Date: Tue, 30 Jan 2024 13:55:39 -0800
From: Kees Cook
To: Rasmus Villemoes
Cc: Lee Jones, David Laight, Rasmus Villemoes, "linux-kernel@vger.kernel.org", "linux-hardening@vger.kernel.org", Andrew Morton, Petr Mladek, Steven Rostedt, Andy Shevchenko, Sergey Senozhatsky, Crutcher Dunnavant, Juergen Quade
Subject: Re: [PATCH 1/1] lib/vsprintf: Implement ssprintf() to catch truncated strings
Message-ID: <202401301351.83A809993@keescook>
In-Reply-To: <79921f9a-2453-48ec-85db-e63a0958db1e@prevas.dk>

On Tue, Jan 30, 2024 at 04:18:42PM +0100, Rasmus Villemoes wrote:
> So here scnprintf() would have returned 1, leaving size at 1. scnprintf()
> has the invariant that, for non-zero size, the return value is strictly
> less than that size, so when passed a size of 1, all subsequent calls
> return 0 (corresponding to the fact that all it could do was to write
> the '\0' terminator).
>
> This pattern already exists, and is really the reason scnprintf exists.
> Yes, scnprintf() cannot distinguish overflow from
> it-just-exactly-fitted. Maybe it would have been better to make it work
> like this, but I don't think there's a real use - and we do have
> seq_buf() if one really wants an interface that can build a string
> piece-meal while keeping track of whether it ever caused overflow.

Yeah, I think we can take the handful of places that really need to know
about the overflow and can't reliably use scnprintf() and migrate them
to the seq_buf API. It should be much easier to use now[1] too. That way
we won't add a new string API, and we can continue to remove snprintf.

-Kees

[1] https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/include/linux/seq_buf.h?id=dcc4e5728eeaeda84878ca0018758cff1abfca21
    https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/include/linux/seq_buf.h?id=7a8e9cdf9405819105ae7405cd91e482bf574b01

-- 
Kees Cook
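
Added example (not part of the original message or of the kernel source): a userspace C model of the scnprintf() return contract discussed above, next to a minimal overflow-tracking buffer in the spirit of seq_buf. The names `model_scnprintf`, `struct sbuf`, `sbuf_puts`, `build_scn` and `build_sbuf` are hypothetical, and the sample strings are constructed.

```c
#include <stdarg.h>
#include <stdbool.h>
#include <stdio.h>

/* Userspace model of scnprintf(): returns chars stored, < size if size != 0. */
static int model_scnprintf(char *buf, size_t size, const char *fmt, ...)
{
	va_list ap;
	int n;
	va_start(ap, fmt);
	n = vsnprintf(buf, size, fmt, ap);
	va_end(ap);
	if (n < 0 || size == 0)
		return 0;
	return (size_t)n < size ? n : (int)(size - 1);
}

/* Hypothetical tracker in the spirit of seq_buf: it remembers overflow. */
struct sbuf { char *buf; size_t size, len; bool overflowed; };
static void sbuf_puts(struct sbuf *s, const char *str)
{
	size_t room = s->size - s->len;	/* includes the '\0' */
	int n = s->overflowed ? -1 : snprintf(s->buf + s->len, room, "%s", str);
	s->overflowed = n < 0 || (size_t)n >= room;	/* sticky once set */
	s->len += s->overflowed ? 0 : (size_t)n;
}

/* Append a then b with the "off += scnprintf()" pattern; returns length. */
static size_t build_scn(char *buf, size_t size, const char *a, const char *b)
{
	size_t off = model_scnprintf(buf, size, "%s", a);
	return off + model_scnprintf(buf + off, size - off, "%s", b);
}

/* Same append through the tracker; returns true if anything was cut. */
static bool build_sbuf(char *buf, size_t size, const char *a, const char *b)
{
	struct sbuf s = { buf, size, 0, false };
	sbuf_puts(&s, a);
	sbuf_puts(&s, b);
	return s.overflowed;
}

int main(void)
{
	char b[8];	/* constructed input: 7 characters fit, 8 do not */
	printf("scn %zu/%zu\n", build_scn(b, 8, "abc", "defg"), build_scn(b, 8, "abc", "defgh"));
	printf("sbuf %d/%d\n", build_sbuf(b, 8, "abc", "defg"), build_sbuf(b, 8, "abc", "defgh"));
	return 0;
}
```

Both scnprintf-style builds report the same length whether the second string fit exactly or was cut, while the tracker reports overflow only for the truncated one.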