Subject: Re: [PATCH] x86/tdx: refactor deprecated strncpy
From: Dave Hansen
Date: Fri, 29 Sep 2023 14:27:39 -0700
To: Kees Cook, Thomas Gleixner, Ingo Molnar, Borislav Petkov, Dave Hansen, x86@kernel.org, "H. Peter Anvin", Justin Stitt
Cc: linux-kernel@vger.kernel.org, linux-hardening@vger.kernel.org, Nick Desaulniers
Message-ID: <51164807-4860-b1cc-e3de-4230795808df@intel.com>
In-Reply-To: <169601242377.3008066.9973846266706309040.b4-ty@chromium.org>
References: <20230911-strncpy-arch-x86-coco-tdx-tdx-c-v1-1-4b38155727f3@google.com> <169601242377.3008066.9973846266706309040.b4-ty@chromium.org>

On 9/29/23 11:33, Kees Cook wrote:
> On Mon, 11 Sep 2023 18:27:25 +0000, Justin Stitt wrote:
>> `strncpy` is deprecated and we should prefer more robust string apis.
>>
>> In this case, `message.str` is not expected to be NUL-terminated as it
>> is simply a buffer of characters residing in a union which allows for
>> named fields representing 8 bytes each. There is only one caller of
>> `tdx_panic()` and they use a 59-length string for `msg`:
>> | const char *msg = "TD misconfiguration: SEPT_VE_DISABLE attribute must be set.";
>>
>> [...]
>
> This appears to be trivially correct, so I can take it via my tree.

Sorry about that, I was being clear as mud as to what I wanted to see
here. I was hoping for another more clear changelog at least.

The changelog makes it sound like there's a problem with not
NULL-terminating 'message.str' when there isn't. That makes it hard to
tell what the patch's goals are.

As far as I can tell, the code is 100% correct with either the existing
strncpy() or strtomem_pad(), even with a >64-byte string. This _is_
unusual because the hypervisor is nice and doesn't require NULL
termination.

Would there be anything wrong with a changelog like this?

	strncpy() works perfectly here in all cases. However, it _is_
	deprecated and unsafe in other cases and there is an effort to
	purge it from the code base to avoid problems elsewhere. Replace
	strncpy() with an equivalent (in this case) strtomem_pad() which
	is not deprecated.

In other words, this fixes no bug. But we should do it anyway.
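
The equivalence discussed in this message, as an added example that is not part of the thread or the kernel source: a userspace model of strtomem_pad() compared byte for byte against strncpy() on a fixed-size buffer that carries no terminator. The union layout, MSG_LEN (taken from the ">64-byte" remark), and the helper names are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MSG_LEN 64 /* assumed from the ">64-byte string" remark in the thread */

/* Constructed stand-in for the union described in the thread: eight 8-byte
 * fields overlaying a character buffer that carries no NUL terminator. */
union panic_msg {
	uint64_t regs[MSG_LEN / 8];
	char str[MSG_LEN];
};

/* Userspace model of strtomem_pad(): copy at most dest_len bytes of src,
 * fill the remainder with pad, never append a terminator. */
static void model_strtomem_pad(char *dest, size_t dest_len, const char *src, int pad)
{
	size_t n = 0;
	while (n < dest_len && src[n] != '\0')
		n++;
	memcpy(dest, src, n);
	memset(dest + n, pad, dest_len - n);
}

/* 1 when strncpy() and the model leave identical bytes in the buffer. */
int same_result(const char *msg)
{
	union panic_msg a, b;
	memset(&a, 0xAA, sizeof(a));	/* different poison values, so any byte */
	memset(&b, 0x55, sizeof(b));	/* left unwritten breaks the comparison */
	strncpy(a.str, msg, sizeof(a.str));
	model_strtomem_pad(b.str, sizeof(b.str), msg, '\0');
	return memcmp(&a, &b, sizeof(a)) == 0;
}

/* 1 when the buffer holds no NUL byte at all after the copy. */
int unterminated_after_copy(const char *msg)
{
	union panic_msg m;
	model_strtomem_pad(m.str, sizeof(m.str), msg, '\0');
	return memchr(m.str, '\0', sizeof(m.str)) == NULL;
}

int main(void)
{
	const char *msg = "TD misconfiguration: SEPT_VE_DISABLE attribute must be set.";
	printf("same=%d unterminated=%d\n", same_result(msg), unterminated_after_copy(msg));
	return 0;
}
```

For the 59-byte message both calls zero-fill the last 5 bytes; at 64 bytes or more both truncate and leave no NUL in the buffer, so any consumer must treat it as a fixed-length field.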