Re: [PATCH] x86/setup: replace strlcat() with snprintf() in setup_arch()

[Thorsten Blum <thorsten.blum@linux.dev>]

On Fri, Jun 05, 2026 at 06:55:31PM +0300, Andy Shevchenko wrote:
> On Fri, Jun 05, 2026 at 05:42:48PM +0200, Thorsten Blum wrote:
> > On Fri, Jun 05, 2026 at 07:41:11AM +0300, Andy Shevchenko wrote:
> > > On Thu, Jun 04, 2026 at 03:17:53PM +0200, Thorsten Blum wrote:
> 
> ...
> 
> > > >  	strscpy(boot_command_line, builtin_cmdline, COMMAND_LINE_SIZE);
> > > 
> > > This also has third argument fixed. Don't you want to change that?
> > 
> > That doesn't work because boot_command_line, at least the declaration in
> > linux/init.h, doesn't have a fixed size.
> 
> Ah, okay.
> 
> > > >  #else
> > > >  	if (builtin_cmdline[0]) {
> > > > +		size_t len = strnlen(builtin_cmdline, COMMAND_LINE_SIZE);
> > > > +
> > > >  		/* append boot loader cmdline to builtin */
> > > > -		strlcat(builtin_cmdline, " ", COMMAND_LINE_SIZE);
> > > > -		strlcat(builtin_cmdline, boot_command_line, COMMAND_LINE_SIZE);
> > > > +		snprintf(builtin_cmdline + len, COMMAND_LINE_SIZE - len, " %s",
> > > > +			 boot_command_line);
> > > 
> > > Hmm... Wouldn't GCC complain on this? (Build with `make W=1`.)
> > 
> > No warnings with W=1. Why would GCC warn here?
> 
> Sometimes it complains if it can't prove the size of the string to fit the
> destination. You said that there is no size for boot_command_line, I'm not
> sure I understand how GCC proves that the above snprintf() won't ever truncate
> the input.

The compiler doesn't prove that this cannot truncate. It only knows the
buffer sizes, but not the runtime string lengths.

snprintf() can truncate, and its return value could be used to detect
that. However, the previous version also ignored possible truncation by
strlcat(), so I didn't add new truncation handling.