| author | Linus Torvalds <torvalds@linux-foundation.org> | 2026-06-19 14:56:45 -0700 |
|---|---|---|
| committer | Linus Torvalds <torvalds@linux-foundation.org> | 2026-06-19 14:56:45 -0700 |
| commit | 1a3746ccbb0a97bed3c06ccde6b880013b1dddc1 (patch) | |
| tree | ca6f73c603b70a638e7f3e0dd93c8158812676d1 /Documentation | |
| parent | a975094bf98ca97be9146f9d3b5681a6f9cf5ce3 (diff) | |
| parent | 079a028d6327e68cfa5d38b36123637b321c19a7 (diff) | |
| download | ath-1a3746ccbb0a97bed3c06ccde6b880013b1dddc1.tar.gz | |

Merge tag 'strncpy-removal-v7.2-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux

Pull strncpy removal from Kees Cook:

 - Remove the per-arch strncpy implementations in alpha, m68k, powerpc,
   x86, and xtensa

 - Remove strncpy API

Over the last 6 years working on strncpy removal there were 362
commits by 70 contributors. Folks with more than 1 commit were:
211 Justin Stitt <justinstitt@google.com>
22 Xu Panda <xu.panda@zte.com.cn>
21 Kees Cook <kees@kernel.org>
17 Thorsten Blum <thorsten.blum@linux.dev>
12 Arnd Bergmann <arnd@arndb.de>
4 Pranav Tyagi <pranav.tyagi03@gmail.com>
4 Lee Jones <lee@kernel.org>
2 Steven Rostedt <rostedt@goodmis.org>
2 Sam Ravnborg <sam@ravnborg.org>
2 Marcelo Moreira <marcelomoreira1905@gmail.com>
2 Krzysztof Kozlowski <krzk@kernel.org>
2 Kalle Valo <kvalo@kernel.org>
2 Jaroslav Kysela <perex@perex.cz>
2 Daniel Thompson <danielt@kernel.org>
2 Andrew Lunn <andrew@lunn.ch>
* tag 'strncpy-removal-v7.2-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux:
string: Remove strncpy() from the kernel
xtensa: Remove arch-specific strncpy() implementation
x86: Remove arch-specific strncpy() implementation
powerpc: Remove arch-specific strncpy() implementation
m68k: Remove arch-specific strncpy() implementation
alpha: Remove arch-specific strncpy() implementation
Diffstat (limited to 'Documentation')
| -rw-r--r-- | Documentation/process/deprecated.rst | 43 |
1 files changed, 24 insertions, 19 deletions
diff --git a/Documentation/process/deprecated.rst b/Documentation/process/deprecated.rst index 03de71f654c76..22a5e62c92eaf 100644 --- a/Documentation/process/deprecated.rst +++ b/Documentation/process/deprecated.rst 
@@ -131,27 +131,32 @@ value of strcpy() was used, since strscpy() does not return a pointer to the destination, but rather a count of non-NUL bytes copied (or negative errno when it truncates). -strncpy() on NUL-terminated strings ------------------------------------ -Use of strncpy() does not guarantee that the destination buffer will -be NUL terminated. This can lead to various linear read overflows and -other misbehavior due to the missing termination. It also NUL-pads -the destination buffer if the source contents are shorter than the -destination buffer size, which may be a needless performance penalty -for callers using only NUL-terminated strings. +strncpy() +--------- +strncpy() has been removed from the kernel. All former callers have +been migrated to safer alternatives. + +strncpy() did not guarantee NUL-termination of the destination buffer, +leading to linear read overflows and other misbehavior. It also +unconditionally NUL-padded the destination, which was a needless +performance penalty for callers using only NUL-terminated strings. Due +to its various behaviors, it was an ambiguous API for determining what +an author's true intent was for the copy. -When the destination is required to be NUL-terminated, the replacement is -strscpy(), though care must be given to any cases where the return value -of strncpy() was used, since strscpy() does not return a pointer to the -destination, but rather a count of non-NUL bytes copied (or negative -errno when it truncates). Any cases still needing NUL-padding should -instead use strscpy_pad(). +The replacements for strncpy() are: -If a caller is using non-NUL-terminated strings, strtomem() should be -used, and the destinations should be marked with the `__nonstring -<https://gcc.gnu.org/onlinedocs/gcc/Common-Variable-Attributes.html>`_ -attribute to avoid future compiler warnings. For cases still needing -NUL-padding, strtomem_pad() can be used. +- strscpy() when the destination must be NUL-terminated. 
+- strscpy_pad() when the destination must be NUL-terminated and + zero-padded (e.g., structs crossing privilege boundaries). +- memtostr() for NUL-terminated destinations from non-NUL-terminated + fixed-width sources (with the `__nonstring` attribute on the source). +- memtostr_pad() for the same, but with zero-padding. +- strtomem() for non-NUL-terminated fixed-width destinations, with + the `__nonstring` attribute on the destination. +- strtomem_pad() for non-NUL-terminated destinations that also need + zero-padding. +- memcpy_and_pad() for bounded copies from potentially unterminated + sources where the destination size is a runtime value. strlcpy() --------- |
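
Review bot: In the new replacement list, `__nonstring` is written with single backticks in the memtostr() and strtomem() bullets, which reStructuredText treats as interpreted text (default role) rather than an inline literal, and the hyperlink to the GCC Common-Variable-Attributes page that the removed paragraph carried is gone. Suggest either ``__nonstring`` with double backticks or restoring the link form the old text used. Separately, the rewritten section drops the caveat that strscpy() "does not return a pointer to the destination, but rather a count of non-NUL bytes copied (or negative errno when it truncates)". The strcpy() section above still says it, but someone converting leftover strncpy() callers will land on this section, so a short clause on the strscpy() bullet about checking any use of the old return value would keep that warning where it is needed. It would also help to say in the memcpy_and_pad() bullet whether the result is NUL-terminated, since every other bullet states the termination property of its destination explicitly.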
