Re: [PATCH V3 1/8] sysfs: Add sysfs_emit and sysfs_emit_at to format sysfs output

From: Kees Cook <keescook@chromium.org>
To: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: Joe Perches <joe@perches.com>,
	"Rafael J . Wysocki" <rafael@kernel.org>,
	Denis Efremov <efremov@linux.com>,
	Julia Lawall <julia.lawall@inria.fr>,
	Alex Dewar <alex.dewar90@gmail.com>,
	linux-kernel@vger.kernel.org, Jonathan Corbet <corbet@lwn.net>,
	linux-doc@vger.kernel.org
Subject: Re: [PATCH V3 1/8] sysfs: Add sysfs_emit and sysfs_emit_at to format sysfs output
Date: Wed, 30 Sep 2020 21:17:03 -0700	[thread overview]
Message-ID: <202009302108.18B05CA38@keescook> (raw)
In-Reply-To: <20200930115740.GA1611809@kroah.com>

On Wed, Sep 30, 2020 at 01:57:40PM +0200, Greg Kroah-Hartman wrote:
> Kees, and Rafael, I don't know if you saw this proposal from Joe for
> sysfs files, questions below:

I'm a fan. I think the use of sprintf() in sysfs might have been one of
my earliest complaints about unsafe code patterns in the kernel. ;)

> > +/**
> > + *	sysfs_emit - scnprintf equivalent, aware of PAGE_SIZE buffer.
> > + *	@buf:	start of PAGE_SIZE buffer.
> > + *	@fmt:	format
> > + *	@...:	optional arguments to @format
> > + *
> > + *
> > + * Returns number of characters written to @buf.
> > + */
> > +int sysfs_emit(char *buf, const char *fmt, ...)
> > +{
> > +	va_list args;
> > +	int len;
> > +
> > +	if (WARN(!buf || offset_in_page(buf),
> > +		 "invalid sysfs_emit: buf:%p\n", buf))

I don't want the %p here, but otherwise, sure. I'd also make it a _ONCE
variant:

	if (WARN_ONCE(!buf || offset_in_page(buf),
		 "invalid sysfs_emit: offset_in_page(buf):%zd\n",
		  buf ? offset_in_page(buf) : 0))

> > +		return 0;
> > +
> > +	va_start(args, fmt);
> > +	len = vscnprintf(buf, PAGE_SIZE, fmt, args);
> > +	va_end(args);
> > +
> > +	return len;
> > +}
> > +EXPORT_SYMBOL_GPL(sysfs_emit);
> > +
> > +/**
> > + *	sysfs_emit_at - scnprintf equivalent, aware of PAGE_SIZE buffer.
> > + *	@buf:	start of PAGE_SIZE buffer.
> > + *	@at:	offset in @buf to start write in bytes
> > + *		@at must be >= 0 && < PAGE_SIZE
> > + *	@fmt:	format
> > + *	@...:	optional arguments to @fmt
> > + *
> > + *
> > + * Returns number of characters written starting at &@buf[@at].
> > + */
> > +int sysfs_emit_at(char *buf, int at, const char *fmt, ...)
> > +{
> > +	va_list args;
> > +	int len;
> > +
> > +	if (WARN(!buf || offset_in_page(buf) || at < 0 || at >= PAGE_SIZE,
> > +		 "invalid sysfs_emit_at: buf:%p at:%d\n", buf, at))

Same:

	if (WARN_ONCE(!buf || offset_in_page(buf) || at < 0 || at >= PAGE_SIZE,
		 "invalid sysfs_emit_at: offset_in_page(buf):%zd at:%d\n",
		  buf ? offset_in_page(buf) : 0, at))

> > +		return 0;
> > +
> > +	va_start(args, fmt);
> > +	len = vscnprintf(buf + at, PAGE_SIZE - at, fmt, args);
> > +	va_end(args);
> > +
> > +	return len;
> > +}
> > +EXPORT_SYMBOL_GPL(sysfs_emit_at);
> 
> These feel sane, but I'm loath to have a ton of churn for no good
> reason.

I think the churn is worth it if we remove "seemingly wrong" code
patterns from the kernel. It's especially useful, IMO, for when there
are future mutations/refactorings and we don't end up with a bare
sprintf somewhere else.

> If we make all sysfs show/store functions use these calls instead of
> sprintf(), it "feels" like that might address the objections that people
> have had in the past where they are nervous about "bare" sprintf()
> calls, right?

I would think so. This is the kind of thing we did for %n in seq_file:
remove potential foot-gun API in favor of subsystem-specific safe API.

> It also might make things easier to audit where we can see much easier
> where sysfs files are doing "foolish" things by calling sysfs_emit_at()
> a bunch of times they shouldn't be, and maybe automate the documentation
> of sysfs files in a better way.

Indeed!

> So I guess I'm asking for another developer to at least agree that this
> feels like the right way forward here.  I don't want to start down this
> path, only to roll them all back as it feels like pointless churn.

With the changes above, I'd Ack it. :)

-- 
Kees Cook