Date: Tue, 23 Jul 2019 14:34:44 -0700
From: Kees Cook
To: David Laight
Cc: Rasmus Villemoes, Joe Perches, Linus Torvalds, linux-kernel@vger.kernel.org, Jonathan Corbet, Stephen Kitt, Nitin Gote, jannh@google.com, kernel-hardening@lists.openwall.com, Andrew Morton
Subject: Re: [PATCH 1/2] string: Add stracpy and stracpy_pad mechanisms
Message-ID: <201907231430.C679A37EC@keescook>
References: <7ab8957eaf9b0931a59eff6e2bd8c5169f2f6c41.1563841972.git.joe@perches.com> <5ffdbf4f87054b47a2daf23a6afabecf@AcuMS.aculab.com>
In-Reply-To: <5ffdbf4f87054b47a2daf23a6afabecf@AcuMS.aculab.com>
X-Mailing-List: linux-kernel@vger.kernel.org

On Tue, Jul 23, 2019 at 03:41:27PM +0000, David Laight wrote:
> From: Rasmus Villemoes
> > Sent: 23 July 2019 07:56
> ...
> > > +/**
> > > + * stracpy - Copy a C-string into an array of char
> > > + * @to: Where to copy the string, must be an array of char and not a pointer
> > > + * @from: String to copy, may be a pointer or const char array
> > > + *
> > > + * Helper for strscpy.
> > > + * Copies a maximum of sizeof(@to) bytes of @from with %NUL termination.
> > > + *
> > > + * Returns:
> > > + * * The number of characters copied (not including the trailing %NUL)
> > > + * * -E2BIG if @to is a zero size array.
> >
> > Well, yes, but more importantly and generally: -E2BIG if the copy
> > including %NUL didn't fit. [The zero size array thing could be made into
> > a build bug for these stra* variants if one thinks that might actually
> > occur in real code.]
>
> Probably better is to return the size of the destination if the copy didn't fit
> (zero if the buffer is zero length).
> This allows code to do repeated:
> offset += str*cpy(buf + offset, src, sizeof buf - offset);
> and do a final check for overflow after all the copies.
>
> The same is true for a snprintf()-like function

Please no; I understand the utility of the "max on error" condition for
chaining, but chaining is less common than standard operations. And it
requires that the size of the destination be known in multiple places,
which isn't robust either. The very point of stracpy() is to not need to
know the size of the destination (i.e. it's handled by the compiler).
(And it can't be chained since it requires the base address of the
array, not a char *.)

-- 
Kees Cook
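The two return conventions argued over above, as an added userspace model that is neither the kernel's strscpy()/stracpy() nor the patch's code: my_strscpy returns -E2BIG on any truncation, my_stracpy takes its bound from sizeof() of a real array, and join3 shows why chaining under the -E2BIG convention needs a per-step check and a caller-supplied remaining size. The names my_strscpy, my_stracpy, copy_into_fixed and join3, and the compile-time array check in the macro, are assumptions for this example.

```c
#include <string.h>
#include <errno.h>

/* Model of strscpy(): copy at most count-1 chars, always NUL-terminate when
 * count > 0, return chars copied or -E2BIG if src (with NUL) did not fit. */
long my_strscpy(char *dest, const char *src, size_t count)
{
	size_t len;
	if (count == 0)
		return -E2BIG;
	for (len = 0; len < count && src[len]; len++)
		;
	if (len == count) {	/* truncated: copy what fits, then NUL */
		memcpy(dest, src, count - 1);
		dest[count - 1] = '\0';
		return -E2BIG;
	}
	memcpy(dest, src, len + 1);
	return (long)len;
}

/* stracpy() model: the bound is sizeof(to), so @to must be a real array;
 * a char * is rejected at compile time (assumed check, not the patch's). */
#define my_stracpy(to, from) ({						\
	_Static_assert(!__builtin_types_compatible_p(__typeof__(to), char *),	\
		       "stracpy: destination must be an array of char");	\
	my_strscpy((to), (from), sizeof(to));					\
})

/* The caller never states a size: the compiler supplies sizeof(name). */
long copy_into_fixed(const char *src, char out[16])
{
	char name[16] = "";
	long n = my_stracpy(name, src);
	memcpy(out, name, sizeof(name));	/* hand the result back to test */
	return n;
}

/* Chained copies under -E2BIG: each step is checked and needs an explicit
 * remaining size, since stracpy() cannot be pointed at buf + off. */
long join3(char *buf, size_t size, const char *parts[3])
{
	size_t off = 0;
	for (int i = 0; i < 3; i++) {
		long n = my_strscpy(buf + off, parts[i], size - off);
		if (n < 0)
			return -E2BIG;	/* truncation reported at this step */
		off += (size_t)n;
	}
	return (long)off;
}
```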