lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-Id: <20260112122236.22214-1-fushuai.wang@linux.dev>
Date: Mon, 12 Jan 2026 20:22:36 +0800
From: Fushuai Wang <fushuai.wang@...ux.dev>
To: aliceryhl@...gle.com
Cc: akpm@...ux-foundation.org,
	bp@...en8.de,
	brauner@...nel.org,
	cyphar@...har.com,
	dave.hansen@...ux.intel.com,
	fushuai.wang@...ux.dev,
	hpa@...or.com,
	jack@...e.cz,
	kees@...nel.org,
	linux-kernel@...r.kernel.org,
	linux-trace-kernel@...r.kernel.org,
	luto@...nel.org,
	mathieu.desnoyers@...icios.com,
	mhiramat@...nel.org,
	mingo@...hat.com,
	peterz@...radead.org,
	rostedt@...dmis.org,
	tglx@...nel.org,
	vmalik@...hat.com,
	wangfushuai@...du.com,
	x86@...nel.org,
	yury.norov@...il.com
Subject: Re: [PATCH v2 1/6] uaccess: Add copy_from_user_nul helper

> strncpy_from_user() succeeds even if userspace data does not contain a
> nul. Then it reads length bytes.

Yes, but if there is no NUL byte in the user buf, whether you use
strncpy_from_user() or copy_from_user(), you need to manually add
a '\0' in the kernel buf to ensure it is properly NUL-terminated.
like:

	ret = strncpy_from_user(&buffer[0], arg, sizeof(buffer) - 1);
	if (ret < 0) {
		ret = -EFAULT;
		break;
	}
	buffer[sizeof(buffer) - 1] = '\0';

So I do not think copy_from_user() + '\0' can be instead of strncpy_from_user().
I think strncpy_from_user() can only be used without manually appending '\0'
if someone are certain that the user buf contains a NUL byte.

---
Regards,
WANG

> As far as I can tell, when a nul byte is present, none of these kernel
> use-cases use data after the nul byte. So the behavior is identical
> except that copy_from_user_nul() may result in EFAULT if there are
> unmapped bytes between the first nul byte in `src` and `src+len`.
> 
> Alice

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ