Re: [PATCH v2] ext4: replace strcpy() with '.' assignment

On May 23, 2025 7:24:49 AM PDT, Theodore Ts'o <tytso@xxxxxxx> wrote:
>On Fri, May 23, 2025 at 01:31:00PM +0100, David Laight wrote:
>> 
>> The compiler (or header files) can also allow strcpy() of constant
>> length strings into arrays (known size), erroring on requests that are too long.
>> The strcpy() is then converted to a memcpy() which can then be optimised
>> into writes of constants.
>> 
>> So using strcpy() under those conditions 'isn't all bad' and can generate
>> better (and less bug prone) code than trying to hand-optimise it.
>> 
>> So even though strcpy() is usually a bad idea, there is no need to
>> remove the calls that the compiler can validate as safe.
>
>I assume that what the hardening folks want to do is to assert that
>strcpy is always evil(tm) so they can detect potential security bugs
>by doing "git grep strcpy".

FWIW, what I'd like is a lack of ambiguity for both humans and compilers. "Get rid of strcpy" is the Big Hammer solution for strcpy. The more precise version is "disallow strcpy of a src or dst where either lacks a compile-time buffer size".

-Kees


-- 
Kees Cook
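
Added example, not code from this thread, from ext4 or from the kernel's fortify-string.h: a small C program that makes the distinction David Laight and Kees draw above concrete. STRCPY_LIT() copies a string literal into an array whose size the compiler knows, so an oversized literal is rejected at compile time (negative array size trick) and the remaining memcpy() of a constant lowers to a few constant stores. copy_bounded() is the case that cannot be validated (pointer destination, run-time source), which is what Kees's "either lacks a compile-time buffer size" rule is meant to flag; it has to carry an explicit bound. set_dot_assign() is the '.' assignment pattern the patch subject refers to, shown next to the checked copy so the two can be compared byte for byte. The struct dirent_like layout, the 8-byte name field and all function and macro names are invented for illustration and are not ext4's on-disk directory entry.

```c
/* Added example: compile-time checkable vs. uncheckable string copies.
 * Not kernel code. Struct layout, sizes and names are assumptions. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* A directory-entry-like record with a fixed-size name field (invented). */
struct dirent_like {
    unsigned short rec_len;
    unsigned char  name_len;
    char           name[8];
};

/*
 * Copy a string literal into an array whose size is known at compile time.
 * Both sizeof() values are constants, so a literal that would not fit makes
 * the inner array type char[-1], which is a compile-time error. For a
 * literal that fits, the whole thing is memcpy() of a constant length, which
 * the compiler lowers to constant stores. Only valid when `lit` is a string
 * literal (or char array) and `dst` is a real array, never a pointer.
 */
#define STRCPY_LIT(dst, lit) \
    memcpy((dst), (lit), \
           sizeof(lit) + 0 * sizeof(char[(sizeof(lit) <= sizeof(dst)) ? 1 : -1]))

/* The pattern from the patch subject: write "." without calling strcpy(). */
static void set_dot_assign(struct dirent_like *de)
{
    de->name[0] = '.';
    de->name[1] = '\0';
    de->name_len = 1;
}

/* The same bytes via the checked literal copy. */
static void set_dot_lit(struct dirent_like *de)
{
    STRCPY_LIT(de->name, ".");
    de->name_len = 1;
}

/*
 * The case no compiler can validate: dst is a bare pointer and src is
 * run-time data, so neither side has a compile-time size. The only defence
 * is an explicit bound. Returns 0 on success, -1 if the copy would overflow
 * (including the NUL terminator).
 */
static int copy_bounded(char *dst, size_t dst_size, const char *src)
{
    size_t n = strlen(src);

    if (dst_size == 0 || n >= dst_size)
        return -1;
    memcpy(dst, src, n + 1);
    return 0;
}

/* Returns 1 if the assignment form and the checked copy agree byte for byte. */
static int dot_variants_agree(void)
{
    struct dirent_like a, b;

    memset(&a, 0, sizeof a);
    memset(&b, 0, sizeof b);
    set_dot_assign(&a);
    set_dot_lit(&b);
    return memcmp(a.name, b.name, sizeof a.name) == 0 &&
           a.name_len == b.name_len;
}

int main(void)
{
    char small[4];

    printf("'.' assignment == checked literal copy: %d\n", dot_variants_agree());
    printf("copy_bounded(\"abc\")  -> %d\n", copy_bounded(small, sizeof small, "abc"));
    printf("copy_bounded(\"abcd\") -> %d\n", copy_bounded(small, sizeof small, "abcd"));
    /* Uncommenting the next line is a build failure, not a runtime bug:
     * STRCPY_LIT(small, "too long for 4"); */
    return 0;
}
```

The point of the two halves is that STRCPY_LIT() only works because both operands have a compile-time size; the moment either side is a pointer, sizeof() stops meaning "buffer size" and you are back in copy_bounded() territory, which is exactly the class of call site a "git grep strcpy" audit or a compiler diagnostic should flag.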