Received: by 10.213.65.68 with SMTP id h4csp439184imn; Tue, 13 Mar 2018 09:05:22 -0700 (PDT) X-Google-Smtp-Source: AG47ELvdvDcnnYCgZ4riahicvvyB8iDbRkp9fOf4tC2j3BQi9FzWS5AmHAYPH6M4tJpqHfcOtCGW X-Received: by 10.98.185.11 with SMTP id z11mr1084394pfe.153.1520957122524; Tue, 13 Mar 2018 09:05:22 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1520957122; cv=none; d=google.com; s=arc-20160816; b=LdDdRh1NnP/gkP7ANIBHzN5D0qX7vsH7TULqQFU/KYcvLKt3aT6iZ7KtvBQrF9YCGU mflOTMAAZeC+gQS8swlernck02G4i4AyWGUlM6PcjNT3d5bFq7BcSTRglb1bdOs1HIZH g3Ar/lcjJmOo+GkUUI2x0mi5PAWDwsdwHxRb4WdLzRZxC7T9M/kebTnVF/DlSXXuLuTM v7Eg1D/VBbipc4tj+9xFdsZ4lIuLrlCYTqoUciCE4b4MgFl5JBqAkMx7FRmn1VsmkT3f bXHDuOyjnh766ZSx5kpL6Q/eKOIGqoptEXY1bpPlldLTkivZXSmic8z/ovOENXEN9FXz Rv7A== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :references:in-reply-to:mime-version:dkim-signature :arc-authentication-results; bh=hskHv6hEAU4bZYudl5M1mR6ov0w4OH9MKF8xdwMhTSo=; b=Aih2+y0c+dMN8FHpC3I/RHPAwxpPrvLqBrrPRYsQCDGco/kPimJQWS57NZN535RW9g Kd8UNDqGCNsFQywp2QbD3L+n74HW2TP/vElw6E2O+CkdJviaYU8KY3Ey4anQb2+yozkx tVAnX2Gs9KTyeHoioFkz4diefijKSOJ65A2BhHRfVllLr5xLwgM9J9hGP7wNhsQWStI5 5ojAUhFWzqiDoZfJtyMtdn5YpAmK9thwWGKOcf1c5W86f90sv3iStvTNXlAqUYYb8P4A wXCLNJ1W7/0dI4MNb4L6qYxlwvhwTP942c/TeXL3PoGUprhFDzqc3DZNCpM8L2v3NLL/ uYfg== ARC-Authentication-Results: i=1; mx.google.com; dkim=fail header.i=@gmail.com header.s=20161025 header.b=HDIbe+A+; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id c193si346192pfc.356.2018.03.13.09.05.03; Tue, 13 Mar 2018 09:05:22 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=fail header.i=@gmail.com header.s=20161025 header.b=HDIbe+A+; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S934510AbeCMQCh (ORCPT + 99 others); Tue, 13 Mar 2018 12:02:37 -0400 Received: from mail-qt0-f176.google.com ([209.85.216.176]:44931 "EHLO mail-qt0-f176.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S932425AbeCMQCe (ORCPT ); Tue, 13 Mar 2018 12:02:34 -0400 Received: by mail-qt0-f176.google.com with SMTP id g60so105527qtd.11 for ; Tue, 13 Mar 2018 09:02:34 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:sender:in-reply-to:references:from:date:message-id :subject:to:cc; bh=hskHv6hEAU4bZYudl5M1mR6ov0w4OH9MKF8xdwMhTSo=; b=HDIbe+A+xZ9IpADqCNxmFhFrpvHsJwW/nbiSCK1vn1kX27WZm8PSgvK5WskZW4aTln 3XnO4nNqlnLmS2VLDvtbDsVJA6ptZEIGtbT77k12f3xJ11wSOZPyevYTJJU9Oq9VzWHL cnojICsmCSdUkCEv9pArNVwmfLW+sSfJPEgZu0gdZzepLutJjvWxmEusyh/QeckpWn4g hvYFJHAXdXYjpQpPfwYlUxFp4T25/XYXLEjRMbnAWLdGTjQl2PPCxP3RfvfEAr67RS5d sGj1XGrA0thWzIvXkKu0BvCHPPqGALid4uWTvOyI3ln25cBNJwRvGkdvcZsU0cjvOF+Q 1Yow== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:sender:in-reply-to:references:from :date:message-id:subject:to:cc; bh=hskHv6hEAU4bZYudl5M1mR6ov0w4OH9MKF8xdwMhTSo=; b=USU0VGDUJLFG94GSixsG3Fighrbvm5yjHeXryEouXILKggycmUa1S2svbDh17Qu4xS rUmmrtXImUiKrxsSplRnVjXAec1mhAtIxpOrULqU0jCEnMTU41RPoCzc5IrZdvgg9TbU f8bMgEJEYqXwV2cqLOJkkany/HQCeciSsXY5pfkq1so9kbQHA4HdfKVc5g/f+YRAPOc4 4Dhp3wj2Osdu5fEJZPAY0YeDF8QFPE/mD1DEcknemQ3eNCXY1/DG2Al7KVuJjZ5BvE8m nLqgDtTnt/4U7Czddl06qMYIvo+W6mAaQJfY09UFoBblD3ZnHn1ijlCf0jPR1QWiGQ+n FCxg== X-Gm-Message-State: AElRT7EE2hIQsWnvtbSqdHlz/MbJ9huefwJc4IldQtK86s0Uo/Gp3s4u sj/iv/+y7SAPDo5wA+awdrjGs4CIa5GsqUC3Ves= X-Received: by 10.200.36.233 with SMTP id t38mr416868qtt.141.1520956953589; Tue, 13 Mar 2018 09:02:33 -0700 (PDT) MIME-Version: 1.0 Received: by 10.12.185.46 with HTTP; Tue, 13 Mar 2018 09:02:32 -0700 (PDT) In-Reply-To: <0ab7c9f6-e677-3bc9-df05-9895870a3c32@rasmusvillemoes.dk> References: <20180313132155.203220-1-arnd@arndb.de> <0ab7c9f6-e677-3bc9-df05-9895870a3c32@rasmusvillemoes.dk> From: Arnd Bergmann Date: Tue, 13 Mar 2018 17:02:32 +0100 X-Google-Sender-Auth: djcNs0Es21ztUb9N2D8IUp82qsU Message-ID: Subject: Re: [PATCH] test_rhashtable: avoid gcc-8 -Wformat-overflow warning To: Rasmus Villemoes Cc: "David S. Miller" , Herbert Xu , Paul Blakey , Martin Sebor , Florian Westphal , Phil Sutter , Tom Herbert , Linux Kernel Mailing List , Andrew Morton Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Tue, Mar 13, 2018 at 3:41 PM, Rasmus Villemoes wrote: > On 2018-03-13 14:21, Arnd Bergmann wrote: >> gcc-8 warns about a code pattern that is used in the newly added >> test_rhashtable code: >> >> lib/test_rhashtable.c: In function 'print_ht': >> lib/test_rhashtable.c:511:21: error: ' >> bucket[' directive writing 8 bytes into a region of size between 1 and 512 [-Werror=format-overflow=] >> sprintf(buff, "%s\nbucket[%d] -> ", buff, i); >> ^~~~~~~~~ >> lib/test_rhashtable.c:511:4: note: 'sprintf' output between 15 and 536 bytes into a destination of size 512 >> sprintf(buff, "%s\nbucket[%d] -> ", buff, i); >> ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ >> >> The problem here is using the same fixed-length buffer as input and output >> of snprintf(), which for an unbounded loop has an actual potential to >> overflow the buffer. The '512' byte length was apparently chosen to >> be "long enough" to prevent that in practice, but without any specific >> guarantees of being the smallest safe size. > > well, 1024 would certainly be enough, because the result is anyway > passed to printk() which formats into a buffer of that size, so anything > more would certainly just be thrown away... I was only worried about overflowing the stack here, not about the output making sense ;-) >> I can see three possible ways to avoid this warning: >> >> - rewrite the code to use pointer arithmetic to forward the buffer, >> rather than copying the buffer itself. This is a more conventional >> use of sprintf(), and it avoids the warning, but is not any more >> safe than the original code. >> - Rewrite the function in a safe way that avoids both the potential >> overflow and the warning. >> - Ask the gcc developers to not warn for this pattern if we consider >> the warning to be inappropriate. >> >> This patch implements the first of the above, as an illustration of >> the problem, and the simplest workaround. > > If you use scnprintf() and forward the printed length you can get rid of > the potential buffer overrun: > > len = 0; > ... > len += scnprintf(buf + len, sizeof(buf) - len, fmt, args...) > > scnprintf has the property that if you pass in a positive value, you get > back something that is strictly less, so with the above pattern, we > might eventually have sizeof(buf)-len==1, so all subsequent scnprintfs > return 0, but we never overflow the buffer. The effect is thus the same > as if you had done all the formatting with a single snprintf() call. Right, that was my second proposal above. Using scnprintf(), that's probably easier than I first thought. > FWIW, I sent an RFC [1] two years ago trying to get rid of all > snprintf(buf, ..., "%s...", buf, ...), because I think it's too fragile > (it obviously breaks horribly if anything precedes the %s with buf as > its argument), but others disagreed and said that the kernel's > vsnprintf() instead should be documented to support that special case of > overlapping src and dst. I don't really recall what happened with the > patches, perhaps some got applied, but if not, maybe gcc-8 will now warn > about those places. > > [1] > https://www.mail-archive.com/linux-kernel@vger.kernel.org/msg1096481.html It looks useful, but not all seem to have landed. I think you are referring to Andrew's feedback in https://www.mail-archive.com/linux-kernel@vger.kernel.org/msg1097554.html here as the concern about whether it did the right thing, but I'm not actually sure what his reply meant. In the case of the analog_name() function that Andrew commented on, Dmitry later fixed the overflow in a different way in commit 10ca4c0a622a ("Input: fix potential overflows in driver/input/joystick"). >> + buffp += sprintf(buffp, "[["); >> do { >> pos = &list->rhead; >> list = rht_dereference(list->next, ht); >> p = rht_obj(ht, pos); >> >> - sprintf(buff, "%s val %d (tid=%d)%s", buff, p->value.id, p->value.tid, >> + buffp += sprintf(buffp, "val %d (tid=%d)%s", p->value.id, p->value.tid, >> list? ", " : " "); > > this removes a space before val, not sure that was intended? It was not, I'll fix it up. Thanks for taking a closer look! Arnd