Re: [PATCH v2] x86/tdx: replace deprecated strncpy with strtomem_pad
From: Kees Cook
Date: Sat Feb 10 2024 - 02:19:29 EST
On Wed, Feb 07, 2024 at 04:03:35PM +0200, Andy Shevchenko wrote:
> On Wed, Oct 04, 2023 at 09:32:54AM +0200, Ingo Molnar wrote:
>
> ...
>
> > > Note: Ingo Molnar has some concerns about the comment being out of sync
> > > [1] but I believe the comment still has a place as we can still
> > > theoretically copy 64 bytes into our destination buffer without a
> > > NUL-byte. The extra information about the 65th byte being NUL may serve
> > > helpful to future travelers of this code. What do we think? I can drop
> > > the comment in a v3 if needed.
> >
> > > /* VMM assumes '\0' in byte 65, if the message took all 64 bytes */
> > > - strncpy(message.str, msg, 64);
> > > + strtomem_pad(message.str, msg, '\0');
> >
> > My concern was that with the old code it was obvious that the size
> > of message.str was 64 bytes - but I judged this based on the
> > patch context alone, which seemingly lost context due to the change.
> >
> > In reality it's easy to see it when reading the code, because the
> > length definition is right before the code:
> >
> > union {
> > /* Define register order according to the GHCI */
> > struct { u64 r14, r15, rbx, rdi, rsi, r8, r9, rdx; };
> >
> > char str[64];
> > ^^^^^^^^^^^^^
> > } message;
> >
> > /* VMM assumes '\0' in byte 65, if the message took all 64 bytes */
> > strtomem_pad(message.str, msg, '\0');
>
> This comment and size of union seems not in agreement.
It does agree -- the comment could be more clear.
> How does the previous code work if message indeed takes 64 bytes?
> By luck?
It's saying "the non-existent 65th byte is assumed to be %NUL". As in,
this is treated as a C string, even if it uses all 64 bytes.
--
Kees Cook