From patchwork Sun Nov 12 11:26:49 2023
X-Patchwork-Submitter: Alejandro Colomar
X-Patchwork-Id: 1862828
Date: Sun, 12 Nov 2023 12:26:49 +0100
From: Alejandro Colomar
To: linux-man@vger.kernel.org
Cc: Alejandro Colomar, libc-alpha@sourceware.org, Guillem Jover, Paul Eggert, Jonny Grant, DJ Delorie, Matthew House, Oskari Pirhonen, Thorsten Kukuk, Adhemerval Zanella Netto, Zack Weinberg, "G. Branden Robinson", Carlos O'Donell, Xi Ruoyao, Stefan Puiu, Andreas Schwab
Subject: [PATCH v2 2/3] string_copying.7: BUGS: Document strl{cpy,cat}(3)'s performance problems
Message-ID: <20231112112629.13827-4-alx@kernel.org>
X-Mailer: git-send-email 2.42.0

Also point to BUGS from other sections that talk about these functions.

These functions are doomed due to the design decision of mirroring
snprintf(3)'s return value.  They must return strlen(src), which makes
them terribly slow, and vulnerable to DoS if an attacker can control
strlen(src).  A better design would have been to return -1 when
truncating.

Reported-by: Paul Eggert
Cc: Jonny Grant
Cc: DJ Delorie
Cc: Matthew House
Cc: Oskari Pirhonen
Cc: Thorsten Kukuk
Cc: Adhemerval Zanella Netto
Cc: Zack Weinberg
Cc: "G. Branden Robinson"
Cc: Carlos O'Donell
Cc: Xi Ruoyao
Cc: Stefan Puiu
Cc: Andreas Schwab
Cc: Guillem Jover
Signed-off-by: Alejandro Colomar
---
 man7/string_copying.7 | 18 +++++++++++++++++-
 1 file changed, 17 insertions(+), 1 deletion(-)
diff --git a/man7/string_copying.7 b/man7/string_copying.7 index 0254fbba6..cb3910db0 100644 --- a/man7/string_copying.7 +++ b/man7/string_copying.7 @@ -226,9 +226,9 @@ .SS Truncate or not? .IP \[bu] .BR strlcpy (3bsd) and .BR strlcat (3bsd) -are similar, but less efficient when chained. +are similar, but have important performance problems; see BUGS. .IP \[bu] .BR stpncpy (3) and .BR strncpy (3) @@ -417,8 +417,10 @@ .SS Functions the resulting string is truncated (but it is guaranteed to be null-terminated). They return the length of the total string they tried to create. .IP +Check BUGS before using these functions. +.IP .BR stpecpy (3) is a simpler alternative to these functions. .\" ----- DESCRIPTION :: Functions :: stpncpy(3) ----------------------/ .TP @@ -598,8 +600,22 @@ .SH BUGS into normal copy functions, since .I strlen(dst) is usually a byproduct of the previous copy. +.P +.BR strlcpy (3) +and +.BR strlcat (3) +need to read the entire +.I src +string, +even if the destination buffer is small. +This makes them vulnerable to Denial of Service (DoS) attacks +if an attacker can control the length of the +.I src +string. +And if not, +they're still unnecessarily slow. .\" ----- EXAMPLES :: -------------------------------------------------/ .SH EXAMPLES The following are examples of correct use of each of these functions. .\" ----- EXAMPLES :: stpcpy(3) ---------------------------------------/
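Review bot: In the first hunk (@@ -226, "Truncate or not?"), the replacement line "are similar, but have important performance problems; see BUGS." mentions only performance, while the BUGS paragraph this patch adds also describes a Denial of Service exposure. A reader who stops at this bullet will not learn that the concern is security-relevant. Consider wording such as "have important performance and DoS problems; see BUGS". The removed text "less efficient when chained" was also the only place this bullet stated the chaining cost, so confirm that point is still covered by the existing BUGS text.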
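Review bot: In the second hunk (@@ -417, Functions), the added "Check BUGS before using these functions." gives no reason, although the cause sits in the sentence immediately before it: "They return the length of the total string they tried to create." Tying the two together would make the pointer useful without a jump to BUGS, for example by noting that computing this return value requires reading all of src. The cross-reference wording also differs from the first hunk ("see BUGS" there, "Check BUGS" here); pick one form.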
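Review bot: In the third hunk (@@ -598, BUGS), the new paragraph references ".BR strlcpy (3)" and ".BR strlcat (3)", while the context lines of the first hunk refer to the same functions as "strlcpy (3bsd)" and "strlcat (3bsd)"; use one section suffix throughout the page. The paragraph also states that the functions "need to read the entire src string" without saying why. The commit message gives the reason (the return value mirrors snprintf(3), so strlen(src) must be computed), and one sentence to that effect belongs in the page itself, since readers of the manual do not see the commit log. Finally, "And if not, they're still unnecessarily slow." reads as a fragment; consider "Even when the length is not attacker-controlled, they are unnecessarily slow."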