From: Kees Cook <keescook@chromium.org>
To: "Tobin C. Harding" <tobin@kernel.org>
Cc: Shuah Khan <shuah@kernel.org>, Jann Horn <jannh@google.com>,
	Andy Shevchenko <andriy.shevchenko@linux.intel.com>,
	Randy Dunlap <rdunlap@infradead.org>,
	Rasmus Villemoes <linux@rasmusvillemoes.dk>,
	Stephen Rothwell <sfr@canb.auug.org.au>,
	Andy Lutomirski <luto@amacapital.net>,
	Daniel Micay <danielmicay@gmail.com>,
	Arnd Bergmann <arnd@arndb.de>,
	Miguel Ojeda <miguel.ojeda.sandonis@gmail.com>,
	"Gustavo A. R. Silva" <gustavo@embeddedor.com>,
	Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	Alexander Shishkin <alexander.shishkin@linux.intel.com>,
	Kernel Hardening <kernel-hardening@lists.openwall.com>,
	"open list:KERNEL SELFTEST FRAMEWORK" 
	<linux-kselftest@vger.kernel.org>,
	LKML <linux-kernel@vger.kernel.org>
Subject: Re: [PATCH v3 6/7] lib/string: Add strscpy_pad() function
Date: Tue, 2 Apr 2019 14:35:02 -0700	[thread overview]
Message-ID: <CAGXu5j+4hxuOcrm5mqHuUS4TfLZRrR7+uEUOr9YKsK7sAWJJ8A@mail.gmail.com> (raw)
In-Reply-To: <20190306214226.14598-7-tobin@kernel.org>

On Wed, Mar 6, 2019 at 1:43 PM Tobin C. Harding <tobin@kernel.org> wrote:
>
> We have a function to copy strings safely and we have a function to copy
> strings and zero the tail of the destination (if source string is
> shorter than destination buffer) but we do not have a function to do
> both at once.  This means developers must write this themselves if they
> desire this functionality.  This is a chore, and also leaves us open to
> off by one errors unnecessarily.
>
> Add a function that calls strscpy() then memset()s the tail to zero if
> the source string is shorter than the destination buffer.
>
> Signed-off-by: Tobin C. Harding <tobin@kernel.org>

Lovely. :)

Acked-by: Kees Cook <keescook@chromium.org>

-Kees

> ---
>  include/linux/string.h |  4 ++++
>  lib/string.c           | 47 +++++++++++++++++++++++++++++++++++-------
>  2 files changed, 44 insertions(+), 7 deletions(-)
>
> diff --git a/include/linux/string.h b/include/linux/string.h
> index 7927b875f80c..bfe95bf5d07e 100644
> --- a/include/linux/string.h
> +++ b/include/linux/string.h
> @@ -31,6 +31,10 @@ size_t strlcpy(char *, const char *, size_t);
>  #ifndef __HAVE_ARCH_STRSCPY
>  ssize_t strscpy(char *, const char *, size_t);
>  #endif
> +
> +/* Wraps calls to strscpy()/memset(), no arch specific code required */
> +ssize_t strscpy_pad(char *dest, const char *src, size_t count);
> +
>  #ifndef __HAVE_ARCH_STRCAT
>  extern char * strcat(char *, const char *);
>  #endif
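Review bot: The new comment on the prototype describes the implementation ("Wraps calls to strscpy()/memset()") rather than the contract a caller reads the header for; since the kernel-doc lives in lib/string.c, a one-line behavioural summary would serve better here, e.g. `/* Like strscpy(), but also zeroes the unused tail of dest */`. Declaring it outside the `__HAVE_ARCH_STRSCPY` guard is correct, since there is no arch-specific variant to override it.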
> diff --git a/lib/string.c b/lib/string.c
> index 38e4ca08e757..3a3353512184 100644
> --- a/lib/string.c
> +++ b/lib/string.c
> @@ -159,11 +159,9 @@ EXPORT_SYMBOL(strlcpy);
>   * @src: Where to copy the string from
>   * @count: Size of destination buffer
>   *
> - * Copy the string, or as much of it as fits, into the dest buffer.
> - * The routine returns the number of characters copied (not including
> - * the trailing NUL) or -E2BIG if the destination buffer wasn't big enough.
> - * The behavior is undefined if the string buffers overlap.
> - * The destination buffer is always NUL terminated, unless it's zero-sized.
> + * Copy the string, or as much of it as fits, into the dest buffer.  The
> + * behavior is undefined if the string buffers overlap.  The destination
> + * buffer is always NUL terminated, unless it's zero-sized.
>   *
>   * Preferred to strlcpy() since the API doesn't require reading memory
>   * from the src string beyond the specified "count" bytes, and since
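Review bot: The reflowed description at `+ * buffer is always NUL terminated, unless it's zero-sized.` still spells NUL without the kernel-doc `%` prefix, while the new strscpy_pad() docstring below writes `%NUL`; the two descriptions are otherwise deliberately identical, so use `%NUL` here too so they render the same. Moving the return-value sentence out of the description is fine given it reappears as a `Return:` section in the following hunk.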
> @@ -173,8 +171,10 @@ EXPORT_SYMBOL(strlcpy);
>   *
>   * Preferred to strncpy() since it always returns a valid string, and
>   * doesn't unnecessarily force the tail of the destination buffer to be
> - * zeroed.  If the zeroing is desired, it's likely cleaner to use strscpy()
> - * with an overflow test, then just memset() the tail of the dest buffer.
> + * zeroed.  If zeroing is desired please use strscpy_pad().
> + *
> + * Return: The number of characters copied (not including the trailing
> + *         %NUL) or -E2BIG if the destination buffer wasn't big enough.
>   */
>  ssize_t strscpy(char *dest, const char *src, size_t count)
>  {
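Review bot: The new `Return:` section states `-E2BIG if the destination buffer wasn't big enough` but not what dest contains in that case; since the description just above promises dest is always NUL terminated, it is worth saying explicitly that on -E2BIG dest holds as much of src as fits (count - 1 characters) followed by a NUL, so callers, including strscpy_pad() below, which returns early on that path, can rely on it. The pointer to strscpy_pad() for callers who want zeroing reads well.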
> @@ -237,6 +237,39 @@ ssize_t strscpy(char *dest, const char *src, size_t count)
>  EXPORT_SYMBOL(strscpy);
>  #endif
>
> +/**
> + * strscpy_pad() - Copy a C-string into a sized buffer
> + * @dest: Where to copy the string to
> + * @src: Where to copy the string from
> + * @count: Size of destination buffer
> + *
> + * Copy the string, or as much of it as fits, into the dest buffer.  The
> + * behavior is undefined if the string buffers overlap.  The destination
> + * buffer is always %NUL terminated, unless it's zero-sized.
> + *
> + * If the source string is shorter than the destination buffer, zeros
> + * the tail of the destination buffer.
> + *
> + * For full explanation of why you may want to consider using the
> + * 'strscpy' functions please see the function docstring for strscpy().
> + *
> + * Return: The number of characters copied (not including the trailing
> + *         %NUL) or -E2BIG if the destination buffer wasn't big enough.
> + */
> +ssize_t strscpy_pad(char *dest, const char *src, size_t count)
> +{
> +       ssize_t written;
> +
> +       written = strscpy(dest, src, count);
> +       if (written < 0 || written == count - 1)
> +               return written;
> +
> +       memset(dest + written + 1, 0, count - written - 1);
> +
> +       return written;
> +}
> +EXPORT_SYMBOL(strscpy_pad);
> +
>  #ifndef __HAVE_ARCH_STRCAT
>  /**
>   * strcat - Append one %NUL-terminated string to another
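Review bot: In `if (written < 0 || written == count - 1)` the comparison mixes the ssize_t `written` with the size_t `count - 1`, so `written` is converted to unsigned; that is safe only because the `written < 0` test runs first (strscpy() reports -E2BIG for a zero-sized buffer, so `count - 1` cannot wrap on the second test), and a cast, `(size_t)written == count - 1`, or a one-line comment would make that reasoning explicit and keep sign-compare warnings quiet. The early return is itself optional, since `count - written - 1` is zero in the exact-fit case and memset() of length 0 is a no-op, but skipping the call is harmless. The kernel-doc could also define "the tail" precisely: the bytes after the terminating %NUL up to @count.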
> --
> 2.20.1
>


-- 
Kees Cook
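As an added illustration of what the patch buys (not code from the kernel or from this series), here is a userspace model of the two contracts discussed in the thread: `model_strscpy` and `model_strscpy_pad` are assumed re-implementations of the documented behaviour, and `stale_after_copy` prefills a buffer with constructed 0xAA bytes to count how much stale tail content each routine leaves behind.

```c
#include <errno.h>
#include <stddef.h>
#include <string.h>
#include <sys/types.h>

/* Userspace model of the strscpy() contract the patch documents: read at
 * most count bytes of src, copy what fits, always NUL terminate (unless
 * count is 0), return the length copied or -E2BIG on truncation.  This
 * models observable behaviour only, not the kernel's implementation. */
static ssize_t model_strscpy(char *dest, const char *src, size_t count)
{
	size_t i;

	for (i = 0; i < count; i++) {
		dest[i] = src[i];
		if (src[i] == '\0')
			return (ssize_t)i;
	}
	if (count)
		dest[count - 1] = '\0'; /* terminate the truncated copy */
	return -E2BIG;
}

/* Same logic as the patch's strscpy_pad(): after a copy that left room,
 * zero everything after the terminating NUL. */
static ssize_t model_strscpy_pad(char *dest, const char *src, size_t count)
{
	ssize_t written = model_strscpy(dest, src, count);

	/* Truncated (or count == 0), or exactly filled: nothing to pad. */
	if (written < 0 || (size_t)written == count - 1)
		return written;
	memset(dest + written + 1, 0, count - written - 1);
	return written;
}

/* Count bytes after the NUL at buf[len] that are still non-zero: stale
 * data that would leak if the whole buffer were later copied to user
 * space or onto the wire. */
static size_t stale_tail_bytes(const char *buf, size_t len, size_t size)
{
	size_t n = 0, i;

	for (i = len + 1; i < size; i++)
		if (buf[i] != '\0')
			n++;
	return n;
}

/* Fill buf with 0xAA (constructed "stale" content), copy src with one of
 * the two routines and return how many stale bytes survive, or the
 * copy's negative error code. */
static ssize_t stale_after_copy(int pad, const char *src, char *buf, size_t size)
{
	ssize_t n;

	memset(buf, 0xAA, size);
	n = pad ? model_strscpy_pad(buf, src, size) : model_strscpy(buf, src, size);
	return n < 0 ? n : (ssize_t)stale_tail_bytes(buf, (size_t)n, size);
}
```

With a 16-byte buffer and the source "abc", `stale_after_copy(0, ...)` reports 12 surviving stale bytes and `stale_after_copy(1, ...)` reports 0; an exact-fit 15-character source leaves no tail for either routine, and a 19-character source returns -E2BIG with a NUL-terminated truncated copy.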

