Add support for rlbox::strncpy

shravanrn · shravanrn · commit 69306c5b93f5 · 2025-07-28T03:34:50.000-05:00
diff --git a/code/include/rlbox_stdlib.hpp b/code/include/rlbox_stdlib.hpp
@@ -141,9 +141,9 @@ static constexpr bool can_type_be_memcopied =
   std::is_same_v<char16_t, std::remove_cv_t<T>> || std::is_same_v<short, std::remove_cv_t<T>>;
 
 /**
- * @brief Copy to sandbox memory area. Note that memcpy is meant to be called on
- * byte arrays does not adjust data according to ABI differences. If the
- * programmer does accidentally call memcpy on buffers that needs ABI
+ * @brief Copy buffer to sandbox memory area. Note that memcpy is meant to be
+ * called on byte arrays does not adjust data according to ABI differences. If
+ * the programmer does accidentally call memcpy on buffers that needs ABI
  * adjustment, this may cause compatibility issues, but will not cause a
  * security issue as the destination is always a tainted or tainted_volatile
  * pointer
@@ -184,6 +184,50 @@ inline T_Wrap<T_Rhs*, T_Sbx> memcpy(rlbox_sandbox<T_Sbx>& sandbox,
   return dest;
 }
 
+/**
+ * @brief Copy string to sandbox memory area. Note that memcpy is meant to be
+ * called on byte arrays does not adjust data according to ABI differences. If
+ * the programmer does accidentally call memcpy on buffers that needs ABI
+ * adjustment, this may cause compatibility issues, but will not cause a
+ * security issue as the destination is always a tainted or tainted_volatile
+ * pointer
+ */
+template<typename T_Sbx,
+         typename T_Rhs,
+         typename T_Lhs,
+         typename T_Num,
+         template<typename, typename>
+         typename T_Wrap>
+inline T_Wrap<T_Rhs*, T_Sbx> strncpy(rlbox_sandbox<T_Sbx>& sandbox,
+                                    T_Wrap<T_Rhs*, T_Sbx> dest,
+                                    T_Lhs src,
+                                    T_Num num)
+{
+
+  static_assert(detail::rlbox_is_tainted_or_vol_v<T_Wrap<T_Rhs, T_Sbx>>,
+                "strncpy called on non wrapped type");
+
+  static_assert(!std::is_const_v<T_Rhs>, "Destination is const");
+
+  auto num_val = detail::unwrap_value(num);
+  detail::dynamic_check(num_val <= sandbox.get_total_memory(),
+                        "Called strncpy for memory larger than the sandbox");
+
+  tainted<T_Rhs*, T_Sbx> dest_tainted = dest;
+  char* dest_start = dest_tainted.INTERNAL_unverified_safe();
+  detail::check_range_doesnt_cross_app_sbx_boundary<T_Sbx>(dest_start, num_val);
+
+  // src also needs to be checked, as we don't want to allow a src rand to start
+  // inside the sandbox and end outside, and vice versa
+  // src may or may not be a wrapper, so use unwrap_value
+  const char* src_start = detail::unwrap_value(src);
+  detail::check_range_doesnt_cross_app_sbx_boundary<T_Sbx>(src_start, num_val);
+
+  std::strncpy(dest_start, src_start, num_val);
+
+  return dest;
+}
+
 /**
  * @brief Compare data in sandbox memory area.
  */
diff --git a/code/tests/rlbox/test_stdlib.cpp b/code/tests/rlbox/test_stdlib.cpp
@@ -131,22 +131,29 @@ TEST_CASE("test memcpy", "[stdlib]")
 
   const uint32_t max32Val = 0xFFFFFFFF;
 
-  auto dest = sandbox.malloc_in_sandbox<unsigned int>(12); // NOLINT
-  auto dest_fifth = dest + 4;
+  /////////////// Check with a tainted source
 
-  // tainted src
+  // Alloc and zero initialize 12 int dest buffer
+  auto dest = sandbox.malloc_in_sandbox<unsigned int>(12); // NOLINT
   for (int i = 0; i < 12; i++) { // NOLINT
     *(dest + i) = 0;
   }
+
+  // Alloc and max initialize 12 int src buffer
   auto src = sandbox.malloc_in_sandbox<unsigned int>(12); // NOLINT
-  auto src_fifth = src + 4;
   for (int i = 0; i < 12; i++) { // NOLINT
     *(src + i) = max32Val;
   }
+
+  auto dest_fifth = dest + 4;
+  auto src_fifth = src + 4;
+
   memcpy(sandbox,
          dest_fifth,
          src_fifth,
          sizeof(tainted<unsigned int, TestSandbox>) * 4);
+
+  // Check that destination looks as expected
   for (int i = 0; i < 4; i++) { // NOLINT
     REQUIRE(*((dest + i).UNSAFE_unverified()) == 0);
   }
@@ -157,16 +164,26 @@ TEST_CASE("test memcpy", "[stdlib]")
     REQUIRE(*((dest + i).UNSAFE_unverified()) == 0);
   }
 
-  // untainted src
+  /////////////// Check with a untainted source
+
+  // zero initialize 12 int dest buffer
+  for (int i = 0; i < 12; i++) { // NOLINT
+    *(dest + i) = 0;
+  }
+
+  // Alloc and max initialize 12 int untainted src buffer
   unsigned int* src2 = new unsigned int[12]; // NOLINT
-  auto src2_fifth = src2 + 4;                // NOLINT
   for (int i = 0; i < 12; i++) {             // NOLINT
     *(src2 + i) = max32Val;                  // NOLINT
   }
+
+  auto src2_fifth = src2 + 4;                // NOLINT
   memcpy(sandbox,
          dest_fifth,
          src2_fifth,
          sizeof(tainted<unsigned int, TestSandbox>) * 4);
+
+  // Check that destination looks as expected
   for (int i = 0; i < 4; i++) { // NOLINT
     REQUIRE(*((dest + i).UNSAFE_unverified()) == 0);
   }
@@ -184,6 +201,72 @@ TEST_CASE("test memcpy", "[stdlib]")
   sandbox.destroy_sandbox();
 }
 
+// NOLINTNEXTLINE
+TEST_CASE("test strncpy", "[stdlib]")
+{
+  rlbox::rlbox_sandbox<TestSandbox> sandbox;
+  sandbox.create_sandbox();
+
+  const uint32_t max32Val = 0xFFFFFFFF;
+
+  /////////////// Check with a tainted source
+
+  // Alloc and zero initialize dest string
+  auto dest = sandbox.malloc_in_sandbox<char>(12); // NOLINT
+  for (int i = 0; i < 12; i++) { // NOLINT
+    *(dest + i) = 0;
+  }
+
+  // Alloc and max initialize src string
+  auto src = sandbox.malloc_in_sandbox<char>(12); // NOLINT
+  memcpy(src.unverified_safe_pointer_because(12, "Known size"), "Hello", 6);
+
+  strncpy(sandbox,
+         dest,
+         src,
+         12);
+
+  // Check that destination looks as expected
+  REQUIRE(
+    strncmp(
+      dest.unverified_safe_pointer_because(12, "Known size"),
+      src.unverified_safe_pointer_because(12, "Known size"),
+      6
+    ) == 0
+  );
+
+  /////////////// Check with an untainted source
+
+  // zero initialize dest string
+  for (int i = 0; i < 12; i++) { // NOLINT
+    *(dest + i) = 0;
+  }
+
+  // Alloc and max initialize src string
+  auto src2 = new char[12]; // NOLINT
+  memcpy(src2, "Hello", 6);
+
+  strncpy(sandbox,
+         dest,
+         src,
+         12);
+
+  // Check that destination looks as expected
+  REQUIRE(
+    strncmp(
+      dest.unverified_safe_pointer_because(12, "Known size"),
+      src2,
+      6
+    ) == 0
+  );
+
+  delete[] src2; // NOLINT
+  sandbox.free_in_sandbox(src);
+  sandbox.free_in_sandbox(dest);
+
+  sandbox.destroy_sandbox();
+}
+
 static int normalize(int a)
 {
   if (a > 0) {
