From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <owner-linux-mm@kvack.org>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17])
	by smtp.lore.kernel.org (Postfix) with ESMTP id E7335C83F34
	for <linux-mm@archiver.kernel.org>; Fri, 18 Jul 2025 00:56:31 +0000 (UTC)
Received: by kanga.kvack.org (Postfix)
	id 6B3906B00AB; Thu, 17 Jul 2025 20:56:31 -0400 (EDT)
Received: by kanga.kvack.org (Postfix, from userid 40)
	id 663A86B00AE; Thu, 17 Jul 2025 20:56:31 -0400 (EDT)
X-Delivered-To: int-list-linux-mm@kvack.org
Received: by kanga.kvack.org (Postfix, from userid 63042)
	id 504346B00B2; Thu, 17 Jul 2025 20:56:31 -0400 (EDT)
X-Delivered-To: linux-mm@kvack.org
Received: from relay.hostedemail.com (smtprelay0010.hostedemail.com [216.40.44.10])
	by kanga.kvack.org (Postfix) with ESMTP id 3B53D6B00AB
	for <linux-mm@kvack.org>; Thu, 17 Jul 2025 20:56:31 -0400 (EDT)
Received: from smtpin29.hostedemail.com (a10.router.float.18 [10.200.18.1])
	by unirelay01.hostedemail.com (Postfix) with ESMTP id D995E1D8A17
	for <linux-mm@kvack.org>; Fri, 18 Jul 2025 00:56:30 +0000 (UTC)
X-FDA: 83675569740.29.0D43742
Received: from sea.source.kernel.org (sea.source.kernel.org [172.234.252.31])
	by imf27.hostedemail.com (Postfix) with ESMTP id 1B2F840005
	for <linux-mm@kvack.org>; Fri, 18 Jul 2025 00:56:27 +0000 (UTC)
Authentication-Results: imf27.hostedemail.com;
	dkim=pass header.d=kernel.org header.s=k20201202 header.b=ZcIWXRcn;
	spf=pass (imf27.hostedemail.com: domain of alx@kernel.org designates 172.234.252.31 as permitted sender) smtp.mailfrom=alx@kernel.org;
	dmarc=pass (policy=quarantine) header.from=kernel.org
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=hostedemail.com;
	s=arc-20220608; t=1752800188;
	h=from:from:sender:reply-to:subject:subject:date:date:
	 message-id:message-id:to:to:cc:cc:mime-version:mime-version:
	 content-type:content-type:content-transfer-encoding:
	 in-reply-to:in-reply-to:references:references:dkim-signature;
	bh=IILpd21Q8TYRGD7EQ676jjJfPfW+3gwlEDD+U7WON4U=;
	b=f/vubj9ISt6PT5YCW6mxDs4sp3arBE9unhiHUnWYC9CftdLenmkCCaWToxY2iVe98JXu7t
	b5x0wElI/A5kPLWuVjxXSQVmnramQd28CxWTeU4OkozK3QnUpb9ERAjKzj8eOs9SKlqHaz
	5y+GBOlXaoMqgLM1Cjx06Mrt36pRfb0=
ARC-Authentication-Results: i=1;
	imf27.hostedemail.com;
	dkim=pass header.d=kernel.org header.s=k20201202 header.b=ZcIWXRcn;
	spf=pass (imf27.hostedemail.com: domain of alx@kernel.org designates 172.234.252.31 as permitted sender) smtp.mailfrom=alx@kernel.org;
	dmarc=pass (policy=quarantine) header.from=kernel.org
ARC-Seal: i=1; s=arc-20220608; d=hostedemail.com; t=1752800188; a=rsa-sha256;
	cv=none;
	b=KO/8206UwYEx78jVMTbv9ojpUPK+ddkUFcR0+rAOO5Dxx+/fAukWJLKjbjoZCQaTRP8g2V
	hsbYl7MZHBn9XuyBaRZmXfuIeTzZTIlNWLpWSV55UaVxvgoRUG0ioEyAVi2c7InA2Lnpt9
	oj4MslWgcNylUey/DsKSFKcy6OrCkzQ=
Received: from smtp.kernel.org (transwarp.subspace.kernel.org [100.75.92.58])
	by sea.source.kernel.org (Postfix) with ESMTP id C6E3843261;
	Fri, 18 Jul 2025 00:56:26 +0000 (UTC)
Received: by smtp.kernel.org (Postfix) with ESMTPSA id 23233C4CEE3;
	Fri, 18 Jul 2025 00:56:21 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org;
	s=k20201202; t=1752800186;
	bh=SY6veYEenY3ETaNp90Fgi3oqpoAKdNxhIi+bTZtizDM=;
	h=Date:From:To:Cc:Subject:References:In-Reply-To:From;
	b=ZcIWXRcnolHN2gWY2+iymLVYl3JeOO7lUYBB1V/8/qccbb7Cs1UveUcs6vLq4s+kH
	 JVddSr4+Aeyg/mmnDdBJhhZc2vxv81Drd97qre9tgQtxP2GDXen0YXRnY5AmXBD4ap
	 9hf0RAvYDwH9mz9feeH7pB87wljMljAvVtB6hUZ2QNAe0P6aT0jyStJfcTNzMWVxir
	 2yIQEL1k2Wv5SNrhLDFPaDk0sT78S40EhHJD/6y2fjzhEQzipxERScHsd/77irjhK9
	 QNRiD3LCHw29wcKAkxTe977EJSX8EHSjeII0tlPeJKhZnqIh1eK/Yi+oXXqwXQRP2k
	 w7SnrRkqiZAqQ==
Date: Fri, 18 Jul 2025 02:56:19 +0200
From: Alejandro Colomar <alx@kernel.org>
To: Kees Cook <kees@kernel.org>, 
	Linus Torvalds <torvalds@linux-foundation.org>
Cc: David Laight <david.laight.linux@gmail.com>, 
	Martin Uecker <ma.uecker@gmail.com>, linux-mm@kvack.org, linux-hardening@vger.kernel.org, 
	Christopher Bazley <chris.bazley.wg14@gmail.com>, shadow <~hallyn/shadow@lists.sr.ht>, 
	linux-kernel@vger.kernel.org, Andrew Morton <akpm@linux-foundation.org>, 
	kasan-dev@googlegroups.com, Dmitry Vyukov <dvyukov@google.com>, 
	Alexander Potapenko <glider@google.com>, Marco Elver <elver@google.com>, Christoph Lameter <cl@linux.com>, 
	David Rientjes <rientjes@google.com>, Vlastimil Babka <vbabka@suse.cz>, 
	Roman Gushchin <roman.gushchin@linux.dev>, Harry Yoo <harry.yoo@oracle.com>, 
	Andrew Clayton <andrew@digital-domain.net>, Rasmus Villemoes <linux@rasmusvillemoes.dk>, 
	Michal Hocko <mhocko@suse.com>, Al Viro <viro@zeniv.linux.org.uk>, Sam James <sam@gentoo.org>, 
	Andrew Pinski <pinskia@gmail.com>
Subject: Re: [RFC v5 6/7] sprintf: Add [v]sprintf_array()
Message-ID: <p2gl2w7gntydz4lpoyrazha2hqswwoggykdxo2un7us5wsc3lp@ij5my4epi3ot>
References: <cover.1751823326.git.alx@kernel.org>
 <cover.1752182685.git.alx@kernel.org>
 <04c1e026a67f1609167e834471d0f2fe977d9cb0.1752182685.git.alx@kernel.org>
 <CAHk-=wiNJQ6dVU8t7oM0sFpSqxyK8JZQXV5NGx7h+AE0PY4kag@mail.gmail.com>
 <28c8689c7976b4755c0b5c2937326b0a3627ebf6.camel@gmail.com>
 <20250711184541.68d770b9@pumpkin>
 <CAHk-=wjC0pAFfMBHKtCLOAcUvLs30PpjKoMfN9aP1-YwD0MZ5Q@mail.gmail.com>
 <202507142211.F1E0730A@keescook>
 <3o3ra7vjn44iey2dosunsm3wa4kagfeas2o4yzsl34girgn2eb@6rnktm2dmwul>
 <202507171644.7FB3379@keescook>
MIME-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha512;
	protocol="application/pgp-signature"; boundary="k63pphsxoo2hl7dh"
Content-Disposition: inline
In-Reply-To: <202507171644.7FB3379@keescook>
X-Rspam-User: 
X-Rspamd-Queue-Id: 1B2F840005
X-Rspamd-Server: rspam06
X-Stat-Signature: cz3zu7fxzgf9kc3cerdq47yi9igeh31x
X-HE-Tag: 1752800187-51311
X-HE-Meta: U2FsdGVkX1+RBLoEw2w6v5IkL0ypDZMF8hZxQaSmEDkFxIiGgya1/MpwRez0kGegKfAWggqT+0xZLqSkM3Zk1XOXJrN/aZU76Df7fMMgqsrNP9d7nRFHpWlmsX05nGp+6LAqTDwkLw1VlkhwSR4AjpO5+dgdNL3WDlcWkfAehkihKdpr1N/HBmb6ne3LHajQP345RBW/ZbiLAml0pdy2xoOIaH5QkvnQxH0nKrZV3UclfrmrrpcUob+mnqI01CtOhZijp2mnck9D7icsDgdJFeT3BGLaZ6lke8NJyG8ihwu9XsznWGyEAB8mhtodu06KnBseVKZ9GKl4tR1q9yNTPUyM9leQDiDyC1CiSwbe06pQ2ANHh5a2pRT5AWy2LuICmoivIlSwKc/ZYktsKvOxrq8mMKoBFz1Q+kxwjbyi7J3PvW6b/AUMtCPMeView5wM0VUnNpIlWXx1YL8qLCYgYlZxIbVgFcnKucTFUc2K2W4pL+VlgjSwvuaKhGDiJPCcUfMBBpjWC82TJ9XCQGr2gbhOaIxONUQAGHpMbt+Bn2HtNvEBGa7frat7Frjv8JxOJ+q/UzGg3vnKgjFiR5NECuG725FZOnJX/cdPpRxg57LYYMBEGCPKR858YhI5KPyNDs4VJQsO+GfWoQBsTZJ9mIml5Hu1m5rUL8okFrqpozsUMPMjr2v6ZOOGD6j2yzlLF9bLqS/Br/rBfANeUwrI0AujIscSQIzWgjf6j2fBwK+3Gefks1Ipgr/FBZtFPk8nNdW+Jk3MXRrnPQsRTSb1Wr2w5J7XfmzKBBaHnu4t8NtgVMdc+uToBeuEhuCci4iQqcsCMfjY3fJpkYyZ99wPj4vN1+WzGIplWDOczKt8vk/UGOg7oJg3BeovwrBQqp97BeplJd3VXbZCa5AULLxENgaiRqAL4j8jyegrtPbCSjY/H+dtddQSmCIOQL+jH/hiVKwxPfObvChPV/7dWsD
 4l531Xlu
 +SvlHBgnh1y7gKSXFiwrSQqpjsNDgCYKqdZv5xsmsL7pU5k8+ze7nMijpHr/Jm5r8EQUfugZtMg6P4Bf+Cw0RxW7xxxg0LEqri5DoMaSyS/nhnpxvmrXslWq6KNJOhqwpsVoF+mnioS+3fmBTPzvNisyrizR1wiU58mx4WKzYAlQ074PCebsggbLHGqEyESnId+29HC71r/ZI1LsgTjJJNk5P5tqdOTZiT2eqloAhVJpLFvI8YG7y8y3lYHxjL4FuUXeKBaHKaH1cX3KsU5r8nfn30Fq/Sc4Lr9RvhIM1RZCoJ5/seD269no0NT9p6PkxrtFJTGLQ2JashMtY4aCrRTng0cdCGisun8Ho9l/3O+pIL2VQ5A/uplAPhhxM01HHGTCRQdb2NFNEunpGqJa9/biEDfcOigSVvTNethfYqL5W2rO8P6GCmlZjAepuVQmnfcFlcAunnBUHQgjSW9RtHczoCrmwJqbK6AzbS6yCrwjHrPdfz0bQSNrJTJYLPrGQYzgaNCNL7r9ztepOxbhnCV7qLw==
X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4
Sender: owner-linux-mm@kvack.org
Precedence: bulk
X-Loop: owner-majordomo@kvack.org
List-ID: <linux-mm.kvack.org>
List-Subscribe: <mailto:majordomo@kvack.org>
List-Unsubscribe: <mailto:majordomo@kvack.org>


--k63pphsxoo2hl7dh
Content-Type: text/plain; protected-headers=v1; charset=utf-8
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable
From: Alejandro Colomar <alx@kernel.org>
To: Kees Cook <kees@kernel.org>, 
	Linus Torvalds <torvalds@linux-foundation.org>
Cc: David Laight <david.laight.linux@gmail.com>, 
	Martin Uecker <ma.uecker@gmail.com>, linux-mm@kvack.org, linux-hardening@vger.kernel.org, 
	Christopher Bazley <chris.bazley.wg14@gmail.com>, shadow <~hallyn/shadow@lists.sr.ht>, 
	linux-kernel@vger.kernel.org, Andrew Morton <akpm@linux-foundation.org>, 
	kasan-dev@googlegroups.com, Dmitry Vyukov <dvyukov@google.com>, 
	Alexander Potapenko <glider@google.com>, Marco Elver <elver@google.com>, Christoph Lameter <cl@linux.com>, 
	David Rientjes <rientjes@google.com>, Vlastimil Babka <vbabka@suse.cz>, 
	Roman Gushchin <roman.gushchin@linux.dev>, Harry Yoo <harry.yoo@oracle.com>, 
	Andrew Clayton <andrew@digital-domain.net>, Rasmus Villemoes <linux@rasmusvillemoes.dk>, 
	Michal Hocko <mhocko@suse.com>, Al Viro <viro@zeniv.linux.org.uk>, Sam James <sam@gentoo.org>, 
	Andrew Pinski <pinskia@gmail.com>
Subject: Re: [RFC v5 6/7] sprintf: Add [v]sprintf_array()
References: <cover.1751823326.git.alx@kernel.org>
 <cover.1752182685.git.alx@kernel.org>
 <04c1e026a67f1609167e834471d0f2fe977d9cb0.1752182685.git.alx@kernel.org>
 <CAHk-=wiNJQ6dVU8t7oM0sFpSqxyK8JZQXV5NGx7h+AE0PY4kag@mail.gmail.com>
 <28c8689c7976b4755c0b5c2937326b0a3627ebf6.camel@gmail.com>
 <20250711184541.68d770b9@pumpkin>
 <CAHk-=wjC0pAFfMBHKtCLOAcUvLs30PpjKoMfN9aP1-YwD0MZ5Q@mail.gmail.com>
 <202507142211.F1E0730A@keescook>
 <3o3ra7vjn44iey2dosunsm3wa4kagfeas2o4yzsl34girgn2eb@6rnktm2dmwul>
 <202507171644.7FB3379@keescook>
MIME-Version: 1.0
In-Reply-To: <202507171644.7FB3379@keescook>

Hi Kees,

On Thu, Jul 17, 2025 at 04:47:04PM -0700, Kees Cook wrote:
> On Tue, Jul 15, 2025 at 09:08:14AM +0200, Alejandro Colomar wrote:
> > Hi Kees,
> >=20
> > On Mon, Jul 14, 2025 at 10:19:39PM -0700, Kees Cook wrote:
> > > On Fri, Jul 11, 2025 at 10:58:56AM -0700, Linus Torvalds wrote:
> > > >         struct seq_buf s;
> > > >         seq_buf_init(&s, buf, szie);
> > >=20
> > > And because some folks didn't like this "declaration that requires a
> > > function call", we even added:
> > >=20
> > > 	DECLARE_SEQ_BUF(s, 32);
> > >=20
> > > to do it in 1 line. :P
> > >=20
> > > I would love to see more string handling replaced with seq_buf.
> >=20
> > The thing is, it's not as easy as the fixes I'm proposing, and
> > sprintf_end() solves a lot of UB in a minimal diff that you can dumbly
> > apply.
>=20
> Note that I'm not arguing against your idea -- I just think it's not
> going to be likely to end up in Linux soon given Linus's objections.

It would be interesting to hear if Linus holds his objections on v6.

> My
> perspective is mainly one of pragmatic damage control: what *can* we do
> in Linux that would make things better? Currently, seq_buf is better
> than raw C strings...

TBH, I'm not fully convinced.  While it may look simpler at first
glance, I'm worried that it might bite in the details.  I default to not
trusting APIs that hide the complexity in hidden state.  On the other
hand, I agree that almost anything is safer than snprintf(3).

But one good thing of snprintf(3) is that it's simple, and thus
relatively obvious to see that it's wrong, so it's easy to fix (it's
easy to transition from snprintf(3) to sprintf_end()).  So, maybe
keeping it bogus until it's replaced by sprintf_end() is a better
approach than using seq_buf.  (Unless the current code is found
exploitable, but I assume not.)


Have a lovely night!
Alex

--=20
<https://www.alejandro-colomar.es/>

--k63pphsxoo2hl7dh
Content-Type: application/pgp-signature; name="signature.asc"

-----BEGIN PGP SIGNATURE-----

iQIzBAABCgAdFiEES7Jt9u9GbmlWADAi64mZXMKQwqkFAmh5m60ACgkQ64mZXMKQ
wqkLwBAAhgrJrpnkhBACfYY0eDqJcZh5qz8L/7W6xPGCf46NZSmjG/xJiYD2Ystf
j2+6m1UM6ynUzTMKK0hUo2nMhmBqqd3mmgFpTgWO6iwOt+Am5C7+RuLtBhCNrAh+
kYBPjichLntIH4Di6kHYlGevuH2NCR5zh5ImDK/fbBl56V6p0YTJCFGKqqWeiKo6
UI/SXQgqL1leL6clVP18x0WTaPfslnoZ9SlbGT2FpVIkhs/fLzcfJm+sXDQTzGff
1ccwyUPLGSJoiAD8jlrAxPson+KND8FtjU582aK/JwX05VVZSPzcKJLHm3Vu36j0
ye+DL97kD00ebWjS+w2u9F2Xfl5mc1cNqGJUHhmaK2jJV1JTlus1HhWgQp9rNe/K
49FWUIhnfqG2rz1kFzpGyTJY0zEXRmctcmm35K+qiGKnFHpO3DikvtBbgTPlOO2/
+8ODvnlfr0ffTLHZ3Zh0x+vvKqCXm/OI7Wm9H3utA9X3GvSeDIYHfYjtTuJFyO8F
Hw82ItMzcbi9h2mOgUQtVliLtxskzOxt+1jN+QgUfcRRQbV4K21MTQ/HzBioIKk1
JUQZbyYIaXqS1RsJ308A4fuDA+XR5zah2Zn7WiIbVmnU7/xt72UQ3Jrq/jr3f0aW
pXJ8aI2ggPuQXwUaF1pN3yHwlAXdAVziskVxXFiOXPTp7WXtC/c=
=mSgQ
-----END PGP SIGNATURE-----

--k63pphsxoo2hl7dh--