From: Kees Cook <keescook@chromium.org>
To: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
Cc: ksummit <ksummit-discuss@lists.linuxfoundation.org>
Subject: Re: [Ksummit-discuss] [MAINTAINERS SUMMIT] API replacement/deprecation
Date: Mon, 10 Sep 2018 09:09:33 -0700
Message-ID: <CAGXu5jLDw1fdwd9cmESQtBmr6oMEteYbT9R7+MG_PdfH52wZWQ@mail.gmail.com>
In-Reply-To: <20180910092814.085dcebd@coco.lan>

On Mon, Sep 10, 2018 at 5:28 AM, Mauro Carvalho Chehab
<mchehab+samsung@kernel.org> wrote:
> On Thu, 6 Sep 2018 16:24:03 -0700
> Kees Cook <keescook@chromium.org> wrote:
>
>> On Thu, Sep 6, 2018 at 4:18 PM, Stephen Rothwell <sfr@canb.auug.org.au> wrote:
>> > Hi Kees,
>> >
>> > On Thu, 6 Sep 2018 11:24:11 -0700 Kees Cook <keescook@chromium.org> wrote:
>> >>
>> >> If there was an agreement by all maintainers that deprecated
>> >> functions/patterns should not be added, and we documented the
>> >> deprecation somewhere like Documentation/process/deprecated.rst, then
>> >> we could make the declaration that if such functions got added (it's
>> >> easy to mechanically check for them), it would be the responsibility
>> >> of the author and maintainer chain to see that it got fixed before the
>> >> release is cut. We already have this for things like "breaks the x86
>> >> allmodconfig build" or similar. The checking would be manual, and the
>> >> enforcement would be by agreement, but it'd be better than the kind of
>> >> "please don't do this" hand-waving we've had in the past.
>> >
>> > I could do this in linux-next, of course, the same way I check for
>> > missing signed-off-bys. All I would need is the list of deprecated
>> > things.
>>
>> Hopefully we can all agree on deprecating strcpy() and strncpy() in
>> favor of strscpy()?
>
> I suspect that that's the way to go for most use cases.
>
> In the case of media, I double-checked: 100% of the usages can be
> replaced by strscpy() [1]. I just sent a patchset for review with
> such changes.
Double-check the strncpy() uses: some may depend on the trailing NUL-padding.

> Yet, there are 104 occurrences of strncpy_from_user(). If they
> all do something similar, it could make sense to have a
> strscpy_from_user() function. If you're willing to do so,
> feel free to also convert av7110 to it.

Yeah. I think we need:

strscpy_pad()
memcpy_pad()
strscpy_from_user()

The strncpy uses are:

1- safer strcpy() (usually visible with leading/trailing "buf[size-1]=0")
2- padded strcpy() (to wipe the contents of a destination)
3- copy non-NUL-terminated array of characters

1 should use strscpy
2 needs a strscpy+trailing memset (e.g. strscpy_pad())
3 needs memcpy+trailing memset (e.g. memcpy_pad())

I suggest "memcpy_pad" to very clearly distinguish that it is not
NUL-terminated, but rather NUL-padded.

-Kees
--
Kees Cook
Pixel Security
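The three strncpy() use cases and their proposed replacements, worked through as an added example (this is illustration code written for this page, not kernel code and not part of the thread). The demo_* functions are user-space stand-ins for the kernel strscpy() contract and for the strscpy_pad()/memcpy_pad() helpers the mail proposes; their names and signatures are this example's own assumptions. The 0xAA pre-fill and the sample strings are constructed inputs that make stale bytes, missing terminators and padding visible.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not kernel code: the demo_ prefix marks routines that only
 * approximate the kernel's strscpy()/strscpy_pad()/memcpy_pad() contracts. */

static size_t bounded_len(const char *s, size_t max)
{
    size_t n = 0;
    while (n < max && s[n])
        n++;
    return n;
}

/* Use case 1: strscpy-like copy. At most size-1 bytes are copied, dst is
 * always NUL-terminated (size > 0), and the return value is the number of
 * bytes copied or -1 (standing in for -E2BIG) when src was truncated.
 * Unlike strncpy(), it never leaves dst unterminated and never pads the tail. */
long demo_strscpy(char *dst, const char *src, size_t size)
{
    size_t len;

    if (size == 0)
        return -1;
    len = bounded_len(src, size);
    if (len == size) {              /* src fills the buffer: no room for NUL */
        memcpy(dst, src, size - 1);
        dst[size - 1] = '\0';
        return -1;
    }
    memcpy(dst, src, len + 1);      /* includes the terminator */
    return (long)len;
}

/* Use case 2: strscpy plus zeroing of the remainder, so the destination
 * carries no stale bytes (e.g. a struct about to be copied to user space). */
long demo_strscpy_pad(char *dst, const char *src, size_t size)
{
    long ret = demo_strscpy(dst, src, size);
    size_t written;

    if (size == 0)
        return ret;
    written = ret < 0 ? size : (size_t)ret + 1;   /* bytes written, incl. NUL */
    if (written < size)
        memset(dst + written, 0, size - written);
    return ret;
}

/* Use case 3: a fixed-size character array that is NUL-padded but NOT
 * guaranteed NUL-terminated (src may fill all size bytes). Returns the
 * number of payload bytes copied. */
size_t demo_memcpy_pad(char *dst, size_t size, const char *src)
{
    size_t len = bounded_len(src, size);

    memcpy(dst, src, len);
    memset(dst + len, 0, size - len);
    return len;
}

/* Non-zero bytes after the first NUL; returns size if there is no NUL. */
size_t stale_bytes_after_nul(const char *buf, size_t size)
{
    const char *nul = memchr(buf, '\0', size);
    size_t n = 0;

    if (!nul)
        return size;
    for (const char *p = nul + 1; p < buf + size; p++)
        if (*p)
            n++;
    return n;
}

enum copier { USE_STRNCPY, USE_STRSCPY, USE_STRSCPY_PAD, USE_MEMCPY_PAD };

/* Copy src into a size-byte buffer pre-filled with 0xAA (constructed stand-in
 * for stale data) and report: bit 0 = NUL-terminated within size,
 * bit 1 = every byte after the first NUL is zero, bit 2 = the copy routine
 * reported truncation (only the strscpy-style routines can). */
unsigned copy_and_inspect(enum copier how, const char *src, size_t size)
{
    char buf[32];
    unsigned flags = 0;
    long ret = 0;

    if (size == 0 || size > sizeof(buf))
        return 0;
    memset(buf, 0xAA, sizeof(buf));
    switch (how) {
    case USE_STRNCPY:     strncpy(buf, src, size); break;
    case USE_STRSCPY:     ret = demo_strscpy(buf, src, size); break;
    case USE_STRSCPY_PAD: ret = demo_strscpy_pad(buf, src, size); break;
    case USE_MEMCPY_PAD:  demo_memcpy_pad(buf, size, src); break;
    }
    if (memchr(buf, '\0', size))
        flags |= 1;
    if (stale_bytes_after_nul(buf, size) == 0)
        flags |= 2;
    if (ret < 0)
        flags |= 4;
    return flags;
}

int main(void)
{
    const char *names[] = { "strncpy", "strscpy", "strscpy_pad", "memcpy_pad" };
    const char *inputs[] = { "abc", "0123456789abcdef" };   /* constructed */

    for (int i = 0; i < 4; i++)
        for (int j = 0; j < 2; j++) {
            unsigned f = copy_and_inspect((enum copier)i, inputs[j], 8);
            printf("%-12s %-18s size 8 -> terminated=%u padded=%u truncated=%u\n",
                   names[i], inputs[j], f & 1, (f >> 1) & 1, (f >> 2) & 1);
        }
    return 0;
}
```

Reading the flags for an 8-byte destination: strncpy() of the 16-byte input leaves no terminator at all (the bug the "buf[size-1] = 0" idiom papers over), while strncpy() of "abc" terminates and zero-pads, which is exactly the behaviour a caller in category 2 may be silently relying on. demo_strscpy() always terminates and reports truncation, but leaves the 0xAA tail in place after "abc"; demo_strscpy_pad() clears it. demo_memcpy_pad() with an input that exactly fills the array produces the category 3 result: fully padded, not terminated, so it must never be handed to a function expecting a C string.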