From: Adhemerval Zanella Netto <adhemerval.zanella@linaro.org>
To: Wilco Dijkstra <Wilco.Dijkstra@arm.com>,
Florian Weimer <fweimer@redhat.com>,
Szabolcs Nagy <Szabolcs.Nagy@arm.com>,
"H.J. Lu" <hjl.tools@gmail.com>,
Noah Goldstein <goldstein.w.n@gmail.com>
Cc: 'GNU C Library' <libc-alpha@sourceware.org>
Subject: Re: [PATCH v2] string: Fix OOB read on generic strncmp
Date: Fri, 24 Feb 2023 09:34:57 -0300 [thread overview]
Message-ID: <76498f0c-6520-4932-25e6-b3691bf81db5@linaro.org> (raw)
In-Reply-To: <PAWPR08MB898234CEC8F554BAACD9981683A89@PAWPR08MB8982.eurprd08.prod.outlook.com>
On 24/02/23 09:24, Wilco Dijkstra wrote:
> Hi,
>
>> It's common to use strncmp as a starts-with predicate, like this:
>>
>> strncmp (s, "prefix", 5)
>>
>> This requires that reading stops at the first null byte. C11 wording
>> makes this kind of usage inadvisable because it treats the inputs as
>> arrays, and this means that mean that implementations could read past
>> the null byte. But that doesn't match current programming practice.
>
> C11 says you can't read past the end of the array, but it doesn't say that
> you *must* read past a NUL-byte. My interpretation is that this is a valid
> strncmp implementation:
>
> int
> simple_strncmp (const char *s1, const char *s2, size_t size)
> {
> size_t len1 = strnlen (s1, size);
> size_t len2 = strnlen (s2, size);
> if (len1 < len2)
> len1++;
> else if (len1 > len2)
> len1 = len2 + 1;
> return memcmp (s1, s2, len1);
> }
>
> Ie. both strings must be valid up until the given size or NUL-terminated if
> smaller. This works on the example above even if the first string is only 1 byte.
That was my understanding as well when I wrote the generic strncmp, and
multiple strncmp implementation also follows this same idea.
So another option is to keep the generic strncmp as is and just remove the
crypt/badsalttest.c, since it passing invalid inputs on crypt (non null
terminated strings).
>
>> The strnlen function has the same problem if you want to use it to limit
>> readhead, e.g. in sscanf to fix bug 17577. (POSIX also speaks of an
>> array argument.) In stdio-common/Xprintf_buffer_puts_1.c, we already
>> use it to avoid a similar performance glitch. It's not the first such
>> uses, there is already a similar call (with similar rationale) in
>> string/strcasestr.c, and for wcsnlen in
>> stdio-common/vfprintf-process-arg.c.
>>
>> I think we should support all these as extensions. The alternative
>> would be to add new functions that stop reading after the first null
>> byte (particularly for the strnlen optimization).
>
> Existing functions already do stop after the first NUL byte. Even if the C
> standard doesn't explicitly disallow it, it doesn't seem valid to read beyond
> it (a lot of code could fail if we did).
>
> Cheers,
> Wilco
next prev parent reply other threads:[~2023-02-24 12:35 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-02-24 12:24 Wilco Dijkstra
2023-02-24 12:34 ` Adhemerval Zanella Netto [this message]
2023-02-24 12:43 ` Szabolcs Nagy
2023-02-24 12:57 ` Adhemerval Zanella Netto
-- strict thread matches above, loose matches on Subject: below --
2023-02-23 19:10 Wilco Dijkstra
2023-02-22 16:31 Adhemerval Zanella
2023-02-22 17:21 ` Szabolcs Nagy
2023-02-23 18:15 ` Adhemerval Zanella Netto
2023-02-24 10:19 ` Szabolcs Nagy
2023-02-24 10:58 ` Florian Weimer
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=76498f0c-6520-4932-25e6-b3691bf81db5@linaro.org \
--to=adhemerval.zanella@linaro.org \
--cc=Szabolcs.Nagy@arm.com \
--cc=Wilco.Dijkstra@arm.com \
--cc=fweimer@redhat.com \
--cc=goldstein.w.n@gmail.com \
--cc=hjl.tools@gmail.com \
--cc=libc-alpha@sourceware.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).