From: Lee Jones <lee@kernel.org>
To: Joe Perches <joe@perches.com>
Cc: Kees Cook <keescook@chromium.org>,
Justin Stitt <justinstitt@google.com>,
Andy Whitcroft <apw@canonical.com>,
Dwaipayan Ray <dwaipayanray1@gmail.com>,
Lukas Bulwahn <lukas.bulwahn@gmail.com>,
linux-kernel@vger.kernel.org, linux-hardening@vger.kernel.org,
Finn Thain <fthain@linux-m68k.org>
Subject: Re: [PATCH v6] checkpatch: add check for snprintf to scnprintf
Date: Thu, 2 May 2024 10:29:43 +0100 [thread overview]
Message-ID: <20240502092943.GG5338@google.com> (raw)
In-Reply-To: <aacd7c3a5ad5bb4df71ec5dd107ef12b6ebf4079.camel@perches.com>
On Mon, 29 Apr 2024, Joe Perches wrote:
> On Mon, 2024-04-29 at 12:49 -0700, Kees Cook wrote:
> > On Mon, Apr 29, 2024 at 06:39:28PM +0000, Justin Stitt wrote:
> > > I am going to quote Lee Jones who has been doing some snprintf ->
> > > scnprintf refactorings:
> > >
> > > "There is a general misunderstanding amongst engineers that
> > > {v}snprintf() returns the length of the data *actually* encoded into the
> > > destination array. However, as per the C99 standard {v}snprintf()
> > > really returns the length of the data that *would have been* written if
> > > there were enough space for it. This misunderstanding has led to
> > > buffer-overruns in the past. It's generally considered safer to use the
> > > {v}scnprintf() variants in their place (or even sprintf() in simple
> > > cases). So let's do that."
> > >
> > > To help prevent new instances of snprintf() from popping up, let's add a
> > > check to checkpatch.pl.
> > >
> > > Suggested-by: Finn Thain <fthain@linux-m68k.org>
> > > Signed-off-by: Justin Stitt <justinstitt@google.com>
> >
> > Thanks!
> >
> > Reviewed-by: Kees Cook <keescook@chromium.org>
> >
>
> $ git grep -P '\b((v|)snprintf)\s*\(' | wc -l
> 7745
> $ git grep -P '(?:return\s+|=\s*)\b((v|)snprintf)\s*\(' | wc -l
> 1626
>
> Given there are ~5000 uses of these that don't care
> whether or not it's snprintf or scnprintf, I think this
> is not great.
>
> I'd much rather make sure the return value of the call
> is used before suggesting an alternative.
>
> $ git grep -P '\b((v|)snprintf)\s*\(.*PAGE_SIZE' | wc -l
> 515
>
> And about 1/3 of these snprintf calls are for sysfs style
> output that ideally would be converted to sysfs_emit or
> sysfs_emit_at instead.
I am working on the migration of these (this patch was spun off from
that project in fact). Some subsystems are currently prioritising the
status quo (a.k.a. "no churn"), but most have been accepting of the
changes.
Planning to get back to it once the CVE project has calmed a little.
Those numbers should diminish over time.
--
Lee Jones [李琼斯]
next prev parent reply other threads:[~2024-05-02 9:29 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-04-29 18:39 [PATCH v6] checkpatch: add check for snprintf to scnprintf Justin Stitt
2024-04-29 19:49 ` Kees Cook
2024-04-30 3:21 ` Joe Perches
2024-05-02 9:29 ` Lee Jones [this message]
2024-05-02 22:57 ` Kees Cook
2024-05-02 9:30 ` Lee Jones
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20240502092943.GG5338@google.com \
--to=lee@kernel.org \
--cc=apw@canonical.com \
--cc=dwaipayanray1@gmail.com \
--cc=fthain@linux-m68k.org \
--cc=joe@perches.com \
--cc=justinstitt@google.com \
--cc=keescook@chromium.org \
--cc=linux-hardening@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=lukas.bulwahn@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox