From: "Dávid Bolvanský" <david.bolvansky@gmail.com>
To: Kees Cook <keescook@chromium.org>
Cc: Nick Desaulniers <ndesaulniers@google.com>,
Andrew Morton <akpm@linux-foundation.org>,
Eli Friedman <efriedma@quicinc.com>,
stable@vger.kernel.org, Arvind Sankar <nivedita@alum.mit.edu>,
Joe Perches <joe@perches.com>,
Sami Tolvanen <samitolvanen@google.com>,
Vishal Verma <vishal.l.verma@intel.com>,
Dan Williams <dan.j.williams@intel.com>,
Andy Shevchenko <andriy.shevchenko@linux.intel.com>,
"Joel Fernandes (Google)" <joel@joelfernandes.org>,
Daniel Axtens <dja@axtens.net>, Ingo Molnar <mingo@kernel.org>,
Yury Norov <yury.norov@gmail.com>,
Alexandru Ardelean <alexandru.ardelean@analog.com>,
linux-kernel@vger.kernel.org, clang-built-linux@googlegroups.com
Subject: Re: [PATCH v2] lib/string.c: implement stpcpy
Date: Sat, 15 Aug 2020 19:38:52 +0200 [thread overview]
Message-ID: <672236FE-769D-48F0-AAAD-FB9630BB2FA9@gmail.com> (raw)
In-Reply-To: <202008150921.B70721A359@keescook>
Yeah, sprintf calls should be replaced with something safer.
> Dňa 15. 8. 2020 o 18:34 užívateľ Kees Cook <keescook@chromium.org> napísal:
>
> On Fri, Aug 14, 2020 at 07:09:44PM -0700, Nick Desaulniers wrote:
>> LLVM implemented a recent "libcall optimization" that lowers calls to
>> `sprintf(dest, "%s", str)` where the return value is used to
>> `stpcpy(dest, str) - dest`. This generally avoids the machinery involved
>> in parsing format strings. Calling `sprintf` with overlapping arguments
>> was clarified in ISO C99 and POSIX.1-2001 to be undefined behavior.
>>
>> `stpcpy` is just like `strcpy` except it returns the pointer to the new
>> tail of `dest`. This allows you to chain multiple calls to `stpcpy` in
>> one statement.
>
> O_O What?
>
> No; this is a _terrible_ API: there is no bounds checking, there are no
> buffer sizes. Anything using the example sprintf() pattern is _already_
> wrong and must be removed from the kernel. (Yes, I realize that the
> kernel is *filled* with this bad assumption that "I'll never write more
> than PAGE_SIZE bytes to this buffer", but that's both theoretically
> wrong ("640k is enough for anybody") and has been known to be wrong in
> practice too (e.g. when suddenly your writing routine is reachable by
> splice(2) and you may not have a PAGE_SIZE buffer).
>
> But we cannot _add_ another dangerous string API. We're already in a
> terrible mess trying to remove strcpy[1], strlcpy[2], and strncpy[3]. This
> needs to be addressed up by removing the unbounded sprintf() uses. (And
> to do so without introducing bugs related to using snprintf() when
> scnprintf() is expected[4].)
>
> -Kees
>
> [1] https://github.com/KSPP/linux/issues/88
> [2] https://github.com/KSPP/linux/issues/89
> [3] https://github.com/KSPP/linux/issues/90
> [4] https://lore.kernel.org/lkml/20200810092100.GA42813@2f5448a72a42/
>
> --
> Kees Cook
next prev parent reply other threads:[~2020-08-15 22:02 UTC|newest]
Thread overview: 31+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-08-15 0:24 [PATCH] lib/string.c: implement stpcpy Nick Desaulniers
2020-08-15 0:52 ` Joe Perches
2020-08-15 2:00 ` Nick Desaulniers
2020-08-15 0:53 ` Sami Tolvanen
2020-08-15 1:33 ` Arvind Sankar
2020-08-15 1:40 ` Arvind Sankar
2020-08-15 2:09 ` [PATCH v2] " Nick Desaulniers
2020-08-15 2:58 ` Arvind Sankar
2020-08-15 3:42 ` Joe Perches
2020-08-15 16:34 ` Kees Cook
2020-08-15 17:38 ` Dávid Bolvanský [this message]
2020-08-15 20:47 ` Nick Desaulniers
2020-08-15 21:23 ` Joe Perches
2020-08-15 21:27 ` Dávid Bolvanský
2020-08-15 21:28 ` Nick Desaulniers
2020-08-15 21:31 ` Joe Perches
2020-08-15 22:17 ` Nick Desaulniers
2020-08-16 0:19 ` Fangrui Song
2020-08-16 5:22 ` Sedat Dilek
2020-08-16 15:02 ` Arvind Sankar
2020-08-17 17:14 ` Sami Tolvanen
2020-08-17 18:36 ` Nick Desaulniers
2020-08-17 19:15 ` Kees Cook
2020-08-17 20:13 ` Arvind Sankar
2020-08-17 21:45 ` Nick Desaulniers
[not found] ` <77557c29286140dea726cc334b4f59fc@AcuMS.aculab.com>
2020-08-18 8:32 ` Joe Perches
2020-08-17 19:16 ` Kees Cook
2020-08-16 7:44 ` kernel test robot
2020-08-16 7:44 ` kernel test robot
2020-08-15 2:00 ` [PATCH] " Nick Desaulniers
2020-08-15 22:17 ` David Laight
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=672236FE-769D-48F0-AAAD-FB9630BB2FA9@gmail.com \
--to=david.bolvansky@gmail.com \
--cc=akpm@linux-foundation.org \
--cc=alexandru.ardelean@analog.com \
--cc=andriy.shevchenko@linux.intel.com \
--cc=clang-built-linux@googlegroups.com \
--cc=dan.j.williams@intel.com \
--cc=dja@axtens.net \
--cc=efriedma@quicinc.com \
--cc=joe@perches.com \
--cc=joel@joelfernandes.org \
--cc=keescook@chromium.org \
--cc=linux-kernel@vger.kernel.org \
--cc=mingo@kernel.org \
--cc=ndesaulniers@google.com \
--cc=nivedita@alum.mit.edu \
--cc=samitolvanen@google.com \
--cc=stable@vger.kernel.org \
--cc=vishal.l.verma@intel.com \
--cc=yury.norov@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.