linux-kernel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: Kees Cook <keescook@chromium.org>
To: Joe Perches <joe@perches.com>
Cc: "Russell King (Oracle)" <linux@armlinux.org.uk>,
	"Len Baker" <len.baker@gmx.com>,
	"Dmitry Torokhov" <dmitry.torokhov@gmail.com>,
	"Lee Jones" <lee.jones@linaro.org>,
	"Uwe Kleine-König" <u.kleine-koenig@pengutronix.de>,
	linux-hardening@vger.kernel.org, linux-input@vger.kernel.org,
	linux-kernel@vger.kernel.org
Subject: Re: [PATCH] drivers/input: Remove all strcpy() uses in favor of strscpy()
Date: Mon, 2 Aug 2021 09:13:08 -0700	[thread overview]
Message-ID: <202108020912.3807510B4B@keescook> (raw)
In-Reply-To: <4962ac72a94bc5826960dab855b5e2f47a4d1b9a.camel@perches.com>

On Sun, Aug 01, 2021 at 09:55:28AM -0700, Joe Perches wrote:
> On Sun, 2021-08-01 at 09:39 -0700, Joe Perches wrote:
> > On Sun, 2021-08-01 at 16:00 +0100, Russell King (Oracle) wrote:
> > > On Sun, Aug 01, 2021 at 04:43:16PM +0200, Len Baker wrote:
> > > > strcpy() performs no bounds checking on the destination buffer. This
> > > > could result in linear overflows beyond the end of the buffer, leading
> > > > to all kinds of misbehaviors. The safe replacement is strscpy().
> []
> > > So if the string doesn't fit, it's fine to silently truncate it?
> > > 
> > > Rather than converting every single strcpy() in the kernel to
> > > strscpy(), maybe there should be some consideration given to how the
> > > issue of a strcpy() that overflows the buffer should be handled.
> > > E.g. in the case of a known string such as the above, if it's longer
> > > than the destination, should we find a way to make the compiler issue
> > > a warning at compile time?
> 
> (apologies for the earlier blank reply, sometimes I dislike my email client)
> 
> stracpy could do that with a trivial addition like below:
> 
> Old lkml references:
> 
> https://lore.kernel.org/lkml/cover.1563889130.git.joe@perches.com/
> and
> https://lore.kernel.org/lkml/56dc4de7e0db153cb10954ac251cb6c27c33da4a.camel@perches.com/
> 
> But Linus T wants a copy_string mechanism instead:
> https://lore.kernel.org/lkml/CAHk-=wgqQKoAnhmhGE-2PBFt7oQs9LLAATKbYa573UO=DPBE0Q@mail.gmail.com/
> 
> /**
>  * stracpy - Copy a C-string into an array of char/u8/s8 or equivalent
>  * @dest: Where to copy the string, must be an array of char and not a pointer
>  * @src: String to copy, may be a pointer or const char array
>  *
>  * Helper for strscpy().
>  * Copies a maximum of sizeof(@dest) bytes of @src with %NUL termination.
>  *
>  * A BUILD_BUG_ON is used for cases where @dest is not a char array or
>  * @src is a char array and is larger than @dest.
>  *
>  * Returns:
>  * * The number of characters copied (not including the trailing %NUL)
>  * * -E2BIG if @dest is a zero size array or @src was truncated.
>  */
> #define stracpy(dest, src)						\
> ({									\
> 	BUILD_BUG_ON(!(__same_type(dest, char[]) ||			\
> 		       __same_type(dest, unsigned char[]) ||		\
> 		       __same_type(dest, signed char[])));		\
> 	BUILD_BUG_ON((__same_type(src, char[]) ||			\
> 		      __same_type(src, unsigned char[]) ||		\
> 		      __same_type(src, signed char[])) &&		\
> 		     ARRAY_SIZE(src) > ARRAY_SIZE(dest));		\
> 									\
> 	strscpy(dest, src, ARRAY_SIZE(dest));				\
> })

I'm wondering, instead, if we could convert strcpy() into this instead
of adding another API? I.e. convert all the places that warn (if this
were strcpy), and then land the conversion.

-- 
Kees Cook

  reply	other threads:[~2021-08-02 16:13 UTC|newest]

Thread overview: 16+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2021-08-01 14:43 [PATCH] drivers/input: Remove all strcpy() uses in favor of strscpy() Len Baker
2021-08-01 15:00 ` Russell King (Oracle)
2021-08-01 15:57   ` Len Baker
2021-08-01 16:44     ` Kees Cook
2021-08-01 17:19       ` Dmitry Torokhov
2021-08-02 16:17         ` Kees Cook
2021-08-03  7:07       ` Kees Cook
2021-08-03  7:18         ` Hans Verkuil
2021-08-07 14:02       ` Len Baker
2021-08-07 15:17         ` Joe Perches
2021-08-08 11:30           ` Len Baker
2021-08-01 16:39   ` Joe Perches
2021-08-01 16:55     ` Joe Perches
2021-08-02 16:13       ` Kees Cook [this message]
2021-08-02 18:57         ` Joe Perches
2021-08-07 14:10           ` Len Baker

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=202108020912.3807510B4B@keescook \
    --to=keescook@chromium.org \
    --cc=dmitry.torokhov@gmail.com \
    --cc=joe@perches.com \
    --cc=lee.jones@linaro.org \
    --cc=len.baker@gmx.com \
    --cc=linux-hardening@vger.kernel.org \
    --cc=linux-input@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux@armlinux.org.uk \
    --cc=u.kleine-koenig@pengutronix.de \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).