lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <202305161331.6BA62FD@keescook>
Date:   Tue, 16 May 2023 13:37:16 -0700
From:   Kees Cook <keescook@...omium.org>
To:     Christian Brauner <brauner@...nel.org>
Cc:     Azeem Shaikh <azeemshaikh38@...il.com>,
        linux-hardening@...r.kernel.org, linux-fsdevel@...r.kernel.org,
        linux-kernel@...r.kernel.org,
        Alexander Viro <viro@...iv.linux.org.uk>
Subject: Re: [PATCH] vfs: Replace all non-returning strlcpy with strscpy

On Mon, May 15, 2023 at 09:50:25AM +0200, Christian Brauner wrote:
> On Wed, 10 May 2023 22:11:19 +0000, Azeem Shaikh wrote:
> > strlcpy() reads the entire source buffer first.
> > This read may exceed the destination size limit.
> > This is both inefficient and can lead to linear read
> > overflows if a source string is not NUL-terminated [1].
> > In an effort to remove strlcpy() completely [2], replace
> > strlcpy() here with strscpy().
> > No return values were used, so direct replacement is safe.
> > 
> > [...]
> 
> I sincerely hope we'll be done with swapping out various string
> functions for one another at some point. Such patches always seems
> benign and straightforward but the potential for subtle bugs is
> feels rather high...

Agreed. The long-term goal is to remove "strlcpy"[1] and "strncpy"[2]
completely from the kernel, leaving only "strscpy". From there, I hope
to do a treewide change to scrub the kernel of the pattern:
	strscpy(fixed-sized-dest, fixed-sized-source, sizeof(fixed-size-dest))
and replace it with a much stricter "strcpy" that refuses to work on
dynamically sized arguments. This will get us away from the pointless
exercise of duplicating sizeof() arguments when the compiler can very
happily do it itself.

But doing the return value transitions (and padding checks) for strlcpy
and strncpy need to happen first. It's a long road.

> Applied to the vfs.misc branch of the vfs/vfs.git tree.
> Patches in the vfs.misc branch should appear in linux-next soon.

Thanks!

-Kees

[1] https://github.com/KSPP/linux/issues/89
[2] https://github.com/KSPP/linux/issues/90

-- 
Kees Cook

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ