[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <202209021352.549A5D5@keescook>
Date: Fri, 2 Sep 2022 13:56:41 -0700
From: Kees Cook <keescook@...omium.org>
To: Bagas Sanjaya <bagasdotme@...il.com>
Cc: Geert Uytterhoeven <geert@...ux-m68k.org>,
Wolfram Sang <wsa+renesas@...g-engineering.com>,
Nick Desaulniers <ndesaulniers@...gle.com>,
Guenter Roeck <linux@...ck-us.net>,
Linus Torvalds <torvalds@...ux-foundation.org>,
Jonathan Corbet <corbet@....net>,
Len Baker <len.baker@....com>,
"Gustavo A. R. Silva" <gustavoars@...nel.org>,
Francis Laniel <laniel_francis@...vacyrequired.com>,
Paolo Abeni <pabeni@...hat.com>, linux-kernel@...r.kernel.org,
linux-doc@...r.kernel.org, linux-hardening@...r.kernel.org
Subject: Re: [PATCH v2] string: Introduce strtomem() and strtomem_pad()
On Fri, Sep 02, 2022 at 08:53:34AM +0700, Bagas Sanjaya wrote:
> On 9/2/22 02:09, Kees Cook wrote:
> > One of the "legitimate" uses of strncpy() is copying a NUL-terminated
> > string into a fixed-size non-NUL-terminated character array. To avoid
> > the weaknesses and ambiguity of intent when using strncpy(), provide
> > replacement functions that explicitly distinguish between trailing
> > padding and not, and require the destination buffer size be discoverable
> > by the compiler.
> >> For example:
> >
> > struct obj {
> > int foo;
> > char small[4] __nonstring;
> > char big[8] __nonstring;
> > int bar;
> > };
> >
> > struct obj p;
> >
> > /* This will truncate to 4 chars with no trailing NUL */
> > strncpy(p.small, "hello", sizeof(p.small));
> > /* p.small contains 'h', 'e', 'l', 'l' */
> >
> > /* This will NUL pad to 8 chars. */
> > strncpy(p.big, "hello", sizeof(p.big));
> > /* p.big contains 'h', 'e', 'l', 'l', 'o', '\0', '\0', '\0' */
> >
> > When the "__nonstring" attributes are missing, the intent of the
> > programmer becomes ambiguous for whether the lack of a trailing NUL
> > in the p.small copy is a bug. Additionally, it's not clear whether
> > the trailing padding in the p.big copy is _needed_. Both cases
> > become unambiguous with:
> >
> > strtomem(p.small, "hello");
> > strtomem_pad(p.big, "hello", 0);
> >
> > See also https://github.com/KSPP/linux/issues/90
> >
>
> Should'nt strscpy() do the job?
strscpy() will always NUL-terminate. If someone is moving a
NUL-terminated string to a fixed-length buffer (that is _not_
NUL-terminated), using strscpy() will force the final byte to be 0x00,
which will likely be a regression. For example:
struct wifi_driver {
...
char essid[8];
...
};
struct wifi_driver fw;
char *essed = "12345678";
strncpy(fw.essid, essid, sizeof(fw.essid));
fw.essid will contain: 1 2 3 4 5 6 7 8
strscpy(fw.essid, essid, sizeof(fw.essid)):
fw.essid will contain: 1 2 3 4 5 6 7 '\0'
--
Kees Cook
Powered by blists - more mailing lists