From: Alejandro Colomar
Date: Mon, 7 Jul 2025 16:59:32 +0200
To: Alexander Potapenko
Cc: linux-mm@kvack.org, linux-hardening@vger.kernel.org, Kees Cook, Christopher Bazley, shadow <~hallyn/shadow@lists.sr.ht>, linux-kernel@vger.kernel.org, Andrew Morton, kasan-dev@googlegroups.com, Dmitry Vyukov, Marco Elver, Christoph Lameter, David Rientjes, Vlastimil Babka, Roman Gushchin, Harry Yoo
Subject: Re: [RFC v1 1/3] vsprintf: Add [v]seprintf(), [v]stprintf()
References: <2d20eaf1752efefcc23d0e7c5c2311dd5ae252af.1751747518.git.alx@kernel.org>

Hi Alexander,

On Mon, Jul 07, 2025 at 11:47:43AM +0200, Alexander Potapenko wrote:
> > +/** > > + * vseprintf - Format a string and place it in a buffer > > + * @p: The buffer to place the result into > > + * @end: A pointer to one past the last character in the buffer > > + * @fmt: The format string to use > > + * @args: Arguments for the format string > > + * > > + * The return value is a pointer to the trailing '\0'. > > + * If @p is NULL, the function returns NULL. > > + * If the string is truncated, the function returns NULL. > > + * > > + * If you're not already dealing with a va_list consider using seprint= f(). > > + * > > + * See the vsnprintf() documentation for format string extensions over= C99. > > + */ > > +char *vseprintf(char *p, const char end[0], const char *fmt, va_list a= rgs) > > +{ > > + int len; > > + > > + if (unlikely(p =3D=3D NULL)) > > + return NULL; > > + > > + len =3D vstprintf(p, end - p, fmt, args);
>
> It's easy to imagine a situation in which `end` is calculated from the
> user input and may overflow.
> Maybe we can add a check for `end > p` to be on the safe side?
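
Review bot: In vseprintf(), the call `vstprintf(p, end - p, fmt, args)` passes the pointer difference as a size with no check that @end is at or after @p, and the kernel-doc does not state that precondition. Document that @end must point into, or one past, the same buffer as @p, and consider returning NULL when `end <= p` before calling vstprintf(), so that a bad @end is reported the same way the comment already promises for truncation. How vstprintf() treats a negative or zero difference is not visible in this hunk, so the caller should not rely on it.
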
That would technically be already UB at the moment you hold the 'end'
pointer, so the verification should in theory happen much earlier.

However, if we've arrived here with an overflown 'end', the safety is in
vsnprintf(), which has

	/* Reject out-of-range values early.  Large positive sizes are
	   used for unknown buffer sizes. */
	if (WARN_ON_ONCE(size > INT_MAX))
		return 0;

The sequence is:

-  vseprintf() calls vstprintf() where end-p => size.
-  vstprintf() calls vsnprintf() with size.
-  vsnprintf() would return 0, and the contents of the string are
   undefined, as we haven't written anything.  It's not even truncated.

Which, indeed, doesn't sound like a safety.  We've reported a successful
copy of 0 bytes, but we actually failed.

Which BTW is a reminder that this implementation of vsnprintf() seems
dangerous to me, and not conforming to the standard vsnprintf(3).

Maybe we should do the check in vstprintf() and report an error as
-E2BIG (which is later translated into NULL by vseprintf()).  This is
what sized_strscpy() does, so sounds reasonable.  I'll add this test.

Thanks!

Have a lovely day!
Alex
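
A userspace model of the error path proposed in the message above, added here as an illustration; it is not code from the patch or from the kernel. The model_* and demo_* names are hypothetical, libc vsnprintf() stands in for the kernel's, and rejecting a size <= 0 alongside size > INT_MAX is an assumption of this example that goes slightly beyond what the message proposes.

```c
#include <errno.h>
#include <limits.h>
#include <stdarg.h>
#include <stddef.h>
#include <stdio.h>

/* Length written, or -E2BIG on a bad size or truncation (assumed model). */
static int model_vstprintf(char *buf, ptrdiff_t size, const char *fmt, va_list ap)
{
	int len;

	if (size <= 0 || size > INT_MAX)
		return -E2BIG;		/* an error, not "0 bytes copied" */
	len = vsnprintf(buf, (size_t)size, fmt, ap);
	if (len < 0 || len >= size)
		return -E2BIG;		/* output did not fit */
	return len;
}

/* Pointer to the trailing '\0', or NULL on error, truncation or NULL p. */
static char *model_seprintf(char *p, const char *end, const char *fmt, ...)
{
	va_list ap;
	int len;

	if (p == NULL)
		return NULL;		/* an earlier failure in a chain stays a failure */
	va_start(ap, fmt);
	len = model_vstprintf(p, end - p, fmt, ap);
	va_end(ap);
	return len < 0 ? NULL : p + len;
}

/* Chained calls writing "uid=1000 gid=1000" at buf+off with end = buf+n
 * (constructed input); returns 1 only if both calls succeeded. */
static int demo_chain(size_t off, size_t n)
{
	char buf[32];
	char *p = buf + off, *end = buf + n;	/* callers keep off, n <= 32 */

	p = model_seprintf(p, end, "uid=%d", 1000);
	p = model_seprintf(p, end, " gid=%d", 1000);
	return p != NULL;
}

int main(void)
{
	printf("%d %d %d\n", demo_chain(0, 18), demo_chain(0, 17), demo_chain(8, 4));
	return 0;
}
```

The third call in main() places end below p inside one array, so the difference is negative and the chain fails at the first call instead of reporting an empty, successful copy.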