On Thu, Aug 27, 2020 at 9:30 PM Kees Cook keescook@chromium.org wrote:
On Thu, Aug 27, 2020 at 11:59:24AM +0300, Andy Shevchenko wrote:
strcpy() is not a bad API for the cases when you know what you are doing. A problem that most of the developers do not know what they are doing. No need to split everything to bad and good by its name or semantics, each API has its own pros and cons and programmers must use their brains.
I equate "unsafe" or "fragile" with "bad". There's no reason to use our brains for remembering what's safe or not when we can just remove unsafe things from the available APIs, and/or lean on the compiler to help (e.g. CONFIG_FORTIFY_SOURCE).
Most of the uses of strcpy() in the kernel are just copying between two known-at-compile-time NUL-terminated character arrays. We had wanted to introduce stracpy() for this, but Linus objected to yet more string functions. So for now, I'm aimed at removing strlcpy() completely first, then look at strcpy() -> strscpy() for cases where target size is NOT compile-time known, and then to convert the kernel's strcpy() into _requiring_ that source/dest lengths are known at compile time.
And then tackle strncpy(), which is a mess.
In general it's better to have a robust API, but what may go wrong with the interface where we have no length of the buffer passed, but we all know that it's PAGE_SIZE? So, what's wrong with doing something like strcpy(buf, "Yes, we know we won't overflow here\n"); ?