Linux 7.2 Closes Memory Bug Class With strncpy Removal After Six Years

https://www.techtimes.com/articles/318769/20260621/linux-72-closes-memory-bug-class-strncpy-removal-after-six-years.htm

Publish Date: 2026-06-21 06:09:00

Source Domain: www.techtimes.com

Linux 7.2’s merge window closed out a cleanup campaign on Friday that most kernel developers had stopped expecting to see end: the complete removal of strncpy(), a C string-copy function that the kernel’s own documentation labels “actively dangerous,” from every subsystem, driver, and architecture-specific file in the kernel source tree. The merge landed June 20, 2026. After around 362 commits spread across six years of incremental work, no call site using the function remained, and the function itself — including the last per-CPU-architecture optimized implementations — was struck from the source.

The removal matters beyond housekeeping. strncpy() is a persistent source of a specific class of memory error: kernel buffers that contain sensitive data can leak bytes past an unterminated string boundary, a pattern that enables memory disclosure vulnerabilities. Eliminating the function from the tree removes that entire class from the kernel’s attack surface — and, critically, makes strncpy() unavailable to any future contributor, turning a best-practice suggestion into an enforced policy.

Why strncpy Was a Persistent Bug Source

The function’s problem is architectural. strncpy() copies up to a specified number of bytes from a source buffer to a destination buffer — but it does not guarantee that the destination will be NUL-terminated if the source string reaches or exceeds the byte limit. A developer who copies a string of exactly N bytes into an N-byte destination with strncpy() gets a buffer with no terminating null character. Any code that subsequently reads that buffer as a C string will continue past the end of the allocated region until it hits a null byte — reading whatever kernel memory happens to follow.

The opposite behavior is equally counterproductive. When the source string is shorter than the limit, strncpy() zero-fills the entire remaining destination buffer. For a 256-byte destination holding a 10-byte string, that…
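Both strncpy() behaviors described above, as an added C example that is not from the article or the kernel tree: an exact-fit copy that leaves the destination without a terminator, and a short copy that zero-fills the rest of the buffer. `bounded_copy()` is a hypothetical helper written for this example, and the input strings are constructed.

```c
#include <stdio.h>
#include <string.h>

/* strncpy() into an 8-byte destination: returns 1 if the destination
 * ended up NUL-terminated, 0 if it did not. */
static int strncpy_result_terminated(const char *src)
{
    char dst[8];
    memset(dst, 'X', sizeof(dst));            /* stand-in for stale contents */
    strncpy(dst, src, sizeof(dst));
    return memchr(dst, '\0', sizeof(dst)) != NULL;  /* search stays in bounds */
}

/* strncpy() into a 256-byte destination: counts the zero bytes it wrote. */
static size_t strncpy_zero_bytes(const char *src)
{
    char dst[256];
    size_t i, zeros = 0;
    memset(dst, 'X', sizeof(dst));
    strncpy(dst, src, sizeof(dst));
    for (i = 0; i < sizeof(dst); i++)
        zeros += (dst[i] == '\0');
    return zeros;
}

/* Hypothetical helper (an assumption of this example): copies at most
 * size-1 bytes, always terminates dst, returns length or -1 if truncated. */
static long bounded_copy(char *dst, const char *src, size_t size)
{
    size_t len;
    if (size == 0)
        return -1;
    for (len = 0; len < size - 1 && src[len] != '\0'; len++)
        dst[len] = src[len];
    dst[len] = '\0';
    return src[len] == '\0' ? (long)len : -1;
}

int main(void)
{
    char dst[8];
    long ret = bounded_copy(dst, "ABCDEFGH", sizeof(dst));  /* constructed input */
    printf("strncpy, 8 chars into 8 bytes, terminated: %d\n",
           strncpy_result_terminated("ABCDEFGH"));
    printf("strncpy, 10 chars into 256 bytes, zero bytes: %zu\n",
           strncpy_zero_bytes("0123456789"));
    printf("bounded_copy: ret=%ld dst=\"%s\"\n", ret, dst);
    return 0;
}
```

The termination check uses memchr() bounded by the buffer size, so the demonstration never reads past the destination the way a string function would.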
