Re: [PATCH v3] tools/libs/stat: fix broken build

From: "Jürgen Groß" <jgross@suse.com>
To: Jan Beulich <jbeulich@suse.com>
Cc: Bertrand Marquis <Bertrand.Marquis@arm.com>,
	"open list:X86" <xen-devel@lists.xenproject.org>,
	Ian Jackson <iwj@xenproject.org>, Wei Liu <wl@xen.org>
Subject: Re: [PATCH v3] tools/libs/stat: fix broken build
Date: Fri, 2 Oct 2020 09:25:26 +0200	[thread overview]
Message-ID: <558774ab-92cb-90ae-3936-4f9cc9d56fd0@suse.com> (raw)
In-Reply-To: <90a39759-63c1-28b9-f112-d8b3cc083565@suse.com>

On 02.10.20 08:59, Jan Beulich wrote:
> On 02.10.2020 08:51, Jürgen Groß wrote:
>> On 02.10.20 08:20, Jan Beulich wrote:
>>> On 02.10.2020 06:50, Jürgen Groß wrote:
>>>> On 01.10.20 18:38, Bertrand Marquis wrote:
>>>>> Hi Juergen,
>>>>>
>>>>>> On 14 Sep 2020, at 11:58, Bertrand Marquis <bertrand.marquis@arm.com> wrote:
>>>>>>
>>>>>>
>>>>>>
>>>>>>> On 12 Sep 2020, at 14:08, Juergen Gross <jgross@suse.com> wrote:
>>>>>>>
>>>>>>> Making getBridge() static triggered a build error with some gcc versions:
>>>>>>>
>>>>>>> error: 'strncpy' output may be truncated copying 15 bytes from a string of
>>>>>>> length 255 [-Werror=stringop-truncation]
>>>>>>>
>>>>>>> Fix that by using a buffer with 256 bytes instead.
>>>>>>>
>>>>>>> Fixes: 6d0ec053907794 ("tools: split libxenstat into new tools/libs/stat directory")
>>>>>>> Signed-off-by: Juergen Gross <jgross@suse.com>
>>>>>> Reviewed-by: Bertrand Marquis <bertrand.marquis@arm.com>
>>>>>
>>>>> Sorry i have to come back on this one.
>>>>>
>>>>> I still see an error compiling with Yocto on this one:
>>>>> |     inlined from 'xenstat_collect_networks' at xenstat_linux.c:306:2:
>>>>> | xenstat_linux.c:81:6: error: 'strncpy' output may be truncated copying 255 bytes from a string of length 255 [-Werror=stringop-truncation]
>>>>> |    81 |      strncpy(result, de->d_name, resultLen);
>>>>> |       |      ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>>>>>
>>>>> To solve it, I need to define devBridge[257] as devNoBrideg.
>>>>
>>>> IMHO this is a real compiler error.
>>>>
>>>> de->d_name is an array of 256 bytes, so doing strncpy() from that to
>>>> another array of 256 bytes with a length of 256 won't truncate anything.
>>>
>>> That's a matter of how you look at it, I think: If the original array
>>> doesn't hold a nul-terminated string, the destination array won't
>>> either, yet the common goal of strncpy() is to yield a properly nul-
>>> terminated string. IOW the warning may be since the standard even has
>>> a specific foot note to point out this possible pitfall.
>>
>> If the source doesn't hold a nul-terminated string there will still be
>> 256 bytes copied, so there is no truncation done during strncpy().
>>
>> In fact there is no way to use strncpy() in a safe way on a fixed sized
>> source array with the above semantics: either the target is larger than
>> the source and length is at least sizeof(source) + 1, resulting in a
>> possible read beyond the end of source, or the target is the same length
>> leading to the error.
> 
> I agree with all of what you say, but I can also see why said foot note
> alone may have motivated the emission of the warning.

The motivation can be explained, yes, but it is wrong. strncpy() is not
limited to source arrays of unknown length. So this warning is making
strncpy() unusable for fixed sized source strings and -Werror. And that
is nothing a compiler should be allowed to do, hence a compiler bug.

Juergen