Re: [PATCH v3] lib/string.c: implement stpcpy

From: Kees Cook
Date: Thu Aug 27 2020 - 18:26:15 EST

Next message: Gustavo A. R. Silva: "Re: [PATCH v2] udf: Use kvzalloc() in udf_sb_alloc_bitmap()"
Previous message: Jens Axboe: "Re: [PATCH] coccinelle: api: fix kobj_to_dev.cocci warnings"
In reply to: Andy Shevchenko: "Re: [PATCH v3] lib/string.c: implement stpcpy"
Next in thread: Andy Shevchenko: "Re: [PATCH v3] lib/string.c: implement stpcpy"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Thu, Aug 27, 2020 at 11:05:42PM +0300, Andy Shevchenko wrote:
> In general it's better to have a robust API, but what may go wrong
> with the interface where we have no length of the buffer passed, but
> we all know that it's PAGE_SIZE?
> So, what's wrong with doing something like
> strcpy(buf, "Yes, we know we won't overflow here\n");

(There's a whole thread[1] about this right now, actually.)

The problem isn't the uses where it's safe (obviously), it's about the
uses where it is NOT safe. (Or _looks_ safe but isn't.) In order to
eliminate bug classes, we need remove the APIs that are foot-guns. Even
if one developer never gets it wrong, others might.

[1] https://lore.kernel.org/lkml/c256eba42a564c01a8e470320475d46f@xxxxxxxxxxxxxxxx/T/#mac95487d7ae427de03251b49b75dd4de40c2462d

--
Kees Cook

Next message: Gustavo A. R. Silva: "Re: [PATCH v2] udf: Use kvzalloc() in udf_sb_alloc_bitmap()"
Previous message: Jens Axboe: "Re: [PATCH] coccinelle: api: fix kobj_to_dev.cocci warnings"
In reply to: Andy Shevchenko: "Re: [PATCH v3] lib/string.c: implement stpcpy"
Next in thread: Andy Shevchenko: "Re: [PATCH v3] lib/string.c: implement stpcpy"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]