Received: by 2002:a05:7412:d1aa:b0:fc:a2b0:25d7 with SMTP id ba42csp1519380rdb;
        Wed, 31 Jan 2024 00:37:34 -0800 (PST)
X-Google-Smtp-Source: AGHT+IEcR1yiWY08jgFB43CGccdlSaiEEwHE1eksLsAR1gYdsMcRUB06aY+4QGNQnuf+KL9yvL+q
X-Received: by 2002:ac8:5943:0:b0:42a:5cd2:875e with SMTP id 3-20020ac85943000000b0042a5cd2875emr1134370qtz.68.1706690254344;
        Wed, 31 Jan 2024 00:37:34 -0800 (PST)
ARC-Seal: i=2; a=rsa-sha256; t=1706690254; cv=pass;
        d=google.com; s=arc-20160816;
        b=kJrwP7glqVpEkW+F8Co+CleWJKfNvL7OIiP5gNU5piTDkFnkplKcs9CESubWwYhdAs
         1s9rrLONAi+I2k1O/GSrT8+6uee9YsqeXg3hZ1Q+KGlhHULc7rknTd+6u7NO0v688IWA
         tXju+IPY96vC4rWVXStU1svu3AHkseGUpeZgyCnTrjxfiTXvxuo3Nn0WKhsCacG3uqim
         biv5tcxCdBVVyoTJnm2y7tY9Q6Y8w6+2xamoJN4aLc+/1D49nKB2UmJjLqHcBqYa5Fo5
         cCAXzd2hrvcY4PzE7xWxZSqulSgOwC6wd/zUTjiA8HCwRi8/MRwWqzv2Wbu1i+RYLjgy
         +feQ==
ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=in-reply-to:content-transfer-encoding:content-disposition
         :mime-version:list-unsubscribe:list-subscribe:list-id:precedence
         :references:message-id:subject:cc:to:from:date:dkim-signature;
        bh=WJ4JbIJTMB74Av53tI+CQ+Nv4gLiTkHqBJ5q6mdBt4E=;
        fh=QxwlSuzOXuDf+vE14JTj2yKtv87uyV1SmEK5z4cOIug=;
        b=rP7AhLpP1dbAnL2l+CpGCPkJ0Yu1CAABInpiPygfnb7krKy0N+RpzgRWmiy+o9+V2P
         8CvnyaouJHl0XrViqJBNLlxnccZchaI+EO5CKpiH3qNzHwpQQm36LSW0tWf0wWjU4Z7a
         X5EtteZib5ymXB1jlfb6FkNj9iwhAGqkOB3O0z2OWWgug6AIGji4wFcK7hFiy2O3cXHr
         7y6T03wo8EEPZKXmuDnk3W2GfrE81n2c9fOq8fSJK22AASF66pulLE4Fsw3sWWD9gTVa
         qrweEPxbxx5Hj4nOpnfok1vlh8tUVl4+2KEuXWZtsSRYmjNTal6ea3OngEt6HAVoqxfE
         WrSg==;
        dara=google.com
ARC-Authentication-Results: i=2; mx.google.com;
       dkim=pass header.i=@kernel.org header.s=k20201202 header.b="m/Tj0cn6";
       arc=pass (i=1 dkim=pass dkdomain=kernel.org);
       spf=pass (google.com: domain of linux-kernel+bounces-46010-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:45d1:ec00::1 as permitted sender) smtp.mailfrom="linux-kernel+bounces-46010-linux.lists.archive=gmail.com@vger.kernel.org";
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org
X-Forwarded-Encrypted: i=1; AJvYcCUW4tGsALwMS1gTeWgAtnuy1nWnONoI6yEqrQOEpRnCc4WniT4VGewOncGLRrQV8i57ARoboil1NSKcYoLuc2f9OjH3jfqRFkyDI1YJUA==
Return-Path: <linux-kernel+bounces-46010-linux.lists.archive=gmail.com@vger.kernel.org>
Received: from ny.mirrors.kernel.org (ny.mirrors.kernel.org. [2604:1380:45d1:ec00::1])
        by mx.google.com with ESMTPS id a11-20020ac85b8b000000b0042a253b9c2csi11366969qta.771.2024.01.31.00.37.34
        for <linux.lists.archive@gmail.com>
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Wed, 31 Jan 2024 00:37:34 -0800 (PST)
Received-SPF: pass (google.com: domain of linux-kernel+bounces-46010-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:45d1:ec00::1 as permitted sender) client-ip=2604:1380:45d1:ec00::1;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@kernel.org header.s=k20201202 header.b="m/Tj0cn6";
       arc=pass (i=1 dkim=pass dkdomain=kernel.org);
       spf=pass (google.com: domain of linux-kernel+bounces-46010-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:45d1:ec00::1 as permitted sender) smtp.mailfrom="linux-kernel+bounces-46010-linux.lists.archive=gmail.com@vger.kernel.org";
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org
Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by ny.mirrors.kernel.org (Postfix) with ESMTPS id 11EE91C26996
	for <linux.lists.archive@gmail.com>; Wed, 31 Jan 2024 08:36:56 +0000 (UTC)
Received: from localhost.localdomain (localhost.localdomain [127.0.0.1])
	by smtp.subspace.kernel.org (Postfix) with ESMTP id C12395D8F7;
	Wed, 31 Jan 2024 08:36:49 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org;
	dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="m/Tj0cn6"
Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id D50755DF1F;
	Wed, 31 Jan 2024 08:36:48 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201
ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
	t=1706690209; cv=none; b=smP8HbiihnbLgmxvzB3pYzJgWAREnFXZ6aY8s0AAFT8Yxni/WuNQ8QnhCViKGEkPFoGDRj89ZjmUAYpn8uPCBu+KRjU72PFB9zJpfB5k7v6Lpu1A9/klO1jXHvASy6k63Dg0+H/tPwm/ADps31tegEMD48GWKuERmaao7TK8sB0=
ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org;
	s=arc-20240116; t=1706690209; c=relaxed/simple;
	bh=3fSoaam3bpW+RZdeV1nq004KT4pap3gb5P9HUz6Zm+A=;
	h=Date:From:To:Cc:Subject:Message-ID:References:MIME-Version:
	 Content-Type:Content-Disposition:In-Reply-To; b=W5SEHuEMOQKt0WVQnh8cOmtZk+r5yamdMVLMSzoeb1pPjKQFGv95Enqjgeu2P7QO9+9NCf7HSWpaWj4ldvNDkRWriQeDiYIDLt72+QxMkgVRJXkt7p7zZYnV9eUjsKWvJDk/ITdU0Absz7Zkx0wJm66cilWR56sr2u7EJffYMLw=
ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=m/Tj0cn6; arc=none smtp.client-ip=10.30.226.201
Received: by smtp.kernel.org (Postfix) with ESMTPSA id BCCD7C433C7;
	Wed, 31 Jan 2024 08:36:45 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org;
	s=k20201202; t=1706690208;
	bh=3fSoaam3bpW+RZdeV1nq004KT4pap3gb5P9HUz6Zm+A=;
	h=Date:From:To:Cc:Subject:References:In-Reply-To:From;
	b=m/Tj0cn61cMCn2mizYiadUUc5W0/r22jCNnm/WJ6/1Icey3ZHgTjsdgu9xarclDMN
	 W3ak17gZzVfqIKuY36pBWpQvy4H+DJ0d2K06HFj5j+neG1Vvg2sl72fL5Cm7724JPm
	 MfAsIT3RZdKZzM65rEPc9iIcK1l7mZ7Xcdlp3SgwqIF2QZnItCJ/5/Xf+Fuaa8JSzz
	 /8ePjt6iV/mARr1qg4MDENfIEgJ3AcNnj1gNjsgdbsqWeccq3mQw1P5EFi10cDhCIX
	 P4GpT6HuGineQ4lZzL3atzrw5jxN5r3iJEWzwTZzg44ooM0Ndlh/3p4hbeHG6wc5y2
	 A+ok0FnJSqX3Q==
Date: Wed, 31 Jan 2024 08:36:42 +0000
From: Lee Jones <lee@kernel.org>
To: Kees Cook <keescook@chromium.org>
Cc: Rasmus Villemoes <rasmus.villemoes@prevas.dk>,
	David Laight <David.Laight@aculab.com>,
	Rasmus Villemoes <linux@rasmusvillemoes.dk>,
	"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
	"linux-hardening@vger.kernel.org" <linux-hardening@vger.kernel.org>,
	Andrew Morton <akpm@linux-foundation.org>,
	Petr Mladek <pmladek@suse.com>,
	Steven Rostedt <rostedt@goodmis.org>,
	Andy Shevchenko <andriy.shevchenko@linux.intel.com>,
	Sergey Senozhatsky <senozhatsky@chromium.org>,
	Crutcher Dunnavant <crutcher+kernel@datastacks.com>,
	Juergen Quade <quade@hsnr.de>
Subject: Re: [PATCH 1/1] lib/vsprintf: Implement ssprintf() to catch
 truncated strings
Message-ID: <20240131083642.GB8551@google.com>
References: <20240125083921.1312709-1-lee@kernel.org>
 <a37e8071-32ac-4f5d-95e8-ddd2eb21edcd@rasmusvillemoes.dk>
 <20240125103624.GC74950@google.com>
 <54e518b6dd9647c1add38b706eccbb4b@AcuMS.aculab.com>
 <20240129092440.GA1708181@google.com>
 <7054dcbfb7214665afedaea93ce4dbad@AcuMS.aculab.com>
 <20240129095237.GC1708181@google.com>
 <20240130150721.GA692144@google.com>
 <79921f9a-2453-48ec-85db-e63a0958db1e@prevas.dk>
 <202401301351.83A809993@keescook>
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
List-Id: <linux-kernel.vger.kernel.org>
List-Subscribe: <mailto:linux-kernel+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-kernel+unsubscribe@vger.kernel.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <202401301351.83A809993@keescook>

On Tue, 30 Jan 2024, Kees Cook wrote:

> On Tue, Jan 30, 2024 at 04:18:42PM +0100, Rasmus Villemoes wrote:
> > So here scnprint() would have returned 1, leaving size at 1. scnprintf()
> > has the invariant that, for non-zero size, the return value is strictly
> > less than that size, so when passed a size of 1, all subsequent calls
> > return 0 (corresponding to the fact that all it could do was to write
> > the '\0' terminator).
> > 
> > This pattern already exists, and is really the reason scnprint exists.
> > Yes, scnprintf() cannot distinguish overflow from
> > it-just-exactly-fitted. Maybe it would have been better to make it work
> > like this, but I don't think there's a real use - and we do have
> > seq_buf() if one really wants an interface that can build a string
> > piece-meal while keeping track of whether it ever caused overflow.
> 
> Yeah, I think we can take the handful of places that really need to know
> about the overflow and can't reliably use scnprintf() and migrate them
> to the seq_buf API. It should be much easier to use now[1] too.
> 
> That way we won't add a new string API, and we can continue to remove
> snprintf.

This looks promising.  I'll have a look and get back to you.

> [1] https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/include/linux/seq_buf.h?id=dcc4e5728eeaeda84878ca0018758cff1abfca21
>     https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/include/linux/seq_buf.h?id=7a8e9cdf9405819105ae7405cd91e482bf574b01

-- 
Lee Jones [李琼斯]