From patchwork Sun Nov 12 09:18:00 2023
X-Patchwork-Submitter: Alejandro Colomar
X-Patchwork-Id: 79628
Date: Sun, 12 Nov 2023 10:18:00 +0100
From: Alejandro Colomar
To: linux-man@vger.kernel.org
Cc: Alejandro Colomar, libc-alpha@sourceware.org, Paul Eggert, Jonny Grant, DJ Delorie, Matthew House, Oskari Pirhonen, Thorsten Kukuk, Adhemerval Zanella Netto, Zack Weinberg, "G. Branden Robinson", Carlos O'Donell, Xi Ruoyao, Stefan Puiu, Andreas Schwab
Subject: [PATCH 1/2] string_copying.7: BUGS: *cat(3) functions aren't always bad
Message-ID: <20231112091748.6906-3-alx@kernel.org>

The compiler will sometimes optimize them to normal *cpy(3) functions, since the length of dst is usually known, if the previous *cpy(3) is visible to the compiler. And they provide for cleaner code. If you know that they'll get optimized, you could use them.

Cc: Paul Eggert
Cc: Jonny Grant
Cc: DJ Delorie
Cc: Matthew House
Cc: Oskari Pirhonen
Cc: Thorsten Kukuk
Cc: Adhemerval Zanella Netto
Cc: Zack Weinberg
Cc: "G. Branden Robinson"
Cc: Carlos O'Donell
Cc: Xi Ruoyao
Cc: Stefan Puiu
Cc: Andreas Schwab
Signed-off-by: Alejandro Colomar
---
 man7/string_copying.7 | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/man7/string_copying.7 b/man7/string_copying.7 index 1637ebc91..0254fbba6 100644 --- a/man7/string_copying.7 +++ b/man7/string_copying.7 
@@ -592,8 +592,14 @@ .SH BUGS All catenation functions share the same performance problem: .UR https://www.joelonsoftware.com/\:2001/12/11/\:back\-to\-basics/ Shlemiel the painter .UE . +As a mitigation, +compilers are able to transform some calls to catenation functions +into normal copy functions, +since +.I strlen(dst) +is usually a byproduct of the previous copy. .\" ----- EXAMPLES :: -------------------------------------------------/ .SH EXAMPLES The following are examples of correct use of each of these functions. .\" ----- EXAMPLES :: stpcpy(3) ---------------------------------------/

From patchwork Sun Nov 12 09:18:05 2023
X-Patchwork-Submitter: Alejandro Colomar
X-Patchwork-Id: 79627
Date: Sun, 12 Nov 2023 10:18:05 +0100
From: Alejandro Colomar
To: linux-man@vger.kernel.org
Cc: Alejandro Colomar, libc-alpha@sourceware.org, Paul Eggert, Jonny Grant, DJ Delorie, Matthew House, Oskari Pirhonen, Thorsten Kukuk, Adhemerval Zanella Netto, Zack Weinberg, "G. Branden Robinson", Carlos O'Donell, Xi Ruoyao, Stefan Puiu, Andreas Schwab
Subject: [PATCH 2/2] string_copying.7: BUGS: Document strl{cpy,cat}(3)'s performance problems
Message-ID: <20231112091748.6906-4-alx@kernel.org>

Also point to BUGS from other sections that talk about these functions.

These functions are doomed due to the design decision of mirroring snprintf(3)'s return value. They must return strlen(src), which makes them terribly slow, and vulnerable to DoS if an attacker can control strlen(src). A better design would have been to return -1 when truncating.

Reported-by: Paul Eggert
Cc: Jonny Grant
Cc: DJ Delorie
Cc: Matthew House
Cc: Oskari Pirhonen
Cc: Thorsten Kukuk
Cc: Adhemerval Zanella Netto
Cc: Zack Weinberg
Cc: "G. Branden Robinson"
Cc: Carlos O'Donell
Cc: Xi Ruoyao
Cc: Stefan Puiu
Cc: Andreas Schwab
Signed-off-by: Alejandro Colomar
---
 man7/string_copying.7 | 18 +++++++++++++++++-
 1 file changed, 17 insertions(+), 1 deletion(-)

diff --git a/man7/string_copying.7 b/man7/string_copying.7 index 0254fbba6..cb3910db0 100644 --- a/man7/string_copying.7 +++ b/man7/string_copying.7 @@ -226,9 +226,9 @@ .SS Truncate or not? .IP \[bu] .BR strlcpy (3bsd) and .BR strlcat (3bsd) -are similar, but less efficient when chained. +are similar, but have important performance problems; see BUGS. .IP \[bu] .BR stpncpy (3) and .BR strncpy (3) @@ -417,8 +417,10 @@ .SS Functions the resulting string is truncated (but it is guaranteed to be null-terminated). They return the length of the total string they tried to create. .IP +Check BUGS before using these functions. +.IP .BR stpecpy (3) is a simpler alternative to these functions. .\" ----- DESCRIPTION :: Functions :: stpncpy(3) ----------------------/ .TP @@ -598,8 +600,22 @@ .SH BUGS into normal copy functions, since .I strlen(dst) is usually a byproduct of the previous copy. +.P +.BR strlcpy (3) +and +.BR strlcat (3) +need to read the entire +.I src +string, +even if the destination buffer is small. +This makes them vulnerable to Denial of Service (DoS) attacks +if an attacker can control the length of the +.I src +string. +And if not, +they're still unnecessarily slow. .\" ----- EXAMPLES :: -------------------------------------------------/ .SH EXAMPLES The following are examples of correct use of each of these functions. .\" ----- EXAMPLES :: stpcpy(3) ---------------------------------------/
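
Review bot: the BUGS sentence added in [PATCH 1/2] (hunk @@ -592,8 +592,14 @@) leaves out the condition the commit message states, that the transformation happens only "if the previous *cpy(3) is visible to the compiler". As written, "compilers are able to transform some calls" gives readers no way to tell which calls qualify, so the Shlemiel cost can be assumed away where it still applies. Suggest adding the visibility condition to the sentence, and saying that calls which are not transformed keep the cost described just above it.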
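
Review bot: in [PATCH 2/2], hunk @@ -226,9 +226,9 @@, the new wording "have important performance problems; see BUGS" names only performance, while the BUGS paragraph added by the same patch describes exposure to Denial of Service when an attacker controls the length of src. Suggest wording the pointer so the security aspect is visible from this list as well, for example "have important performance and security problems; see BUGS".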
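
Review bot: in [PATCH 2/2], hunk @@ -598,8 +600,22 @@, the added paragraph says the functions "need to read the entire src string" but not why; the commit message has the reason (they must return strlen(src)), and one sentence of it belongs in the page. The paragraph also writes strlcpy (3) and strlcat (3), whereas the context lines of the @@ -226,9 +226,9 @@ hunk in this same patch use (3bsd) for both; pick one section suffix. A pointer to stpecpy(3), which the @@ -417,8 +417,10 @@ context already names as a simpler alternative, would tell readers what to use instead.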
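
The cost described in the [PATCH 2/2] commit message, measured in an added example that is not part of the patch or of the man-pages project. ex_strlcpy, ex_copy_trunc and ex_cost are hypothetical names: the first follows the strlcpy(3) contract of returning strlen(src), the second the "return -1 when truncating" design the message proposes, and the source string is constructed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
static size_t bytes_read;   /* src bytes examined by the last copy */

/* strlcpy(3)-style contract: the return value is always strlen(src). */
size_t ex_strlcpy(char *dst, const char *src, size_t dsize)
{
    size_t i;
    for (i = 0, bytes_read = 1; src[i] != '\0'; i++, bytes_read++)
        if (i + 1 < dsize)
            dst[i] = src[i];    /* copying stops at dsize, the scan does not */
    if (dsize > 0)
        dst[i < dsize ? i : dsize - 1] = '\0';
    return i;
}

/* Return -1 on truncation instead; never reads more than dsize bytes. */
ssize_t ex_copy_trunc(char *dst, const char *src, size_t dsize)
{
    bytes_read = 0;
    for (size_t i = 0; i < dsize; i++) {
        bytes_read++;
        if ((dst[i] = src[i]) == '\0')
            return (ssize_t)i;
    }
    if (dsize > 0)
        dst[dsize - 1] = '\0';
    return -1;
}

/* Copy a constructed src of src_len 'A' bytes into an 8-byte buffer and
 * report how many src bytes the chosen function had to read. */
size_t ex_cost(int use_strlcpy, size_t src_len)
{
    char dst[8], *src = calloc(src_len + 1, 1);
    if (src == NULL) return 0;
    memset(src, 'A', src_len);
    if (use_strlcpy) ex_strlcpy(dst, src, sizeof dst);
    else             ex_copy_trunc(dst, src, sizeof dst);
    free(src);
    return bytes_read;
}

int main(void)
{
    printf("%zu vs %zu src bytes read\n", ex_cost(1, 1000000), ex_cost(0, 1000000));
    return 0;
}
```

With an 8-byte destination the strlcpy-style copy still reads every byte of src, so the work grows with whatever length the caller of the interface supplies, while the truncating design is bounded by the buffer size.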