| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <CAMuHMdX=2FnC1OzxcQp4RMG=Bk3aiQ4OprYjLde3qUP6XH7yog@mail.gmail.com>
Date: Fri, 7 Mar 2025 10:28:13 +0100
From: Geert Uytterhoeven <geert@...ux-m68k.org>
To: Finn Thain <fthain@...ux-m68k.org>
Cc: Thorsten Blum <thorsten.blum@...ux.dev>,
Jean-Michel Hautbois <jeanmichel.hautbois@...eli.org>, linux-m68k@...ts.linux-m68k.org,
linux-kernel@...r.kernel.org, Kees Cook <kees@...nel.org>
Subject: Re: [PATCH] m68k: mm: Remove size argument when calling strscpy()
Hi Finn,
On Fri, 7 Mar 2025 at 09:58, Finn Thain <fthain@...ux-m68k.org> wrote:
> On Fri, 7 Mar 2025, Geert Uytterhoeven wrote:
> > On Fri, 7 Mar 2025 at 00:24, Finn Thain <fthain@...ux-m68k.org> wrote:
> > > On Thu, 6 Mar 2025, Geert Uytterhoeven wrote:
> > > > On Mon, 3 Mar 2025 at 00:07, Thorsten Blum <thorsten.blum@...ux.dev> wrote:
> > > > > The size parameter of strscpy() is optional and specifying the
> > > > > size of the destination buffer is unnecessary. Remove it to
> > > > > simplify the code.
> > > > >
> > > > > Signed-off-by: Thorsten Blum <thorsten.blum@...ux.dev>
> > > >
> > > > Reviewed-by: Geert Uytterhoeven <geert@...ux-m68k.org> i.e. will
> > > > queue in the m68k tree for v6.15.
> > >
> > > The commit message says "simplify the code" which is only true if you
> > > never scratch the surface (i.e. it's simple code if the reader is
> > > simple too...)
> >
> > The code is simpler in the sense that the API is simpler to use, and
> > harder to abuse (i.e. to get it wrong).
> >
> > > Commit 30035e45753b ("string: provide strscpy()") was a good idea. It
> > > was easily auditable. But that's not what we have now.
> > >
> > > Patches like this one (which appear across the whole tree) need
> > > reviewers (lots of them) that know what kind of a bounds check you end
> > > up with when you ask an arbitary compiler to evaluate this:
> > >
> > > sizeof(dst) + __must_be_array(dst) + __must_be_cstr(dst) +
> > > __must_be_cstr(src)
> > >
> > > Frankly, I can't be sure. But it's a serious question, and not what
> > > I'd call a "simple" one.
> >
> > All the __must_be_*() macros evaluate to zero when true, and cause a
> > build failure when false.
>
> It seems to me that the code review problem could be solved either by not
> churning the whole tree, or if we must have the churn, by short-circuiting
> the recursive search by reviewers for macro definitions.
>
> Can we do something like this?
>
> sizeof(dst) * !!__must_be_array(dst) * !!__must_be_cstr(dst) * !!__must_be_cstr(src)
x * !!0 = 0
So either the above should be changed to
sizeof(dst) * !__must_be_array(dst) * !__must_be_cstr(dst) *
!__must_be_cstr(src)
or all __must_be_*() macros should be changed to invert their return values...
> At first glance multiplication appears to be safe (unlike all the addition
> terms that we have) because the limit of the string copy is either
> unchanged or zeroed.
>
> Yes, I know you said "zero when true". That looks like another design flaw
> to me. But maybe I'm missing something that's more important than
> readability and ease of review.
We had
#define ARRAY_SIZE(arr) (sizeof(arr) / sizeof((arr)[0]) +
__must_be_array(arr))
for ages...
Gr{oetje,eeting}s,
Geert
--
Geert Uytterhoeven -- There's lots of Linux beyond ia32 -- geert@...ux-m68k.org
In personal conversations with technical people, I call myself a hacker. But
when I'm talking to journalists I just say "programmer" or something like that.
-- Linus Torvalds
Powered by blists - more mailing lists