Received: by 2002:a05:7412:5112:b0:fa:6e18:a558 with SMTP id fm18csp1668131rdb; Thu, 25 Jan 2024 02:36:40 -0800 (PST) X-Google-Smtp-Source: AGHT+IFx4zbGmAzwxVJ0z/DHlaArKDSIpxw/WX1+KsaK9Lr0yYXZTLDZNG/cO4zqaqIGEEX71zUx X-Received: by 2002:a05:6e02:1c49:b0:361:a33f:cb59 with SMTP id d9-20020a056e021c4900b00361a33fcb59mr1289294ilg.32.1706178999808; Thu, 25 Jan 2024 02:36:39 -0800 (PST) ARC-Seal: i=2; a=rsa-sha256; t=1706178999; cv=pass; d=google.com; s=arc-20160816; b=NNSPCBQOzISoJBpmg99UXTUca0M9pk5ZJBPTF4TCy0UqRxNvnQ9mWa4eVqi0B2aUp5 Zl79cR5aPQ5TAsMpnQAatDz9ERNgQQc46hkPkrEeSxDZXEmDTWpTzHnPSog5v1tSbxHo 70ODqfZryTi/Ujwm4IGS1J8bhG8UtRKNrPYMeYhwqwAAcfEBV9Aw5cMk+o9TA8qhRqvA z0wNG/ANxG73S2DK8eSi1rKFHT1neYs+GqF1Z0Q4Y46kF+fxZFvauhJ4NcWNu7SKGp+t 1bbLKE+KuIJG0po5w8ExX6EuufvRzvDkxA1M9Q6HBHDNNXXDYSZHl3xOzJ+1isv4E0ln 2v8A== ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=in-reply-to:content-transfer-encoding:content-disposition :mime-version:list-unsubscribe:list-subscribe:list-id:precedence :references:message-id:subject:cc:to:from:date:dkim-signature; bh=Z9T04f1XinkhL8HV1myQlGVNBQVQ1SgSfMhqft5qKcQ=; fh=7vISbhVuvlOxzuBBEkTYhnxwleXJhXd0QWEcewMHGzQ=; b=aQonTfxDTKYfxLg4dycTpOrhlHBn6SA+ctNDarjAcKNt/3lJeWZPFNWRGvrW9lR/+K uAujs0qGFtMQaWt8VMx4IrhY+kY30b1/Cb5cSjLwXXMumy9Qqa74Nu1W9DbekYvjwe7o xgeU70zLRcN4J5CxhMYkcaNvJaJFBzeqjEPK9Uh6Ih3amSFhMXoio+to7hbN7we9khS9 ci7EQ/1B3sqzE4ZhDO+NQ3yK7W66cLSqx7+iDpanYJZqDMG9n0aA+KP3LWyntJkPPE30 ijnxi3WOwRiNSlgaxHcst1ABqLwC5+q0SSv/o8hu6h1USX83vXpm7HvmXaqOqwT68RXt EkdA== ARC-Authentication-Results: i=2; mx.google.com; dkim=pass header.i=@kernel.org header.s=k20201202 header.b=jkEu5Tph; arc=pass (i=1 dkim=pass dkdomain=kernel.org); spf=pass (google.com: domain of linux-kernel+bounces-38400-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:45e3:2400::1 as permitted sender) smtp.mailfrom="linux-kernel+bounces-38400-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Return-Path: Received: from sv.mirrors.kernel.org (sv.mirrors.kernel.org. [2604:1380:45e3:2400::1]) by mx.google.com with ESMTPS id c1-20020a63d501000000b005ce08c4bff1si13022859pgg.754.2024.01.25.02.36.39 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 25 Jan 2024 02:36:39 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel+bounces-38400-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:45e3:2400::1 as permitted sender) client-ip=2604:1380:45e3:2400::1; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=k20201202 header.b=jkEu5Tph; arc=pass (i=1 dkim=pass dkdomain=kernel.org); spf=pass (google.com: domain of linux-kernel+bounces-38400-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:45e3:2400::1 as permitted sender) smtp.mailfrom="linux-kernel+bounces-38400-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by sv.mirrors.kernel.org (Postfix) with ESMTPS id 6E07E295334 for ; Thu, 25 Jan 2024 10:36:39 +0000 (UTC) Received: from localhost.localdomain (localhost.localdomain [127.0.0.1]) by smtp.subspace.kernel.org (Postfix) with ESMTP id 0F9E81CD02; Thu, 25 Jan 2024 10:36:32 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="jkEu5Tph" Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 3562832C60; Thu, 25 Jan 2024 10:36:30 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1706178991; cv=none; b=jLdqIqnxLqCoEwDypuOOt2vGlqHs480tgNc51S/53Jkc2zMBqzSGqzIk4pabxmOkBCaDJMeCXzv1GhWG55cb8xEASiBn2xh8gCmMx3mV12RCGHHcSHu+Sf+NHFEeSvuMPVQ8Jzj1esOqWgCinD/MJWg9+OyWYEiQhcHAbR2DI5U= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1706178991; c=relaxed/simple; bh=RYngMZoEzsFVQfzATY40EOP/Ghyf3Ecc4V9vxdhnAHg=; h=Date:From:To:Cc:Subject:Message-ID:References:MIME-Version: Content-Type:Content-Disposition:In-Reply-To; b=sr+N68TvW/KMP3KWuvYwGEBtUYwR9apRRHkFK08gKh6dY0B5cs+iQp7bivhG5tr2JuN2KzFFN9K+EIz8xubg46VjwEwDIaIURXlgzbPufLyszQ5jhhLyOGrs0RInYmq+QW088qBP0UEPPvDruDJbOc3YE2zoCQoYZslcCB+9kKQ= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=jkEu5Tph; arc=none smtp.client-ip=10.30.226.201 Received: by smtp.kernel.org (Postfix) with ESMTPSA id F2E9BC433F1; Thu, 25 Jan 2024 10:36:27 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1706178990; bh=RYngMZoEzsFVQfzATY40EOP/Ghyf3Ecc4V9vxdhnAHg=; h=Date:From:To:Cc:Subject:References:In-Reply-To:From; b=jkEu5TphxlQN5VjN5SBeWzbjSDdHcvImdqX3TSsEbYaxEWiyswL609etipf9SWqHp r/WkdtU6/oce5njRbuD3cuKINHRMa9ifraLwB0iHnn4/nW5SXm02hHzCEsBja1q2YS dPg2fONSG9kbr3YzNjssF0HcFOnbceSJmXrgQORtIUkGfSVIrVFLFT+9C863fMF+kM qRbBaYDbie6t0ZHOeCQAJkUX/zx7FqnYBzro4HZJHriUJ7BARMtfCcps+dgIKHEwhB hpulw473CjrObtAoT0Dri0fPfmAZ5MnSVtpvbsnq2pC/iTMEiYeegQFhpIET4ZTYPk Tjeq7paTfb0Vg== Date: Thu, 25 Jan 2024 10:36:24 +0000 From: Lee Jones To: Rasmus Villemoes Cc: linux-kernel@vger.kernel.org, linux-hardening@vger.kernel.org, Andrew Morton , Petr Mladek , Steven Rostedt , Andy Shevchenko , Sergey Senozhatsky , Crutcher Dunnavant , Juergen Quade Subject: Re: [PATCH 1/1] lib/vsprintf: Implement ssprintf() to catch truncated strings Message-ID: <20240125103624.GC74950@google.com> References: <20240125083921.1312709-1-lee@kernel.org> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Disposition: inline Content-Transfer-Encoding: 8bit In-Reply-To: On Thu, 25 Jan 2024, Rasmus Villemoes wrote: > On 25/01/2024 09.39, Lee Jones wrote: > > There is an ongoing effort to replace the use of {v}snprintf() variants > > with safer alternatives - for a more in depth view, see Jon's write-up > > on LWN [0] and/or Alex's on the Kernel Self Protection Project [1]. > > > > Whist executing the task, it quickly became apparent that the initial > > thought of simply s/snprintf/scnprintf/ wasn't going to be adequate for > > a number of cases. Specifically ones where the caller needs to know > > whether the given string ends up being truncated. This is where > > ssprintf() [based on similar semantics of strscpy()] comes in, since it > > takes the best parts of both of the aforementioned variants. It has the > > testability of truncation of snprintf() and returns the number of Bytes > > *actually* written, similar to scnprintf(), making it a very programmer > > friendly alternative. > > > > Here's some examples to show the differences: > > > > Success: No truncation - all 9 Bytes successfully written to the buffer > > > > ret = snprintf (buf, 10, "%s", "123456789"); // ret = 9 > > ret = scnprintf(buf, 10, "%s", "123456789"); // ret = 9 > > ret = ssprintf (buf, 10, "%s", "123456789"); // ret = 9 > > > > Failure: Truncation - only 9 of 10 Bytes written; '-' is truncated > > > > ret = snprintf (buf, 10, "%s", "123456789-"); // ret = 10 > > > > Reports: "10 Bytes would have been written if buf was large enough" > > Issue: Programmers need to know/remember to check ret against "10" > > Yeah, so I'm not at all sure we need yet-another-wrapper with > yet-another-hard-to-read-prefix when people can just RTFM and learn how > to check for truncation or whatnot. But if you do this: As wonderful as it would be for people to "just RTFM", we're seeing a large number of cases where this isn't happening. Providing a more programmer friendly way is thought, by people way smarter than me, to be a solid means to solve this issue. Please also see Kees Cook's related work to remove strlcpy() use. > > +/** > > + * vssprintf - Format a string and place it in a buffer > > + * @buf: The buffer to place the result into > > + * @size: The size of the buffer, including the trailing null space > > + * @fmt: The format string to use > > + * @args: Arguments for the format string > > + * > > + * The return value is the number of characters which have been written into > > + * the @buf not including the trailing '\0' or -E2BIG if the string was > > + * truncated. If @size is == 0 the function returns 0. > > + * > > + * If you're not already dealing with a va_list consider using ssprintf(). > > + * > > + * See the vsnprintf() documentation for format string extensions over C99. > > + */ > > +int vssprintf(char *buf, size_t size, const char *fmt, va_list args) > > +{ > > + int i; > > + > > + if (unlikely(!size)) > > + return 0; > > No, don't special-case size 0 here. Passing size==0 should just > guarantee -E2BIG because that's essentially a programmer error, and the > calling code is then at least much more likely to not believe that buf > now contains a nul-terminated (empty) string. > > And since it's essentially a bug, there's no need to special-case size 0 > to avoid calling vsnprintf(), just let it be caught by the i >= size check. Agree. Thanks for the feedback. I will change this. > > + i = vsnprintf(buf, size, fmt, args); > > + > > + if (unlikely(i >= size)) > > + return -E2BIG; > > + > > + if (likely(i < size)) > > + return i; > > Those two ifs are mutually exclusive, so why the second if() and not > just a direct "return i"? That final "return size-1" is unreachable, and > confusing. That's true. The last line of vscnprintf() essentially means that the data was truncated, which is caught by the new check. So it should be reworked to look like this: ``` if (likely(i < size)) return i; return -E2BIG; ``` Thanks again. That's very helpful. -- Lee Jones [李琼斯]