Kees Cook1d ago

We can remove strncpy() from the Linux kernel finally! I did the last 6 instances, and dropped all the implementations:
https://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git/log/?h=dev/v7.0-rc2/strncpy

Over the last 6 years working on this, there were 362 commits by 70 contributors. The folks with more than 1 commit were:

211 Justin Stitt <[email protected]>
22 Xu Panda <[email protected]>
21 Kees Cook <[email protected]>
17 Thorsten Blum <[email protected]>
12 Arnd Bergmann <[email protected]>
4 Pranav Tyagi <[email protected]>
4 Lee Jones <[email protected]>
2 Steven Rostedt <[email protected]>
2 Sam Ravnborg <[email protected]>
2 Marcelo Moreira <[email protected]>
2 Krzysztof Kozlowski <[email protected]>
2 Kalle Valo <[email protected]>
2 Jaroslav Kysela <[email protected]>
2 Daniel Thompson <[email protected]>
2 Andrew Lunn <[email protected]>

Thank you to all of you! (And especially to Justin Stitt who took on the brunt of the work.)

kernel/git/kees/linux.git - Various feature branches

Show threadjdb
@kees
Hi, though I have been using linux for decades, I don't know what it means.
Looks like strncopy() had lots of adherence in many place, but can you explain ?
Thank you.
Mar 24 at 7:14amWeb
Show threadMatthias Auswöger1d ago
@jdb @kees
deprecated.rst ->
strncpy() did not guarantee NUL-termination of the destination buffer, leading to linear read overflows and other misbehavior. It also unconditionally NUL-padded the destination, which was a needless performance penalty for callers using only NUL-terminated strings. Due to its various behaviors, it was an ambiguous API for determining what an author's true intent was for the copy.
Show threadMatthias Auswöger1d ago
@jdb
The replacements for strncpy() are:
- strscpy() when the destination must be NUL-terminated.
- strscpy_pad() when the destination must be NUL-terminated and
zero-padded (e.g., structs crossing privilege boundaries).
- memtostr() for NUL-terminated destinations from non-NUL-terminated
fixed-width sources (with the `__nonstring` attribute on the source).
- memtostr_pad() for the same, but with zero-padding.
1/2
Show threadMatthias Auswöger1d ago
@jdb
- strtomem() for non-NUL-terminated fixed-width destinations, with
the `__nonstring` attribute on the destination.
- strtomem_pad() for non-NUL-terminated destinations that also need
zero-padding.
- memcpy_and_pad() for bounded copies from potentially unterminated
sources where the destination size is a runtime value.
2/2