From: Julia Lawall <julia.lawall@inria.fr> To: Joe Perches <joe@perches.com> Cc: Alex Dewar <alex.dewar90@gmail.com>, Rasmus Villemoes <linux@rasmusvillemoes.dk>, cocci <cocci@systeme.lip6.fr>, Kees Cook <keescook@chromium.org>, Greg Kroah-Hartman <gregkh@linuxfoundation.org>, linux-usb@vger.kernel.org, linux-kernel@vger.kernel.org, "Gustavo A. R. Silva" <gustavoars@kernel.org>, accessrunner-general@lists.sourceforge.net Subject: Re: [Cocci] [PATCH] usb: atm: don't use snprintf() for sysfs attrs Date: Thu, 27 Aug 2020 21:42:42 +0200 (CEST) [thread overview] Message-ID: <alpine.DEB.2.22.394.2008272141220.2482@hadrien> (raw) In-Reply-To: <5d1dfb9b031130d4d20763ec621233a19d6a88a2.camel@perches.com> On Thu, 27 Aug 2020, Joe Perches wrote: > On Thu, 2020-08-27 at 15:48 +0100, Alex Dewar wrote: > > On Thu, Aug 27, 2020 at 03:41:06PM +0200, Rasmus Villemoes wrote: > > > On 27/08/2020 15.18, Alex Dewar wrote: > > > > On Thu, Aug 27, 2020 at 09:15:37AM +0200, Greg Kroah-Hartman wrote: > > > > > On Thu, Aug 27, 2020 at 08:42:06AM +0200, Rasmus Villemoes wrote: > > > > > > On 25/08/2020 00.23, Alex Dewar wrote: > > > > > > > kernel/cpu.c: don't use snprintf() for sysfs attrs > > > > > > > > > > > > > > As per the documentation (Documentation/filesystems/sysfs.rst), > > > > > > > snprintf() should not be used for formatting values returned by sysfs. > > > > > > > > > > > > > > > > > > > Can we have a sysfs_sprintf() (could just be a macro that does sprintf) > > > > > > to make it clear to the next reader that we know we're in a sysfs show > > > > > > method? It would make auditing uses of sprintf() much easier. > > > > > > > > > > Code churn to keep code checkers quiet for pointless reasons? What > > > > > could go wrong with that... > > > > > > I did not (mean to) suggest replacing existing sprintf() calls in sysfs > > > show methods. But when changes _are_ being made, such as when replacing > > > snprintf() calls for whatever reasons, can we please not make it harder > > > for people doing manual audits (those are "code checkers" as well, I > > > suppose, but they do tend to only make noise when finding something). > > > > > > > > It should be pretty obvious to any reader that you are in a sysfs show > > > > > method, as almost all of them are trivially tiny and obvious. > > > > > > git grep doesn't immediately show that, not even with a suitable -C > > > argument, as you can't really know the potential callers unless you open > > > the file and see that the function is only assigned as a .show method. > > > And even that can be a pain because it's all hidden behind five levels > > > of magic macros that build identifiers with ##. > > > > > > > Perhaps I should have mentioned this in the commit message, but the problem > > > > is that snprintf() doesn't return the number of bytes written to the > > > > destination buffer, > > > > > > I'm perfectly well aware of that, TYVM (you may want to 'git log > > > --author Villemoes lib/vsprintf.c'). > > > > > > but the number of bytes that *would have been written if > > > > they fitted*, which may be more than the bounds specified [1]. So "return > > > > snprintf(...)" for sysfs attributes is an antipattern. If you need bounded > > > > string ops, scnprintf() is the way to go. Using snprintf() can give a > > > > false sense of security, because it isn't necessarily safe. > > > > > > Huh? This all seems utterly irrelevant WRT a change that replaces > > > PAGE_SIZE by INT_MAX (because that's what sprintf() is going to pretend > > > you passed). You get the same return value. > > > > > > But I'm not at all concerned about whether one passes the proper buffer > > > size or not in sysfs show methods; with my embedded hat on, I'm all for > > > saving a few bytes of .text here and there. The problem, as far as I'm > > > concerned, is merely that adding sprintf() callers makes it harder to > > > find the problematic sprintf() instances. > > > > > > > Apologies, I think I might have expressed myself poorly, being a kernel noob > > ;-). I know that this is a stylistic change rather than a functional > > one -- I meant that I was hoping that it would be helpful to get rid of bad > > uses of snprintf(). > > > > I really like your idea of helper methods though :-). If in show() > > methods we could have something like: > > return sysfs_itoa(buf, i); > > in place of: > > return sprintf(buf, "%d\n", i); > > > > ... then we wouldn't be introducing any new calls to sprintf() as you > > say, but we'd still be removing a call to snprintf() (which also may be > > problematic). Plus we'd have type checking on the argument. > > > > For returning strings, we could have a bounded and unbounded variant of > > the function. As it seems like only single values should be returned via > > sysfs, if we did things this way then it would only be these > > string-returning functions which could cause buffer overflow problems > > and kernel devs could focus their attention accordingly... > > > > What do people think? I'm happy to have a crack, provided this is > > actually a sensible thing to do! I'm looking for a newbie-level project > > to get started with. > > Not a bad idea. > > Coccinelle should be able to transform the various .show > methods to something sysfs_ prefixed in a fairly automated > way. Something like identifier f; fresh identifier = "sysfs" ## f; may be useful. Let me know if further help is needed. julia > > > > > _______________________________________________ > Cocci mailing list > Cocci@systeme.lip6.fr > https://systeme.lip6.fr/mailman/listinfo/cocci >
WARNING: multiple messages have this Message-ID (diff)
From: Julia Lawall <julia.lawall@inria.fr> To: Joe Perches <joe@perches.com> Cc: "Gustavo A. R. Silva" <gustavoars@kernel.org>, Kees Cook <keescook@chromium.org>, Greg Kroah-Hartman <gregkh@linuxfoundation.org>, linux-usb@vger.kernel.org, Rasmus Villemoes <linux@rasmusvillemoes.dk>, linux-kernel@vger.kernel.org, cocci <cocci@systeme.lip6.fr>, accessrunner-general@lists.sourceforge.net, Alex Dewar <alex.dewar90@gmail.com> Subject: Re: [Cocci] [PATCH] usb: atm: don't use snprintf() for sysfs attrs Date: Thu, 27 Aug 2020 21:42:42 +0200 (CEST) [thread overview] Message-ID: <alpine.DEB.2.22.394.2008272141220.2482@hadrien> (raw) In-Reply-To: <5d1dfb9b031130d4d20763ec621233a19d6a88a2.camel@perches.com> On Thu, 27 Aug 2020, Joe Perches wrote: > On Thu, 2020-08-27 at 15:48 +0100, Alex Dewar wrote: > > On Thu, Aug 27, 2020 at 03:41:06PM +0200, Rasmus Villemoes wrote: > > > On 27/08/2020 15.18, Alex Dewar wrote: > > > > On Thu, Aug 27, 2020 at 09:15:37AM +0200, Greg Kroah-Hartman wrote: > > > > > On Thu, Aug 27, 2020 at 08:42:06AM +0200, Rasmus Villemoes wrote: > > > > > > On 25/08/2020 00.23, Alex Dewar wrote: > > > > > > > kernel/cpu.c: don't use snprintf() for sysfs attrs > > > > > > > > > > > > > > As per the documentation (Documentation/filesystems/sysfs.rst), > > > > > > > snprintf() should not be used for formatting values returned by sysfs. > > > > > > > > > > > > > > > > > > > Can we have a sysfs_sprintf() (could just be a macro that does sprintf) > > > > > > to make it clear to the next reader that we know we're in a sysfs show > > > > > > method? It would make auditing uses of sprintf() much easier. > > > > > > > > > > Code churn to keep code checkers quiet for pointless reasons? What > > > > > could go wrong with that... > > > > > > I did not (mean to) suggest replacing existing sprintf() calls in sysfs > > > show methods. But when changes _are_ being made, such as when replacing > > > snprintf() calls for whatever reasons, can we please not make it harder > > > for people doing manual audits (those are "code checkers" as well, I > > > suppose, but they do tend to only make noise when finding something). > > > > > > > > It should be pretty obvious to any reader that you are in a sysfs show > > > > > method, as almost all of them are trivially tiny and obvious. > > > > > > git grep doesn't immediately show that, not even with a suitable -C > > > argument, as you can't really know the potential callers unless you open > > > the file and see that the function is only assigned as a .show method. > > > And even that can be a pain because it's all hidden behind five levels > > > of magic macros that build identifiers with ##. > > > > > > > Perhaps I should have mentioned this in the commit message, but the problem > > > > is that snprintf() doesn't return the number of bytes written to the > > > > destination buffer, > > > > > > I'm perfectly well aware of that, TYVM (you may want to 'git log > > > --author Villemoes lib/vsprintf.c'). > > > > > > but the number of bytes that *would have been written if > > > > they fitted*, which may be more than the bounds specified [1]. So "return > > > > snprintf(...)" for sysfs attributes is an antipattern. If you need bounded > > > > string ops, scnprintf() is the way to go. Using snprintf() can give a > > > > false sense of security, because it isn't necessarily safe. > > > > > > Huh? This all seems utterly irrelevant WRT a change that replaces > > > PAGE_SIZE by INT_MAX (because that's what sprintf() is going to pretend > > > you passed). You get the same return value. > > > > > > But I'm not at all concerned about whether one passes the proper buffer > > > size or not in sysfs show methods; with my embedded hat on, I'm all for > > > saving a few bytes of .text here and there. The problem, as far as I'm > > > concerned, is merely that adding sprintf() callers makes it harder to > > > find the problematic sprintf() instances. > > > > > > > Apologies, I think I might have expressed myself poorly, being a kernel noob > > ;-). I know that this is a stylistic change rather than a functional > > one -- I meant that I was hoping that it would be helpful to get rid of bad > > uses of snprintf(). > > > > I really like your idea of helper methods though :-). If in show() > > methods we could have something like: > > return sysfs_itoa(buf, i); > > in place of: > > return sprintf(buf, "%d\n", i); > > > > ... then we wouldn't be introducing any new calls to sprintf() as you > > say, but we'd still be removing a call to snprintf() (which also may be > > problematic). Plus we'd have type checking on the argument. > > > > For returning strings, we could have a bounded and unbounded variant of > > the function. As it seems like only single values should be returned via > > sysfs, if we did things this way then it would only be these > > string-returning functions which could cause buffer overflow problems > > and kernel devs could focus their attention accordingly... > > > > What do people think? I'm happy to have a crack, provided this is > > actually a sensible thing to do! I'm looking for a newbie-level project > > to get started with. > > Not a bad idea. > > Coccinelle should be able to transform the various .show > methods to something sysfs_ prefixed in a fairly automated > way. Something like identifier f; fresh identifier = "sysfs" ## f; may be useful. Let me know if further help is needed. julia > > > > > _______________________________________________ > Cocci mailing list > Cocci@systeme.lip6.fr > https://systeme.lip6.fr/mailman/listinfo/cocci > _______________________________________________ Cocci mailing list Cocci@systeme.lip6.fr https://systeme.lip6.fr/mailman/listinfo/cocci
next prev parent reply other threads:[~2020-08-27 19:42 UTC|newest] Thread overview: 54+ messages / expand[flat|nested] mbox.gz Atom feed top 2020-08-24 22:23 [PATCH] usb: atm: don't use snprintf() for sysfs attrs Alex Dewar 2020-08-25 8:12 ` David Laight 2020-08-25 8:17 ` Alex Dewar 2020-08-25 9:07 ` David Laight 2020-08-25 8:24 ` Greg Kroah-Hartman 2020-08-27 16:49 ` Kees Cook 2020-08-27 17:45 ` Greg Kroah-Hartman 2020-08-27 6:42 ` Rasmus Villemoes 2020-08-27 7:15 ` Greg Kroah-Hartman 2020-08-27 13:18 ` Alex Dewar 2020-08-27 13:41 ` Rasmus Villemoes 2020-08-27 14:48 ` Alex Dewar 2020-08-27 16:58 ` Joe Perches 2020-08-27 16:58 ` [Cocci] " Joe Perches 2020-08-27 19:42 ` Julia Lawall [this message] 2020-08-27 19:42 ` Julia Lawall 2020-08-27 20:29 ` Joe Perches 2020-08-27 20:29 ` Joe Perches 2020-08-27 21:00 ` Joe Perches 2020-08-27 21:00 ` Joe Perches 2020-08-27 21:29 ` Julia Lawall 2020-08-27 21:29 ` Julia Lawall 2020-08-27 22:03 ` David Laight 2020-08-27 22:03 ` David Laight 2020-08-27 22:11 ` Joe Perches 2020-08-27 22:11 ` Joe Perches 2020-08-27 22:16 ` Kees Cook 2020-08-27 22:16 ` Kees Cook 2020-08-27 21:01 ` Denis Efremov 2020-08-27 21:01 ` Denis Efremov 2020-08-27 21:36 ` Julia Lawall 2020-08-27 21:36 ` Julia Lawall 2020-08-27 21:44 ` Joe Perches 2020-08-27 21:44 ` Joe Perches 2020-08-27 22:38 ` Denis Efremov 2020-08-27 22:38 ` Denis Efremov 2020-08-27 22:48 ` Joe Perches 2020-08-27 22:48 ` Joe Perches 2020-08-27 22:20 ` Kees Cook 2020-08-27 22:20 ` Kees Cook 2020-08-27 22:45 ` Joe Perches 2020-08-27 22:45 ` Joe Perches 2020-08-28 4:12 ` Joe Perches 2020-08-28 4:12 ` Joe Perches 2020-08-28 7:58 ` Kees Cook 2020-08-28 7:58 ` Kees Cook 2020-08-28 8:10 ` Joe Perches 2020-08-28 8:10 ` Joe Perches 2020-08-28 8:22 ` Joe Perches 2020-08-28 8:22 ` Joe Perches 2020-08-28 7:39 ` David Laight 2020-08-28 7:39 ` David Laight 2020-08-27 21:54 ` David Laight 2020-08-27 21:54 ` [Cocci] " David Laight
Reply instructions: You may reply publicly to this message via plain-text email using any one of the following methods: * Save the following mbox file, import it into your mail client, and reply-to-all from there: mbox Avoid top-posting and favor interleaved quoting: https://en.wikipedia.org/wiki/Posting_style#Interleaved_style * Reply using the --to, --cc, and --in-reply-to switches of git-send-email(1): git send-email \ --in-reply-to=alpine.DEB.2.22.394.2008272141220.2482@hadrien \ --to=julia.lawall@inria.fr \ --cc=accessrunner-general@lists.sourceforge.net \ --cc=alex.dewar90@gmail.com \ --cc=cocci@systeme.lip6.fr \ --cc=gregkh@linuxfoundation.org \ --cc=gustavoars@kernel.org \ --cc=joe@perches.com \ --cc=keescook@chromium.org \ --cc=linux-kernel@vger.kernel.org \ --cc=linux-usb@vger.kernel.org \ --cc=linux@rasmusvillemoes.dk \ /path/to/YOUR_REPLY https://kernel.org/pub/software/scm/git/docs/git-send-email.html * If your mail client supports setting the In-Reply-To header via mailto: links, try the mailto: linkBe sure your reply has a Subject: header at the top and a blank line before the message body.
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.