From: David Laight <david.laight.linux@gmail.com>
To: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Cc: Thorsten Blum <thorsten.blum@linux.dev>,
	Thomas Gleixner <tglx@kernel.org>, Ingo Molnar <mingo@redhat.com>,
	Borislav Petkov <bp@alien8.de>,
	Dave Hansen <dave.hansen@linux.intel.com>,
	x86@kernel.org, "H. Peter Anvin" <hpa@zytor.com>,
	Andrew Morton <akpm@linux-foundation.org>,
	Ard Biesheuvel <ardb@kernel.org>,
	"Mike Rapoport (Microsoft)" <rppt@kernel.org>,
	Thomas Zimmermann <tzimmermann@suse.de>,
	Arnd Bergmann <arnd@arndb.de>, Jiri Bohac <jbohac@suse.cz>,
	Harshit Mogalapalli <harshit.m.mogalapalli@oracle.com>,
	linux-hardening@vger.kernel.org, Ingo Molnar <mingo@kernel.org>,
	linux-kernel@vger.kernel.org
Subject: Re: [PATCH] x86/setup: replace strlcat() with snprintf() in setup_arch()
Date: Sat, 6 Jun 2026 11:12:51 +0100
Message-ID: <20260606111251.008f3a0e@pumpkin>
In-Reply-To: <aiMVYiG8oe4JTwB4@ashevche-desk.local>

On Fri, 5 Jun 2026 21:28:50 +0300
Andy Shevchenko <andriy.shevchenko@linux.intel.com> wrote:

> On Fri, Jun 05, 2026 at 08:05:21PM +0200, Thorsten Blum wrote:
> > On Fri, Jun 05, 2026 at 06:55:31PM +0300, Andy Shevchenko wrote:  
> > > On Fri, Jun 05, 2026 at 05:42:48PM +0200, Thorsten Blum wrote:  
> > > > On Fri, Jun 05, 2026 at 07:41:11AM +0300, Andy Shevchenko wrote:  
> > > > > On Thu, Jun 04, 2026 at 03:17:53PM +0200, Thorsten Blum wrote:  
> 
> ...
> 
> > > > > >  	strscpy(boot_command_line, builtin_cmdline, COMMAND_LINE_SIZE);  
> > > > > 
> > > > > This also has third argument fixed. Don't you want to change that?  
> > > > 
> > > > That doesn't work because boot_command_line, at least the declaration in
> > > > linux/init.h, doesn't have a fixed size.  
> > > 
> > > Ah, okay.
> > >   
> > > > > >  #else
> > > > > >  	if (builtin_cmdline[0]) {
> > > > > > +		size_t len = strnlen(builtin_cmdline, COMMAND_LINE_SIZE);
> > > > > > +
> > > > > >  		/* append boot loader cmdline to builtin */
> > > > > > -		strlcat(builtin_cmdline, " ", COMMAND_LINE_SIZE);
> > > > > > -		strlcat(builtin_cmdline, boot_command_line, COMMAND_LINE_SIZE);
> > > > > > +		snprintf(builtin_cmdline + len, COMMAND_LINE_SIZE - len, " %s",
> > > > > > +			 boot_command_line);  
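Review bot: the snprintf() call in the #else branch ignores its return value, so when " %s" plus boot_command_line does not fit in the COMMAND_LINE_SIZE - len bytes that remain, the boot loader arguments are cut off silently, possibly in the middle of a parameter. Compare the return value against COMMAND_LINE_SIZE - len and warn on truncation. The call also relies on strnlen() returning less than COMMAND_LINE_SIZE: if it returned COMMAND_LINE_SIZE the size argument would be 0 and nothing would be appended, which deserves a one-line comment.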
> > > > > 
> > > > > Hmm... Wouldn't GCC complain on this? (Build with `make W=1`.)  
> > > > 
> > > > No warnings with W=1. Why would GCC warn here?  
> > > 
> > > Sometimes it complains if it can't prove the size of the string to fit the
> > > destination. You said that there is no size for boot_command_line, I'm not
> > > sure I understand how GCC proves that the above snprintf() won't ever truncate
> > > the input.  
> > 
> > The compiler doesn't prove that this cannot truncate. It only knows the
> > buffer sizes, but not the runtime string lengths.
> > 
> > snprintf() can truncate, and its return value could be used to detect
> > that. However, the previous version also ignored possible truncation by
> > strlcat(), so I didn't add new truncation handling.  
> 
> I understand that, but AFAIK strlcat() doesn't induce a warning in such a case,
> while GCC does (or at least should).
> 

gcc only complains about snprintf() when it knows the sizes
(including taking strings from arrays).
So I suspect the warnings are mostly false-positives.

But I'm not really sure using snprintf() to avoid strlcat() is a gain.
This could be:
	len = strnlen(builtin_cmdline, COMMAND_LINE_SIZE);
	if (strscpy(builtin_cmdline + len + 1, boot_command_line,
			COMMAND_LINE_SIZE - len - 1) >= 0)
		builtin_cmdline[len] = ' ';
but I suspect that doesn't return a useful string on overflow.

I've been trying to remove strcpy(), a lot of code has already
done strlen() for a bound check - so memcpy() can be used instead.

-- David
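
Added example, not part of this message or of the kernel tree: a user-space C sketch of the two append forms discussed in this thread, showing what each leaves in the buffer when the boot loader string does not fit. BUF_SIZE, bounded_len(), strscpy_sketch() and both append_*() helpers are assumptions made for illustration; strscpy_sketch() only imitates the kernel's strscpy() return convention, and the room check in append_strscpy() is an addition.

```c
#include <stdio.h>
#include <string.h>
#define BUF_SIZE 16	/* small stand-in for COMMAND_LINE_SIZE (assumption) */

static size_t bounded_len(const char *s, size_t max)	/* like strnlen() */
{
	const char *nul = memchr(s, '\0', max);
	return nul ? (size_t)(nul - s) : max;
}

/* User-space sketch of the kernel's strscpy(): NUL-terminates when count > 0;
 * returns the copied length, or -1 on truncation (the kernel uses -E2BIG). */
static long strscpy_sketch(char *dst, const char *src, size_t count)
{
	size_t n = bounded_len(src, count);
	int cut = (n == count);	/* source does not fit, or count == 0 */
	if (count == 0)
		return -1;
	if (cut)
		n = count - 1;
	memcpy(dst, src, n);
	dst[n] = '\0';
	return cut ? -1 : (long)n;
}

/* snprintf() form from the patch, with the return value checked. */
static int append_snprintf(char *builtin, const char *boot)
{
	size_t len = bounded_len(builtin, BUF_SIZE);
	int ret = snprintf(builtin + len, BUF_SIZE - len, " %s", boot);
	return ret < 0 || (size_t)ret >= BUF_SIZE - len;	/* 1 = truncated */
}

/* strscpy() form from the reply; the room check is added in this sketch. */
static int append_strscpy(char *builtin, const char *boot)
{
	size_t len = bounded_len(builtin, BUF_SIZE);
	if (len + 1 >= BUF_SIZE ||
	    strscpy_sketch(builtin + len + 1, boot, BUF_SIZE - len - 1) < 0)
		return 1;	/* separator not written, builtin[len] unchanged */
	builtin[len] = ' ';
	return 0;
}

int main(void)
{
	char a[BUF_SIZE] = "quiet", b[BUF_SIZE] = "quiet";	/* constructed input */
	int ca = append_snprintf(a, "root=/dev/sda1");
	int cb = append_strscpy(b, "root=/dev/sda1");
	printf("snprintf cut=%d \"%s\"\nstrscpy  cut=%d \"%s\"\n", ca, a, cb, b);
}
```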


Thread overview: 7+ messages
2026-06-04 13:17 [PATCH] x86/setup: replace strlcat() with snprintf() in setup_arch() Thorsten Blum
2026-06-05  4:41 ` Andy Shevchenko
2026-06-05 15:42   ` Thorsten Blum
2026-06-05 15:55     ` Andy Shevchenko
2026-06-05 18:05       ` Thorsten Blum
2026-06-05 18:28         ` Andy Shevchenko
2026-06-06 10:12           ` David Laight [this message]
