Date: Tue, 23 Jul 2019 14:36:25 -0700
From: Kees Cook
To: Joe Perches
Cc: Linus Torvalds, linux-kernel@vger.kernel.org, Jonathan Corbet, Stephen Kitt, Nitin Gote, jannh@google.com, kernel-hardening@lists.openwall.com, Rasmus Villemoes, Andrew Morton
Subject: Re: [PATCH 1/2] string: Add stracpy and stracpy_pad mechanisms
Message-ID: <201907231435.FABB1CC@keescook>
In-Reply-To: <7ab8957eaf9b0931a59eff6e2bd8c5169f2f6c41.1563841972.git.joe@perches.com>

On Mon, Jul 22, 2019 at 05:38:15PM -0700, Joe Perches wrote:
> Several uses of strlcpy and strscpy have had defects because the
> last argument of each function is misused or typoed.
>
> Add macro mechanisms to avoid this defect.
>
> stracpy (copy a string to a string array) must have a string
> array as the first argument (to) and uses sizeof(to) as the
> size.
>
> These mechanisms verify that the to argument is an array of
> char or other compatible types like u8 or unsigned char.
>
> A BUILD_BUG is emitted when the type of to is not compatible.
>
> Signed-off-by: Joe Perches

I think Rasmus's suggestion would make sense:

	BUILD_BUG_ON(!__same_type(typeof(to), char[]))

Either way, I think it should be fine:

Reviewed-by: Kees Cook

-Kees

> --- > include/linux/string.h | 41 +++++++++++++++++++++++++++++++++++++++++ > 1 file changed, 41 insertions(+) > > diff --git a/include/linux/string.h b/include/linux/string.h > index 4deb11f7976b..f80b0973f0e5 100644 > --- a/include/linux/string.h > +++ b/include/linux/string.h 
> @@ -35,6 +35,47 @@ ssize_t strscpy(char *, const char *, size_t); > /* Wraps calls to strscpy()/memset(), no arch specific code required */ > ssize_t strscpy_pad(char *dest, const char *src, size_t count); > > +/** > + * stracpy - Copy a C-string into an array of char > + * @to: Where to copy the string, must be an array of char and not a pointer > + * @from: String to copy, may be a pointer or const char array > + * > + * Helper for strscpy. > + * Copies a maximum of sizeof(@to) bytes of @from with %NUL termination. > + * > + * Returns: > + * * The number of characters copied (not including the trailing %NUL) > + * * -E2BIG if @to is a zero size array. > + */ > +#define stracpy(to, from) \ > +({ \ > + size_t size = ARRAY_SIZE(to); \ > + BUILD_BUG_ON(!__same_type(typeof(*to), char)); \ > + \ > + strscpy(to, from, size); \ > +}) > + > +/** > + * stracpy_pad - Copy a C-string into an array of char with %NUL padding > + * @to: Where to copy the string, must be an array of char and not a pointer > + * @from: String to copy, may be a pointer or const char array > + * > + * Helper for strscpy_pad. > + * Copies a maximum of sizeof(@to) bytes of @from with %NUL termination > + * and zero-pads the remaining size of @to > + * > + * Returns: > + * * The number of characters copied (not including the trailing %NUL) > + * * -E2BIG if @to is a zero size array. > + */ > +#define stracpy_pad(to, from) \ > +({ \ > + size_t size = ARRAY_SIZE(to); \ > + BUILD_BUG_ON(!__same_type(typeof(*to), char)); \ > + \ > + strscpy_pad(to, from, size); \ > +}) > + > #ifndef __HAVE_ARCH_STRCAT > extern char * strcat(char *, const char *); > #endif > -- > 2.15.0 > -- Kees Cook
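
Review bot: In both stracpy() and stracpy_pad(), the check BUILD_BUG_ON(!__same_type(typeof(*to), char)) accepts only plain char elements. __same_type() is __builtin_types_compatible_p(), and to it char, signed char and unsigned char are three distinct types, so a u8 or unsigned char array fails the build. That contradicts the changelog's "other compatible types like u8 or unsigned char". Either widen the check to the element types that are meant to be allowed, or have the changelog say "array of char" only, as the kernel-doc already does. This check on *to also passes for a char pointer; the pointer rejection comes entirely from ARRAY_SIZE()'s __must_be_array(), which the kernel-doc could state. Two smaller points: the local named size in each statement expression shadows any caller variable of that name that appears inside the to or from expression (an index, for example), so pass ARRAY_SIZE(to) to strscpy()/strscpy_pad() directly or pick a name unlikely to collide; and the Returns sections should mention that strscpy() also returns -E2BIG when the copy is truncated, not only for a zero size array.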