[Semibug] Potential danger of strlcpy

Mike O'Connor mjo at dojo.mi.org
Wed Nov 20 06:03:53 EST 2019


:From our discussion tonight: it can be dangerous to replace strncpy() calls
:with strlcpy() in a kernel setting [1].  The problem is that since strlcpy()
:doesn't zero out the remainder of a string buffer like strncpy(), it can lead
:to inadvertent leaks of data from the kernel.  If that unzeroed section of
:memory happens to contain internal kernel memory addresses, it could be used to
:help defeat ASLR.
:
:[1] https://twitter.com/grsecurity/status/1082957293489147904

FWIW, strlcpy doesn't zero out the remainder of the string buffer for
performance reasons.  zero-filling has a non-zero cost.  

In general, strlcpy won't really help you if you're not checking its
return value (assuming you can ascertain what to check against).

I'm amused that you're citing a Linux security guru, when strlcpy has
BSD history and is still verboten in glibc.  :)


-Mike

-- 
 Michael J. O'Connor                                          mjo at dojo.mi.org
 =--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--=
"I go to school, but I never learn what I want to know."              -Calvin
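The difference the thread is arguing about, as an added example that is not part of the original post or the grsecurity tweet: a fixed-size buffer is pre-filled with a stand-in for stale memory, then filled with a short name via strncpy() and via strlcpy(), and the bytes left after the terminating NUL are counted. Because glibc has historically not shipped strlcpy(), the block carries a local reimplementation (my_strlcpy, following the OpenBSD contract); the 0xAA fill pattern and the "eth0" input are constructed for the demo, and the "checked" variant shows the return-value test Mike mentions plus the explicit zeroing you need if the whole buffer is later copied out to userland.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define BUF_SZ 16

/* Local reimplementation of the OpenBSD strlcpy() contract (added here
 * because glibc historically lacks it): copy at most size-1 bytes, always
 * NUL-terminate when size > 0, return strlen(src) so the caller can detect
 * truncation, and never touch anything past the terminating NUL. */
size_t my_strlcpy(char *dst, const char *src, size_t size)
{
    size_t srclen = strlen(src);
    if (size != 0) {
        size_t n = srclen < size - 1 ? srclen : size - 1;
        memcpy(dst, src, n);
        dst[n] = '\0';
    }
    return srclen;
}

/* Stand-in for stale memory (constructed pattern): think of whatever the
 * previous user of the same slab object left behind, pointers included. */
static void fill_stale(char *buf, size_t n)
{
    memset(buf, 0xAA, n);
}

/* Count nonzero bytes after the first NUL. If the enclosing struct is later
 * copied to userland as a whole, these bytes are the leak. Returns n when
 * no NUL is present at all (unterminated: the entire buffer is suspect). */
size_t residue_after_nul(const char *buf, size_t n)
{
    const char *nul = memchr(buf, '\0', n);
    size_t residue = 0;
    if (nul == NULL)
        return n;
    for (const char *p = nul + 1; p < buf + n; p++)
        if (*p != '\0')
            residue++;
    return residue;
}

/* strncpy() pads the remainder with NULs (but does NOT terminate when
 * src is n bytes or longer, which is its own well-known hazard). */
size_t copy_with_strncpy(char *buf, size_t n, const char *src)
{
    fill_stale(buf, n);
    strncpy(buf, src, n);
    return residue_after_nul(buf, n);
}

/* strlcpy() terminates, but everything after the NUL is left as it was. */
size_t copy_with_strlcpy(char *buf, size_t n, const char *src)
{
    fill_stale(buf, n);
    my_strlcpy(buf, src, n);
    return residue_after_nul(buf, n);
}

/* What a strncpy -> strlcpy conversion should look like when the buffer is
 * exported: test the return value for truncation, then scrub the tail
 * yourself, since strlcpy will not. Returns -1 on truncation, 0 on success. */
int copy_with_strlcpy_checked(char *buf, size_t n, const char *src)
{
    size_t len;
    fill_stale(buf, n);
    len = my_strlcpy(buf, src, n);
    if (len >= n)
        return -1;                          /* only n-1 bytes were copied */
    memset(buf + len + 1, 0, n - len - 1);  /* zero the remainder explicitly */
    return 0;
}

int main(void)
{
    char buf[BUF_SZ];
    const char *name = "eth0";              /* constructed sample input */

    printf("strncpy residue: %zu bytes\n", copy_with_strncpy(buf, sizeof buf, name));
    printf("strlcpy residue: %zu bytes\n", copy_with_strlcpy(buf, sizeof buf, name));
    printf("checked strlcpy: rc=%d residue=%zu\n",
           copy_with_strlcpy_checked(buf, sizeof buf, name),
           residue_after_nul(buf, sizeof buf));
    printf("checked strlcpy, oversized input: rc=%d\n",
           copy_with_strlcpy_checked(buf, sizeof buf, "a-name-that-is-too-long"));
    return 0;
}
```

With a 16-byte buffer and the 4-byte name, strncpy leaves 0 stale bytes and strlcpy leaves 11, which is exactly the remainder the tweet warns would ride along in a copy_to_user of the whole struct. The checked variant either scrubs that tail or reports truncation so the caller can refuse the input instead of silently exporting a clipped name.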