[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Mon, 22 Jul 2019 11:21:29 -0700
From: Kees Cook <keescook@...omium.org>
To: Joe Perches <joe@...ches.com>
Cc: Nitin Gote <nitin.r.gote@...el.com>, akpm@...ux-foundation.org,
corbet@....net, apw@...onical.com, linux-doc@...r.kernel.org,
linux-kernel@...r.kernel.org, kernel-hardening@...ts.openwall.com,
Rasmus Villemoes <rasmus.villemoes@...vas.dk>
Subject: Re: [RFC PATCH] string.h: Add stracpy/stracpy_pad (was: Re: [PATCH]
checkpatch: Added warnings in favor of strscpy().)
On Mon, Jul 22, 2019 at 10:58:15AM -0700, Joe Perches wrote:
> On Mon, 2019-07-22 at 10:43 -0700, Joe Perches wrote:
> > On Mon, 2019-07-22 at 10:33 -0700, Kees Cook wrote:
> > > On Thu, Jul 04, 2019 at 05:15:57PM -0700, Joe Perches wrote:
> > > > On Thu, 2019-07-04 at 13:46 -0700, Joe Perches wrote:
> > > > > On Thu, 2019-07-04 at 11:24 +0530, Nitin Gote wrote:
> > > > > > Added warnings in checkpatch.pl script to :
> > > > > >
> > > > > > 1. Deprecate strcpy() in favor of strscpy().
> > > > > > 2. Deprecate strlcpy() in favor of strscpy().
> > > > > > 3. Deprecate strncpy() in favor of strscpy() or strscpy_pad().
> > > > > >
> > > > > > Updated strncpy() section in Documentation/process/deprecated.rst
> > > > > > to cover strscpy_pad() case.
> > > >
> > > > []
> > > >
> > > > I sent a patch series for some strscpy/strlcpy misuses.
> > > >
> > > > How about adding a macro helper to avoid the misuses like:
> > > > ---
> > > > include/linux/string.h | 16 ++++++++++++++++
> > > > 1 file changed, 16 insertions(+)
> > > >
> > > > diff --git a/include/linux/string.h b/include/linux/string.h
> > > > index 4deb11f7976b..ef01bd6f19df 100644
> > > > --- a/include/linux/string.h
> > > > +++ b/include/linux/string.h
> > > > @@ -35,6 +35,22 @@ ssize_t strscpy(char *, const char *, size_t);
> > > > /* Wraps calls to strscpy()/memset(), no arch specific code required */
> > > > ssize_t strscpy_pad(char *dest, const char *src, size_t count);
> > > >
> > > > +#define stracpy(to, from) \
> > > > +({ \
> > > > + size_t size = ARRAY_SIZE(to); \
> > > > + BUILD_BUG_ON(!__same_type(typeof(*to), char)); \
> > > > + \
> > > > + strscpy(to, from, size); \
> > > > +})
> > > > +
> > > > +#define stracpy_pad(to, from) \
> > > > +({ \
> > > > + size_t size = ARRAY_SIZE(to); \
> > > > + BUILD_BUG_ON(!__same_type(typeof(*to), char)); \
> > > > + \
> > > > + strscpy_pad(to, from, size); \
> > > > +})
> > > > +
> > > > #ifndef __HAVE_ARCH_STRCAT
> > > > extern char * strcat(char *, const char *);
> > > > #endif
> > >
> > > This seems like a reasonable addition, yes. I think Coccinelle might
> > > actually be able to find all the existing strscpy(dst, src, sizeof(dst))
> > > cases to jump-start this conversion.
> >
> > I did that. It works. It's a lot of conversions.
> >
> > $ cat str.cpy.cocci
> > @@
> > expression e1;
> > expression e2;
> > @@
> >
> > - strscpy(e1, e2, sizeof(e1))
> > + stracpy(e1, e2)
> >
> > @@
> > expression e1;
> > expression e2;
> > @@
> >
> > - strlcpy(e1, e2, sizeof(e1))
> > + stracpy(e1, e2)
> >
> > > Devil's advocate: this adds yet more string handling functions... will
> > > this cause even more confusion?
> >
> > Documentation is good.
> > Actual in-kernel use and examples better.
>
> btw: I just ran this again and it produces:
>
> $ spatch --in-place -sp-file str.cpy.cocci .
> $ git checkout tools/
> $ git diff --shortstat
> 958 files changed, 2179 insertions(+), 2655 deletions(-)
Cool. Well, assuming no one hates this, let's do it. :) Can you send a
more complete patch with docs, etc? Maybe Linus will take it for late
in the next merge window, perhaps?
--
Kees Cook
Powered by blists - more mailing lists
Confused about mailing lists and their use?
Read about mailing lists on Wikipedia
and check out these
guidelines on proper formatting of your messages.
