linux-kernel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: Andy Shevchenko <andy.shevchenko@gmail.com>
To: Kees Cook <keescook@chromium.org>
Cc: Masahiro Yamada <masahiroy@kernel.org>,
	Nick Desaulniers <ndesaulniers@google.com>,
	Joe Perches <joe@perches.com>,
	clang-built-linux <clang-built-linux@googlegroups.com>,
	stable <stable@vger.kernel.org>, Andy Lavr <andy.lavr@gmail.com>,
	Arvind Sankar <nivedita@alum.mit.edu>,
	Rasmus Villemoes <linux@rasmusvillemoes.dk>,
	Sami Tolvanen <samitolvanen@google.com>,
	Andrew Morton <akpm@linux-foundation.org>,
	Andy Shevchenko <andriy.shevchenko@linux.intel.com>,
	Alexandru Ardelean <alexandru.ardelean@analog.com>,
	Yury Norov <yury.norov@gmail.com>,
	Linux Kernel Mailing List <linux-kernel@vger.kernel.org>
Subject: Re: [PATCH v3] lib/string.c: implement stpcpy
Date: Thu, 27 Aug 2020 23:05:42 +0300	[thread overview]
Message-ID: <CAHp75VeA6asim81CwxPD7LKc--DEvOWH9fwgQ9Bbb1Xf55OYKw@mail.gmail.com> (raw)
In-Reply-To: <202008271126.2C397BF6D@keescook>

On Thu, Aug 27, 2020 at 9:30 PM Kees Cook <keescook@chromium.org> wrote:
>
> On Thu, Aug 27, 2020 at 11:59:24AM +0300, Andy Shevchenko wrote:
> > strcpy() is not a bad API for the cases when you know what you are
> > doing. A problem that most of the developers do not know what they are
> > doing.
> > No need to split everything to bad and good by its name or semantics,
> > each API has its own pros and cons and programmers must use their
> > brains.
>
> I equate "unsafe" or "fragile" with "bad". There's no reason to use our
> brains for remembering what's safe or not when we can just remove unsafe
> things from the available APIs, and/or lean on the compiler to help
> (e.g. CONFIG_FORTIFY_SOURCE).
>
> Most of the uses of strcpy() in the kernel are just copying between two
> known-at-compile-time NUL-terminated character arrays. We had wanted to
> introduce stracpy() for this, but Linus objected to yet more string
> functions. So for now, I'm aimed at removing strlcpy() completely first,
> then look at strcpy() -> strscpy() for cases where target size is NOT
> compile-time known, and then to convert the kernel's strcpy() into
> _requiring_ that source/dest lengths are known at compile time.
>
> And then tackle strncpy(), which is a mess.

In general it's better to have a robust API, but what may go wrong
with the interface where we have no length of  the buffer passed, but
we all know that it's PAGE_SIZE?
So, what's wrong with doing something like
strcpy(buf, "Yes, we know we won't overflow here\n");
?


-- 
With Best Regards,
Andy Shevchenko

  parent reply	other threads:[~2020-08-27 20:06 UTC|newest]

Thread overview: 25+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2020-08-25 13:58 [PATCH v3] lib/string.c: implement stpcpy Nick Desaulniers
2020-08-25 18:51 ` Nathan Chancellor
2020-08-26 15:41 ` Sedat Dilek
2020-08-26 15:58 ` Masahiro Yamada
2020-09-06  9:57   ` Kees Cook
2020-08-26 16:49 ` Masahiro Yamada
2020-08-26 16:57   ` Joe Perches
2020-08-26 16:58     ` Nick Desaulniers
2020-08-26 22:59       ` Masahiro Yamada
2020-08-26 23:38         ` Kees Cook
2020-08-26 23:57           ` Joe Perches
2020-08-27  2:33             ` Kees Cook
2020-08-27  2:42               ` Joe Perches
2020-08-27 18:26                 ` Kees Cook
2020-08-27  8:59           ` Andy Shevchenko
2020-08-27 18:30             ` Kees Cook
2020-08-27 19:37               ` Joe Perches
2020-08-27 19:41                 ` Kees Cook
2020-08-27 20:05               ` Andy Shevchenko [this message]
2020-08-27 22:26                 ` Kees Cook
2020-08-28  8:17                   ` Andy Shevchenko
2020-08-31 23:21                     ` Nick Desaulniers
2020-09-01  8:51                       ` David Laight
2020-08-25 14:00 Nick Desaulniers
2020-08-26 15:22 ` Kees Cook

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=CAHp75VeA6asim81CwxPD7LKc--DEvOWH9fwgQ9Bbb1Xf55OYKw@mail.gmail.com \
    --to=andy.shevchenko@gmail.com \
    --cc=akpm@linux-foundation.org \
    --cc=alexandru.ardelean@analog.com \
    --cc=andriy.shevchenko@linux.intel.com \
    --cc=andy.lavr@gmail.com \
    --cc=clang-built-linux@googlegroups.com \
    --cc=joe@perches.com \
    --cc=keescook@chromium.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux@rasmusvillemoes.dk \
    --cc=masahiroy@kernel.org \
    --cc=ndesaulniers@google.com \
    --cc=nivedita@alum.mit.edu \
    --cc=samitolvanen@google.com \
    --cc=stable@vger.kernel.org \
    --cc=yury.norov@gmail.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).