| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <6e480cac-6273-01e7-e6b9-03ade2f25280@I-love.SAKURA.ne.jp>
Date: Sat, 5 Aug 2023 21:49:23 +0900
From: Tetsuo Handa <penguin-kernel@...ove.SAKURA.ne.jp>
To: Kees Cook <keescook@...omium.org>,
Justin Stitt <justinstitt@...gle.com>
Cc: linux-security-module@...r.kernel.org,
linux-hardening@...r.kernel.org
Subject: Re: [PATCH] tomoyo: refactor deprecated strncpy
Thank you.
Applied to https://scm.osdn.net/gitroot/tomoyo/tomoyo-test1.git .
On 2023/08/04 16:40, Kees Cook wrote:
> On Thu, Aug 03, 2023 at 09:33:44PM +0000, Justin Stitt wrote:
>> `strncpy` is deprecated for use on NUL-terminated destination strings [1].
>>
>> A suitable replacement is `strscpy` [2] due to the fact that it
>> guarantees NUL-termination on its destination buffer argument which is
>> _not_ the case for `strncpy`!
>>
>> It should be noted that the destination buffer is zero-initialized and
>> had a max length of `sizeof(dest) - 1`. There is likely _not_ a bug
>> present in the current implementation. However, by switching to
>> `strscpy` we get the benefit of no longer needing the `- 1`'s from the
>> string copy invocations on top of `strscpy` being a safer interface all
>> together.
>>
>> [1]: www.kernel.org/doc/html/latest/process/deprecated.html#strncpy-on-nul-terminated-strings
>> [2]: https://manpages.debian.org/testing/linux-manual-4.8/strscpy.9.en.html
>>
>> Link: https://github.com/KSPP/linux/issues/90
>> Cc: linux-hardening@...r.kernel.org
>> Signed-off-by: Justin Stitt <justinstitt@...gle.com>
>
> Thanks! This looks correct to me.
>
> Reviewed-by: Kees Cook <keescook@...omium.org>
>
Powered by blists - more mailing lists