Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Tue, 2 Apr 2019 14:35:02 -0700
From: Kees Cook <keescook@...omium.org>
To: "Tobin C. Harding" <tobin@...nel.org>
Cc: Shuah Khan <shuah@...nel.org>, Jann Horn <jannh@...gle.com>, 
	Andy Shevchenko <andriy.shevchenko@...ux.intel.com>, Randy Dunlap <rdunlap@...radead.org>, 
	Rasmus Villemoes <linux@...musvillemoes.dk>, Stephen Rothwell <sfr@...b.auug.org.au>, 
	Andy Lutomirski <luto@...capital.net>, Daniel Micay <danielmicay@...il.com>, 
	Arnd Bergmann <arnd@...db.de>, Miguel Ojeda <miguel.ojeda.sandonis@...il.com>, 
	"Gustavo A. R. Silva" <gustavo@...eddedor.com>, Greg Kroah-Hartman <gregkh@...uxfoundation.org>, 
	Alexander Shishkin <alexander.shishkin@...ux.intel.com>, 
	Kernel Hardening <kernel-hardening@...ts.openwall.com>, 
	"open list:KERNEL SELFTEST FRAMEWORK" <linux-kselftest@...r.kernel.org>, LKML <linux-kernel@...r.kernel.org>
Subject: Re: [PATCH v3 6/7] lib/string: Add strscpy_pad() function

On Wed, Mar 6, 2019 at 1:43 PM Tobin C. Harding <tobin@...nel.org> wrote:
>
> We have a function to copy strings safely and we have a function to copy
> strings and zero the tail of the destination (if source string is
> shorter than destination buffer) but we do not have a function to do
> both at once.  This means developers must write this themselves if they
> desire this functionality.  This is a chore, and also leaves us open to
> off by one errors unnecessarily.
>
> Add a function that calls strscpy() then memset()s the tail to zero if
> the source string is shorter than the destination buffer.
>
> Signed-off-by: Tobin C. Harding <tobin@...nel.org>

Lovely. :)

Acked-by: Kees Cook <keescook@...omium.org>

-Kees

> ---
>  include/linux/string.h |  4 ++++
>  lib/string.c           | 47 +++++++++++++++++++++++++++++++++++-------
>  2 files changed, 44 insertions(+), 7 deletions(-)
>
> diff --git a/include/linux/string.h b/include/linux/string.h
> index 7927b875f80c..bfe95bf5d07e 100644
> --- a/include/linux/string.h
> +++ b/include/linux/string.h
> @@ -31,6 +31,10 @@ size_t strlcpy(char *, const char *, size_t);
>  #ifndef __HAVE_ARCH_STRSCPY
>  ssize_t strscpy(char *, const char *, size_t);
>  #endif
> +
> +/* Wraps calls to strscpy()/memset(), no arch specific code required */
> +ssize_t strscpy_pad(char *dest, const char *src, size_t count);
> +
>  #ifndef __HAVE_ARCH_STRCAT
>  extern char * strcat(char *, const char *);
>  #endif
> diff --git a/lib/string.c b/lib/string.c
> index 38e4ca08e757..3a3353512184 100644
> --- a/lib/string.c
> +++ b/lib/string.c
> @@ -159,11 +159,9 @@ EXPORT_SYMBOL(strlcpy);
>   * @src: Where to copy the string from
>   * @count: Size of destination buffer
>   *
> - * Copy the string, or as much of it as fits, into the dest buffer.
> - * The routine returns the number of characters copied (not including
> - * the trailing NUL) or -E2BIG if the destination buffer wasn't big enough.
> - * The behavior is undefined if the string buffers overlap.
> - * The destination buffer is always NUL terminated, unless it's zero-sized.
> + * Copy the string, or as much of it as fits, into the dest buffer.  The
> + * behavior is undefined if the string buffers overlap.  The destination
> + * buffer is always NUL terminated, unless it's zero-sized.
>   *
>   * Preferred to strlcpy() since the API doesn't require reading memory
>   * from the src string beyond the specified "count" bytes, and since
> @@ -173,8 +171,10 @@ EXPORT_SYMBOL(strlcpy);
>   *
>   * Preferred to strncpy() since it always returns a valid string, and
>   * doesn't unnecessarily force the tail of the destination buffer to be
> - * zeroed.  If the zeroing is desired, it's likely cleaner to use strscpy()
> - * with an overflow test, then just memset() the tail of the dest buffer.
> + * zeroed.  If zeroing is desired please use strscpy_pad().
> + *
> + * Return: The number of characters copied (not including the trailing
> + *         %NUL) or -E2BIG if the destination buffer wasn't big enough.
>   */
>  ssize_t strscpy(char *dest, const char *src, size_t count)
>  {
> @@ -237,6 +237,39 @@ ssize_t strscpy(char *dest, const char *src, size_t count)
>  EXPORT_SYMBOL(strscpy);
>  #endif
>
> +/**
> + * strscpy_pad() - Copy a C-string into a sized buffer
> + * @dest: Where to copy the string to
> + * @src: Where to copy the string from
> + * @count: Size of destination buffer
> + *
> + * Copy the string, or as much of it as fits, into the dest buffer.  The
> + * behavior is undefined if the string buffers overlap.  The destination
> + * buffer is always %NUL terminated, unless it's zero-sized.
> + *
> + * If the source string is shorter than the destination buffer, zeros
> + * the tail of the destination buffer.
> + *
> + * For full explanation of why you may want to consider using the
> + * 'strscpy' functions please see the function docstring for strscpy().
> + *
> + * Return: The number of characters copied (not including the trailing
> + *         %NUL) or -E2BIG if the destination buffer wasn't big enough.
> + */
> +ssize_t strscpy_pad(char *dest, const char *src, size_t count)
> +{
> +       ssize_t written;
> +
> +       written = strscpy(dest, src, count);
> +       if (written < 0 || written == count - 1)
> +               return written;
> +
> +       memset(dest + written + 1, 0, count - written - 1);
> +
> +       return written;
> +}
> +EXPORT_SYMBOL(strscpy_pad);
> +
>  #ifndef __HAVE_ARCH_STRCAT
>  /**
>   * strcat - Append one %NUL-terminated string to another
> --
> 2.20.1
>


-- 
Kees Cook

Powered by blists - more mailing lists

Your e-mail address:

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.