Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1753242AbbD1FfO (ORCPT <rfc822;w@1wt.eu>);
	Tue, 28 Apr 2015 01:35:14 -0400
Received: from mailsec102.isp.belgacom.be ([195.238.20.98]:40069 "EHLO
	mailsec102.isp.belgacom.be" rhost-flags-OK-OK-OK-OK)
	by vger.kernel.org with ESMTP id S1751269AbbD1FfM convert rfc822-to-8bit
	(ORCPT <rfc822;linux-kernel@vger.kernel.org>);
	Tue, 28 Apr 2015 01:35:12 -0400
X-Cloudmark-SP-Filtered: true
X-Cloudmark-SP-Result: v=1.1 cv=+BsAzE94k0WpM8AtezFGaEXBVpw1lpSE4R7UN5Nfg4g= c=1 sm=2
 a=IkcTkHD0fZMA:10 a=drOt6m5kAAAA:8 a=wPz6kqcNvlyLjm8e28MA:9
 a=QEXdDO2ut3YA:10 a=rbDLXIiulyzorfEy:21 a=rpHP-z5_GOn6dGpN:21
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: A2B1BQDrGj9V/9QU7sNcgwyBL4MasWkGmUECgTZMAQEBAQEBgQuEIAEBAQMBI1YFCwUGFAQCAhgOAgJXBgESEYgSDLJMhlGNNgEBAQEGAQEBAR6BIYR1hSKEUjMHgmiBRQWxbyODdjwxgkQBAQE
Date: Tue, 28 Apr 2015 07:35:10 +0200 (CEST)
From: Fabian Frederick <fabf@skynet.be>
Reply-To: Fabian Frederick <fabf@skynet.be>
To: Al Viro <viro@ZenIV.linux.org.uk>,
        Linus Torvalds <torvalds@linux-foundation.org>
Cc: linux-kernel@vger.kernel.org
Message-ID: <1363736428.511175.1430199310500.open-xchange@webmail.nmp.proximus.be>
In-Reply-To: <20150428034859.GI889@ZenIV.linux.org.uk>
References: <20150428034859.GI889@ZenIV.linux.org.uk>
Subject: Re: revert "fs/befs/linuxvfs.c: replace strncpy by strlcpy"
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8BIT
X-Priority: 3
Importance: Medium
X-Mailer: Open-Xchange Mailer v7.2.2-Rev27
Sender: linux-kernel-owner@vger.kernel.org
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
Content-Length: 2251
Lines: 55



> On 28 April 2015 at 05:48 Al Viro <viro@ZenIV.linux.org.uk> wrote:
>
>
> commit 39d7a29f867bd5a4a551fad6bb3812ceddb0bce1
> Author: Fabian Frederick <fabf@skynet.be>
> Date:   Fri Jun 6 14:36:15 2014 -0700
>
>     fs/befs/linuxvfs.c: replace strncpy by strlcpy
>     
>     strncpy + end of string assignment replaced by strlcpy
>
> replaces perfectly safe code with undefined behaviour.  All in the name
> of "security hardening", presumably.  Folks, seeing the words "designed to be
> safer, more consistent, and less error prone replacement" in a manpage does
> *NOT* mean "OK, quit reading it - no need to go further, not even to the end
> of the paragraph".  Because in the end of that paragraph it says "This means
> that for strlcpy() src must be NUL-terminated".  And sure enough, our
> implementation relies on that - it starts with strlen().
>
> strncpy() is guaranteed not to look further than size.  strlcpy() is *NOT*.
> strncpy() on unvalidated source is safe, provided that you sanitize the copy;
> strlcpy() on anything like that is an invitation for nasal daemons.
>
> Sure, we can (and probably should) make strlcpy(dst, src, n) never access
> memory beyond src + n - 1, but this kind of cargo-culting is a Bad Thing(tm);
> mindless "security improvements" without so much as bothering to RTFM are
> asking for trouble.  And in userland code anything like that _can't_ be
> papered over afterwards - not unless you can patch every libc implementation
> out there.
>
> This particular code is completely pointless - if anything, it should've been
> memcpy() + nd_terminate_link()...
>
> Al, very unhappy about the prospect of looking through ~2000 calls of
> strlcpy()
> we have in the tree...

Sorry Al, I thought it was more secure.
I guess the 2 following patches should be reversed as well :

6cb103b6f45a
"fs/befs/btree.c: replace strncpy by strlcpy + coding style fixing"

69201bb11327
"fs/ocfs2/super.c: use OCFS2_MAX_VOL_LABEL_LEN and strlcpy"

Regards,
Fabian
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/