| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 1 Sep 2022 11:35:17 -0700
From: Kees Cook <keescook@...omium.org>
To: Geert Uytterhoeven <geert@...ux-m68k.org>
Cc: Wolfram Sang <wsa+renesas@...g-engineering.com>,
Nick Desaulniers <ndesaulniers@...gle.com>,
Guenter Roeck <linux@...ck-us.net>,
Paolo Abeni <pabeni@...hat.com>,
Linux Kernel Mailing List <linux-kernel@...r.kernel.org>,
linux-hardening@...r.kernel.org,
Linus Torvalds <torvalds@...ux-foundation.org>
Subject: Re: [PATCH] string: Introduce strtomem() and strtomem_pad()
On Thu, Sep 01, 2022 at 10:39:19AM +0200, Geert Uytterhoeven wrote:
> [...]
> > When the "__nonstring" attributes are missing, the intent of the
> > programmer becomes ambiguous for whether the lack of a trailing NUL
> > in the p.small copy is a bug. Additionally, it's not clear whether
> > the trailing padding in the p.big copy is _needed_. Both cases
> > become unambiguous with:
> >
> > strtomem(p.small, "hello");
> > strtomem_pad(p.big, "hello");
>
> strtomem_pad(p.big, "hello", 0);
Oops, thanks. I will adjust the example. And actually, instead of these
notes just living in commit logs, I realize I can update the kerndoc
for strncpy with a "here's now to pick a replacement" table...
> > See also https://github.com/KSPP/linux/issues/90
> >
> > Expand the memcpy KUnit tests to include these functions.
> >
> > Cc: Wolfram Sang <wsa+renesas@...g-engineering.com>
> > Cc: Nick Desaulniers <ndesaulniers@...gle.com>
> > Cc: Geert Uytterhoeven <geert@...ux-m68k.org>
> > Cc: Guenter Roeck <linux@...ck-us.net>
> > Signed-off-by: Kees Cook <keescook@...omium.org>
>
> The idea looks good to me, but I guess Linus has something to
> say, too.
>
> > --- a/include/linux/string.h
> > +++ b/include/linux/string.h
> > @@ -260,6 +260,49 @@ static inline const char *kbasename(const char *path)
> > void memcpy_and_pad(void *dest, size_t dest_len, const void *src, size_t count,
> > int pad);
> >
> > +/**
> > + * strtomem_pad - Copy NUL-terminated string to non-NUL-terminated buffer
> > + *
> > + * @dest: Pointer of destination character array (marked as __nonstring)
> > + * @src: Pointer to NUL-terminated string
> > + * @pad: Padding character to fill any remaining bytes of @dest after copy
> > + *
> > + * This is a replacement for strncpy() uses where the destination is not
> > + * a NUL-terminated string, but with bounds checking on the source size, and
> > + * an explicit padding character. If padding is not required, use strtomem().
> > + *
> > + * Note that the size of @dest is not an argument, as the length of @dest
> > + * must be discoverable by the compiler.
> > + */
> > +#define strtomem_pad(dest, src, pad) do { \
> > + const size_t _dest_len = __builtin_object_size(dest, 1); \
> > + \
> > + BUILD_BUG_ON(!__builtin_constant_p(_dest_len) || \
> > + _dest_len == (size_t)-1); \
>
> I think you want to include __must_be_array(dest) here.
I didn't do that for the cases where we may be writing to non-array
destinations (e.g. see the cast from u64 in the strncpy use in
tools/perf/arch/x86/util/intel-pt.c). Since what we need to know is the
object size, it does not strictly need to be an array.
> > [...]
> > + memset(&wrap, 0xFF, sizeof(wrap));
> > + KUNIT_EXPECT_EQ_MSG(test, wrap.canary1, -1UL,
>
> -1L or ULONG_MAX (everywhere)
Yeah, ULONG_MAX looks best. Thanks!
>
> > + "bad initial canary value");
> > + KUNIT_EXPECT_EQ_MSG(test, wrap.canary2, -1UL,
> > + "bad initial canary value");
> > +
> > + /* Check unpadded copy leaves surroundings untouched. */
> > + strtomem(wrap.output, input);
> > + KUNIT_EXPECT_EQ(test, wrap.canary1, -1UL);
> > + KUNIT_EXPECT_EQ(test, wrap.output[0], input[0]);
> > + KUNIT_EXPECT_EQ(test, wrap.output[1], input[1]);
> > + for (int i = 2; i < sizeof(wrap.output); i++)
>
> unsigned int i (everywhere)
I guess, but why? This could even be u8.
Thanks for the review!
--
Kees Cook
Powered by blists - more mailing lists