
--- a/lib/string_helpers.c
+++ b/lib/string_helpers.c
@@ -1019,6 +1019,8 @@ void __read_overflow2_field(size_t avail, size_t wanted) { }
EXPORT_SYMBOL(__read_overflow2_field);
void __write_overflow_field(size_t avail, size_t wanted) { }
EXPORT_SYMBOL(__write_overflow_field);
+void __fortify_refuse_strcat(void) { }
+EXPORT_SYMBOL(__fortify_refuse_strcat);
static const char * const fortify_func_name[] = {
#define MAKE_FORTIFY_FUNC_NAME(func) [MAKE_FORTIFY_FUNC(func)] = #func
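Review bot: the empty `__fortify_refuse_strcat()` stub and its `EXPORT_SYMBOL` follow the pattern of the `__compiletime_warning` helpers above it (`__read_overflow2_field`, `__write_overflow_field`), which need a runtime definition because a warned call is still emitted. If the declaration in fortify-string.h is changed to `__compiletime_error` to match the "Refuse" wording, this stub should be dropped in the same patch, since the error variants have no runtime definition here.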
--
2.34.1
--
Kees Cook