From: Kees Cook <keescook@chromium.org>
To: Joe Perches <joe@perches.com>
Cc: Justin Stitt <justinstitt@google.com>,
Andy Whitcroft <apw@canonical.com>,
Dwaipayan Ray <dwaipayanray1@gmail.com>,
Lukas Bulwahn <lukas.bulwahn@gmail.com>,
linux-kernel@vger.kernel.org, Lee Jones <lee@kernel.org>,
linux-hardening@vger.kernel.org,
Finn Thain <fthain@linux-m68k.org>
Subject: Re: [PATCH v6] checkpatch: add check for snprintf to scnprintf
Date: Thu, 2 May 2024 15:57:35 -0700 [thread overview]
Message-ID: <202405021556.374C2E8@keescook> (raw)
In-Reply-To: <aacd7c3a5ad5bb4df71ec5dd107ef12b6ebf4079.camel@perches.com>
On Mon, Apr 29, 2024 at 08:21:49PM -0700, Joe Perches wrote:
> On Mon, 2024-04-29 at 12:49 -0700, Kees Cook wrote:
> > On Mon, Apr 29, 2024 at 06:39:28PM +0000, Justin Stitt wrote:
> > > I am going to quote Lee Jones who has been doing some snprintf ->
> > > scnprintf refactorings:
> > >
> > > "There is a general misunderstanding amongst engineers that
> > > {v}snprintf() returns the length of the data *actually* encoded into the
> > > destination array. However, as per the C99 standard {v}snprintf()
> > > really returns the length of the data that *would have been* written if
> > > there were enough space for it. This misunderstanding has led to
> > > buffer-overruns in the past. It's generally considered safer to use the
> > > {v}scnprintf() variants in their place (or even sprintf() in simple
> > > cases). So let's do that."
> > >
> > > To help prevent new instances of snprintf() from popping up, let's add a
> > > check to checkpatch.pl.
> > >
> > > Suggested-by: Finn Thain <fthain@linux-m68k.org>
> > > Signed-off-by: Justin Stitt <justinstitt@google.com>
> >
> > Thanks!
> >
> > Reviewed-by: Kees Cook <keescook@chromium.org>
> >
>
> $ git grep -P '\b((v|)snprintf)\s*\(' | wc -l
> 7745
> $ git grep -P '(?:return\s+|=\s*)\b((v|)snprintf)\s*\(' | wc -l
> 1626
>
> Given there are ~5000 uses of these that don't care
> whether or not it's snprintf or scnprintf, I think this
> is not great.
But let's not add more of either case. :)
> I'd much rather make sure the return value of the call
> is used before suggesting an alternative.
>
> $ git grep -P '\b((v|)snprintf)\s*\(.*PAGE_SIZE' | wc -l
> 515
>
> And about 1/3 of these snprintf calls are for sysfs style
> output that ideally would be converted to sysfs_emit or
> sysfs_emit_at instead.
Detecting that we're in the right place for sysfs_emit seems out of
scope for here, but maybe it should be more clearly called out by the
contents at the reported URL?
--
Kees Cook
next prev parent reply other threads:[~2024-05-02 22:57 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-04-29 18:39 [PATCH v6] checkpatch: add check for snprintf to scnprintf Justin Stitt
2024-04-29 19:49 ` Kees Cook
2024-04-30 3:21 ` Joe Perches
2024-05-02 9:29 ` Lee Jones
2024-05-02 22:57 ` Kees Cook [this message]
2024-05-02 9:30 ` Lee Jones
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=202405021556.374C2E8@keescook \
--to=keescook@chromium.org \
--cc=apw@canonical.com \
--cc=dwaipayanray1@gmail.com \
--cc=fthain@linux-m68k.org \
--cc=joe@perches.com \
--cc=justinstitt@google.com \
--cc=lee@kernel.org \
--cc=linux-hardening@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=lukas.bulwahn@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.