linux-kernel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: Kees Cook <keescook@chromium.org>
To: Joe Perches <joe@perches.com>
Cc: Andrew Morton <akpm@linux-foundation.org>,
	Julia Lawall <julia.lawall@lip6.fr>,
	Linus Torvalds <torvalds@linux-foundation.org>,
	linux-kernel@vger.kernel.org, Jonathan Corbet <corbet@lwn.net>,
	Stephen Kitt <steve@sk2.org>, Nitin Gote <nitin.r.gote@intel.com>,
	jannh@google.com, kernel-hardening@lists.openwall.com,
	Rasmus Villemoes <rasmus.villemoes@prevas.dk>
Subject: Re: [PATCH V2 1/2] string: Add stracpy and stracpy_pad mechanisms
Date: Thu, 26 Sep 2019 08:45:05 -0700	[thread overview]
Message-ID: <201909260842.CDA50B7E3@keescook> (raw)
In-Reply-To: <56dc4de7e0db153cb10954ac251cb6c27c33da4a.camel@perches.com>

On Thu, Sep 26, 2019 at 01:34:36AM -0700, Joe Perches wrote:
> On Wed, 2019-09-25 at 14:50 -0700, Andrew Morton wrote:
> > On Tue, 23 Jul 2019 06:51:36 -0700 Joe Perches <joe@perches.com> wrote:
> > 
> > > Several uses of strlcpy and strscpy have had defects because the
> > > last argument of each function is misused or typoed.
> > > 
> > > Add macro mechanisms to avoid this defect.
> > > 
> > > stracpy (copy a string to a string array) must have a string
> > > array as the first argument (dest) and uses sizeof(dest) as the
> > > count of bytes to copy.
> > > 
> > > These mechanisms verify that the dest argument is an array of
> > > char or other compatible types like u8 or s8 or equivalent.
> > > 
> > > A BUILD_BUG is emitted when the type of dest is not compatible.
> > > 
> > 
> > I'm still reluctant to merge this because we don't have code in -next
> > which *uses* it.  You did have a patch for that against v1, I believe? 
> > Please dust it off and send it along?
> 
> https://lore.kernel.org/lkml/CAHk-=wgqQKoAnhmhGE-2PBFt7oQs9LLAATKbYa573UO=DPBE0Q@mail.gmail.com/
> 
> I gave up, especially after the snark from Linus
> where he wrote I don't understand this stuff.
> 
> He's just too full of himself here merely using
> argument from authority.
> 
> Creating and using a function like copy_string with
> both source and destination lengths specified is
> is also potentially a large source of defects where
> the stracpy macro atop strscpy does not have a
> defect path other than the src not being a string
> at all.
> 
> I think the analysis of defects in string function
> in the kernel is overly difficult today given the
> number of possible uses of pointer and length in
> strcpy/strncpy/strlcpy/stracpy.
> 
> I think also that there is some sense in what he
> wrote against the "word salad" use of str<foo>cpy,
> but using stracpy as a macro when possible instead
> of strscpy also makes the analysis of defects rather
> simpler.
> 
> The trivial script cocci I posted works well for the
> simple cases.
> 
> https://lore.kernel.org/cocci/66fcdbf607d7d0bea41edb39e5579d63b62b7d84.camel@perches.com/
> 
> The more complicated cocci script Julia posted is
> still not quite correct as it required intermediate
> compilation for verification of specified lengths.
> 
> https://lkml.org/lkml/2019/7/25/1406
> 
> Tell me again if you still want it and maybe the
> couple conversions that mm/ would get.

FWIW, I want it because it creates a compile-time-verifiable API for a
non-trivial set of common string copying flaws.

CONFIG_FORTIFY_SOURCE isn't able to handle these (yet?) because it's
examining the outer size of structures that hold char arrays. And even
if we built in the logic to deal with it correctly, it'd still split
the detection between compile time and run time.

-Kees

-- 
Kees Cook

  reply	other threads:[~2019-09-26 15:45 UTC|newest]

Thread overview: 16+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2019-07-23 13:51 [PATCH V2 0/2] string: Add stracpy and stracpy_pad Joe Perches
2019-07-23 13:51 ` [PATCH V2 1/2] string: Add stracpy and stracpy_pad mechanisms Joe Perches
2019-07-23 14:37   ` Rasmus Villemoes
2019-07-23 15:39     ` Joe Perches
2019-07-24  6:53       ` Rasmus Villemoes
2019-07-24  7:10         ` Joe Perches
2019-09-25 21:50   ` Andrew Morton
2019-09-26  0:01     ` Stephen Kitt
2019-09-26  7:29       ` Rasmus Villemoes
2019-09-26  8:25         ` Stephen Kitt
2019-09-26  8:51           ` Rasmus Villemoes
2019-09-26  8:34     ` Joe Perches
2019-09-26 15:45       ` Kees Cook [this message]
2019-09-27 12:57       ` Julia Lawall
2019-09-27 13:22       ` Julia Lawall
2019-07-23 13:51 ` [PATCH V2 2/2] kernel-doc: core-api: Include string.h into core-api Joe Perches

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=201909260842.CDA50B7E3@keescook \
    --to=keescook@chromium.org \
    --cc=akpm@linux-foundation.org \
    --cc=corbet@lwn.net \
    --cc=jannh@google.com \
    --cc=joe@perches.com \
    --cc=julia.lawall@lip6.fr \
    --cc=kernel-hardening@lists.openwall.com \
    --cc=linux-kernel@vger.kernel.org \
    --cc=nitin.r.gote@intel.com \
    --cc=rasmus.villemoes@prevas.dk \
    --cc=steve@sk2.org \
    --cc=torvalds@linux-foundation.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).