| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 7 Oct 2015 09:18:21 +0200 From: Ingo Molnar <mingo@...nel.org> To: Rasmus Villemoes <linux@...musvillemoes.dk> Cc: Linus Torvalds <torvalds@...ux-foundation.org>, Chris Metcalf <cmetcalf@...hip.com>, open list <linux-kernel@...r.kernel.org>, Peter Zijlstra <a.p.zijlstra@...llo.nl>, Thomas Gleixner <tglx@...utronix.de>, "H. Peter Anvin" <hpa@...or.com>, Borislav Petkov <bp@...en8.de> Subject: Re: [PATCH] string: Improve the generic strlcpy() implementation * Rasmus Villemoes <linux@...musvillemoes.dk> wrote: > On Tue, Oct 06 2015, Ingo Molnar <mingo@...nel.org> wrote: > > > * Rasmus Villemoes <linux@...musvillemoes.dk> wrote: > > > >> > >> I'm not against making strlcpy more robust, but I think the theoretical race is > >> far more likely to manifest through a member of the printf family. > > > > So the printf family is generally less frequently used in ABI output than string > > copies, > > Huh? snprintf and friends are often used just to copy or concatenate > strings (essentially, any format string containing no specifiers other > than %s does exactly that) - even if a str*() function could do the same > thing. I see no reason to believe this wouldn't also be done in cases > where the final string ends up being presented to userspace. But 'format string' usually means 'human output', and most of our ABI pertains to system calls where we rarely form human output, we typically generate programmatically actionable data structures. We have procfs and sysfs as well, where format strings are indeed dominant, but are you sure this race exists in snprintf() in that form? I.e. can the return value of snprintf() be different from the true length of the output string, if the source string is modified in parallel? > > So I'd improve it all in the following order: > > > > - fix the strscpy() uninitialized use > > > > - base strlcpy() on strscpy() via the patch I sent. This makes all users faster > > and eliminates the theoretical race. > > I'm not so sure about that part. I'd strongly suspect that the vast > majority of strings handled by strlcpy (and in the future strscpy) are > shorter than 32 bytes, so is all the word_at_a_time and pre/post > alignment yoga really worth it? That's a good question, I'll measure it. Thanks, Ingo -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists