Re: [PATCH 1/1] lib/vsprintf: Implement ssprintf() to catch truncated strings

public inbox for linux-kernel@vger.kernel.org
 help / color / mirror / Atom feed

From: Lee Jones <lee@kernel.org>
To: David Laight <David.Laight@aculab.com>
Cc: Rasmus Villemoes <linux@rasmusvillemoes.dk>,
	"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
	"linux-hardening@vger.kernel.org"
	<linux-hardening@vger.kernel.org>,
	Andrew Morton <akpm@linux-foundation.org>,
	Petr Mladek <pmladek@suse.com>,
	Steven Rostedt <rostedt@goodmis.org>,
	Andy Shevchenko <andriy.shevchenko@linux.intel.com>,
	Sergey Senozhatsky <senozhatsky@chromium.org>,
	Crutcher Dunnavant <crutcher+kernel@datastacks.com>,
	Juergen Quade <quade@hsnr.de>
Subject: Re: [PATCH 1/1] lib/vsprintf: Implement ssprintf() to catch truncated strings
Date: Tue, 30 Jan 2024 15:07:21 +0000	[thread overview]
Message-ID: <20240130150721.GA692144@google.com> (raw)
In-Reply-To: <20240129095237.GC1708181@google.com>

On Mon, 29 Jan 2024, Lee Jones wrote:

> On Mon, 29 Jan 2024, David Laight wrote:
> 
> > ...
> > > > I'm sure that the safest return for 'truncated' is the buffer length.
> > > > The a series of statements like:
> > > > 	buf += xxx(buf, buf_end - buf, .....);
> > > > can all be called with a single overflow check at the end.
> > > >
> > > > Forget the check, and the length just contains a trailing '\0'
> > > > which might cause confusion but isn't going to immediately
> > > > break the world.
> > > 
> > > snprintf() does this and has been proven to cause buffer-overflows.
> > > There have been multiple articles authored describing why using
> > > snprintf() is not generally a good idea for the masses including the 2
> > > linked in the commit message:
> > 
> > snprintf() returns the number of bytes that would have been output [1].
> > I'm not suggesting that, or not terminating the buffer.
> > Just returning the length including the '\0' (unless length was zero).
> > This still lets the code check for overflow but isn't going to
> > generate a pointer outside the buffer if used to update a pointer.
> 
> I see.  Well I'm not married to my solution.  However, I am convinced
> that the 2 solutions currently offered can be improved upon.  If you or
> anyone else has a better solution, I'd be more than happy to implement
> and switch to it.
> 
> Let me have a think about the solution you suggest and get back to you.

Okay, I've written a bunch of simple test cases and results are
positive.  It seems to achieve my aim whilst minimising any potential
pitfalls.

 - Success returns Bytes actually written - no functional change
 - Overflow returns the size of the buffer - which makes the result
   a) testable for overflow
   b) non-catastrophic if accidentally used to manipulate later sizes

    int size = 10;
    char buf[size];
    char *b = buf;

    ret = spprintf(b, size, "1234");
    size -= ret;
    b += ret;
    // ret = 4  size = 6  buf = "1234\0"

    ret = spprintf(b, size, "5678");
    size -= ret;
    b += ret;
    // ret = 4  size = 2  buf = "12345678\0"

    ret = spprintf(b, size, "9***");
    size -= ret;
    b += ret;
    // ret = 2  size = 0  buf = "123456789\0"

Since size is now 0, further calls result in no changes of state.

    ret = spprintf(b, size, "----");
    size -= ret;
    b += ret;
    // ret = 0  size = 0  buf = "123456789\0"

I'll knock this up and submit a patch.

-- 
Lee Jones [李琼斯]

next prev parent reply	other threads:[~2024-01-30 15:07 UTC|newest]

Thread overview: 16+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2024-01-25  8:39 [PATCH 1/1] lib/vsprintf: Implement ssprintf() to catch truncated strings Lee Jones
2024-01-25  9:04 ` Rasmus Villemoes
2024-01-25 10:36   ` Lee Jones
2024-01-27 14:32     ` David Laight
2024-01-29  9:24       ` Lee Jones
2024-01-29  9:39         ` David Laight
2024-01-29  9:52           ` Lee Jones
2024-01-30 15:07             ` Lee Jones [this message]
2024-01-30 15:18               ` Rasmus Villemoes
2024-01-30 15:53                 ` Lee Jones
2024-02-08 16:24                   ` Petr Mladek
2024-02-08 17:05                     ` Lee Jones
2024-01-30 21:55                 ` Kees Cook
2024-01-31  8:36                   ` Lee Jones
  -- strict thread matches above, loose matches on Subject: below --
2024-01-29  9:27 Lee Jones
2024-01-29  9:31 ` Lee Jones

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20240130150721.GA692144@google.com \
    --to=lee@kernel.org \
    --cc=David.Laight@aculab.com \
    --cc=akpm@linux-foundation.org \
    --cc=andriy.shevchenko@linux.intel.com \
    --cc=crutcher+kernel@datastacks.com \
    --cc=linux-hardening@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux@rasmusvillemoes.dk \
    --cc=pmladek@suse.com \
    --cc=quade@hsnr.de \
    --cc=rostedt@goodmis.org \
    --cc=senozhatsky@chromium.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox