lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-Id: <08A0C3AE-A255-467F-A007-5584E8E44517@linux.dev>
Date: Thu, 20 Feb 2025 08:04:18 +0100
From: Thorsten Blum <thorsten.blum@...ux.dev>
To: Kees Cook <kees@...nel.org>
Cc: Allison Henderson <allison.henderson@...cle.com>,
 "David S. Miller" <davem@...emloft.net>,
 Eric Dumazet <edumazet@...gle.com>,
 Jakub Kicinski <kuba@...nel.org>,
 Paolo Abeni <pabeni@...hat.com>,
 Simon Horman <horms@...nel.org>,
 linux-hardening@...r.kernel.org,
 netdev@...r.kernel.org,
 linux-rdma@...r.kernel.org,
 rds-devel@....oracle.com,
 linux-kernel@...r.kernel.org
Subject: Re: [PATCH net-next] net/rds: Replace deprecated strncpy() with
 strscpy_pad()

On 20. Feb 2025, at 03:57, Kees Cook wrote:
> On Wed, Feb 19, 2025 at 11:47:31PM +0100, Thorsten Blum wrote:
>> strncpy() is deprecated for NUL-terminated destination buffers. Use
>> strscpy_pad() instead and remove the manual NUL-termination.
> 
> When doing these conversions, please describe two aspects of
> conversions:
> 
> - Why is it safe to be NUL terminated
> - Why is it safe to be/not-be NUL-padded
> 
> In this case, the latter needs examination. Looking at how ctr is used,
> it is memcpy()ed later, which means this string MUST be NUL padded or it
> will leak stack memory contents.
> 
> So, please use strscpy_pad() here. :)

I am using strscpy_pad() here already because of the NUL-padding.

Did you just miss that?

Thanks,
Thorsten

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ