From: Kees Cook <keescook@chromium.org>
To: Christoph Hellwig <hch@lst.de>
Cc: Justin Stitt <justinstitt@google.com>,
Keith Busch <kbusch@kernel.org>, Jens Axboe <axboe@kernel.dk>,
Sagi Grimberg <sagi@grimberg.me>,
linux-nvme@lists.infradead.org, linux-kernel@vger.kernel.org,
linux-hardening@vger.kernel.org, ksummit@lists.linux.dev
Subject: Re: the nul-terminated string helper desk chair rearrangement
Date: Wed, 18 Oct 2023 23:01:54 -0700 [thread overview]
Message-ID: <202310182248.9E197FFD5@keescook> (raw)
In-Reply-To: <20231019054642.GF14346@lst.de>
On Thu, Oct 19, 2023 at 07:46:42AM +0200, Christoph Hellwig wrote:
> On Wed, Oct 18, 2023 at 10:48:49PM +0000, Justin Stitt wrote:
> > strncpy() is deprecated for use on NUL-terminated destination strings
> > [1] and as such we should prefer more robust and less ambiguous string
> > interfaces.
>
> If we want that we need to stop pretendening direct manipulation of
> nul-terminate strings is a good idea. I suspect the churn of replacing
> one helper with another, maybe slightly better, one probably
> introduces more bugs than it fixes.
>
> If we want to attack the issue for real we need to use something
> better.
>
> lib/seq_buf.c is a good start for a lot of simple cases that just
> append to strings including creating complex ones. Kent had a bunch
> of good ideas on how to improve it, but couldn't be convinced to
> contribute to it instead of duplicating the functionality which
> is a bit sad, but I think we need to switch to something like
> seq_buf that actually has a counted string instead of all this messing
> around with the null-terminated strings.
When doing more complex string creation, I agree. I spent some time
doing this while I was looking at removing strcat() and strlcat(); this
is where seq_buf shines. (And seq_buf is actually both: it maintains its
%NUL termination _and_ does the length counting.) The only thing clunky
about it was initialization, but all the conversions I experimented with
were way cleaner using seq_buf. I even added a comment to strlcat()'s
kern-doc to aim folks at seq_buf. :)
/**
* strlcat - Append a string to an existing string
...
* Do not use this function. While FORTIFY_SOURCE tries to avoid
* read and write overflows, this is only possible when the sizes
* of @p and @q are known to the compiler. Prefer building the
* string with formatting, via scnprintf(), seq_buf, or similar.
Almost all of the remaining strncpy() usage is just string to string
copying, but the corner cases that are being spun out that aren't
strscpy() or strscpy_pad() are covered by strtomem(), kmemdup_nul(),
and memcpy(). Each of these are a clear improvement since they remove
the ambiguity of the intended behavior. Using seq_buf ends up being way
more overhead than is needed.
-Kees
--
Kees Cook
next prev parent reply other threads:[~2023-10-19 6:01 UTC|newest]
Thread overview: 20+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <20231018-strncpy-drivers-nvme-host-fabrics-c-v1-1-b6677df40a35@google.com>
2023-10-19 5:46 ` the nul-terminated string helper desk chair rearrangement, was: Re: [PATCH] nvme-fabrics: replace deprecated strncpy with strscpy Christoph Hellwig
2023-10-19 6:01 ` Kees Cook [this message]
2023-10-19 7:01 ` the nul-terminated string helper desk chair rearrangement Willy Tarreau
2023-10-19 11:40 ` Alexey Dobriyan
2023-10-19 12:00 ` Willy Tarreau
2023-10-20 4:46 ` Christoph Hellwig
2023-10-20 17:40 ` Justin Stitt
2023-10-20 17:56 ` Linus Torvalds
2023-10-20 18:22 ` Kees Cook
2023-10-20 18:30 ` Kees Cook
2023-10-26 10:01 ` Christoph Hellwig
2023-10-26 11:39 ` James Bottomley
2023-10-26 13:52 ` Steven Rostedt
2023-10-26 13:59 ` Geert Uytterhoeven
2023-10-27 18:32 ` Alexey Dobriyan
2023-10-26 14:05 ` Jonathan Corbet
2023-10-27 7:08 ` Kalle Valo
2023-10-26 13:44 ` Andrew Lunn
2023-10-26 13:51 ` Laurent Pinchart
2023-10-26 14:27 ` James Bottomley
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=202310182248.9E197FFD5@keescook \
--to=keescook@chromium.org \
--cc=axboe@kernel.dk \
--cc=hch@lst.de \
--cc=justinstitt@google.com \
--cc=kbusch@kernel.org \
--cc=ksummit@lists.linux.dev \
--cc=linux-hardening@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-nvme@lists.infradead.org \
--cc=sagi@grimberg.me \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox