| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sat, 14 Sep 2013 03:17:56 +0100 From: Al Viro <viro@...IV.linux.org.uk> To: Kees Cook <keescook@...omium.org> Cc: Joe Perches <joe@...ches.com>, George Spelvin <linux@...izon.com>, Andrew Morton <akpm@...ux-foundation.org>, Dan Carpenter <dan.carpenter@...cle.com>, "David S. Miller" <davem@...emloft.net>, Eldad Zack <eldad@...refinery.com>, Jan Beulich <jbeulich@...e.com>, Jiri Kosina <jkosina@...e.cz>, LKML <linux-kernel@...r.kernel.org>, Randy Dunlap <rdunlap@...radead.org>, Tetsuo Handa <penguin-kernel@...ove.sakura.ne.jp> Subject: Re: [PATCH] vsprintf: drop comment claiming %n is ignored On Fri, Sep 13, 2013 at 04:03:25PM -0700, Kees Cook wrote: > Maybe I missed this somewhere in the thread, but I'm not sure I > understand the move to "void". Here's what I see, please correct me: > > 1- seq_printf currently returns success/failure > 2- some callers of seq_printf (correctly) use the return value as > success/failure indication Not all uses as success/failure are right, at that - you should *NOT* return non-zero from ->show() on overflow. Ever. It should only happen when you have a hard error and do *not* want the operation retried. On success ->show() returns zero - not the number of characters written or anything like that. > 3- some callers of seq_printf (incorrectly) use the return value as a > length indication > 4- both success/failure and length are important outputs from seq_printf Not really. Success/failure is used if you want to optimize ->show() a bit; usually you don't. Again, failure == overflow and it's both rare *and* will cause all subsequent seq_...() to be no-ops until the retry. Which retry will follow. Shortly. > 5- we need a way to access the length written during the call _Very_ rarely. And I'd seriously suggest the use of %n in such cases. > 6- want to minimize impact on the code base Majority of the code base simply calls seq_printf() without caring what it returns. Very small minority is broken and needs to be fixed. > Due to 1 and 2, it seems like there's no sense in changing the return > value to void. Success/failure is already returned, and there are > users of it. No sense changing them. ... most of them incorrect. > The normal way to handle multiple return values (4 and 5) is to add a > pointer argument. For example: seq_printf(s, &len, fmt, args...) where > len can be NULL. But this runs against 6. > > Due to 6, to solve 4 and 5, usually macro or inline tricks are used, > for example: > > __printf(3, 4) int seq_printf_len(struct seq_file *, size_t *len, ...); > #define seq_printf(s, fmt, ...) seq_printf_len(s, NULL, fmt, ##__VA_ARGS__) > > With this, solving 3 becomes possible (your void patch has already > detected all the users of the return value, so we can sort out which > expect length and which expect success/failure), and lets us actually > remove the %n uses trivially too. Consider that NAKed. Reason: fucking ugly and pointless at the same time. I don't believe that seq_printf() itself needs to be changed at all (or that %n should be removed, actually). Callers should be audited and fixed, of course. With dire warnings added to seq_file.[ch]. And no, it shouldn't be returning void - the current calling conventions are actually right. -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists