Date:   Sun, 30 Aug 2020 00:37:17 +0100
From:   Alex Dewar <alex.dewar90@...il.com>
To:     unlisted-recipients:; (no To-header on input)
Cc:     Alex Dewar <alex.dewar90@...il.com>,
        Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
        "Rafael J. Wysocki" <rafael@...nel.org>,
        Christian Brauner <christian.brauner@...ntu.com>,
        "David S. Miller" <davem@...emloft.net>,
        Nayna Jain <nayna@...ux.ibm.com>,
        Dan Williams <dan.j.williams@...el.com>,
        Mauro Carvalho Chehab <mchehab+huawei@...nel.org>,
        Sourabh Jain <sourabhjain@...ux.ibm.com>,
        linux-kernel@...r.kernel.org
Subject: [PATCH RFC 2/2] sysfs: add helper macro for showing simple integer values

sysfs attributes are supposed to be only single values, which are
printed into a buffer of PAGE_SIZE. Accordingly, for many simple
attributes, sprintf() can be used like so:
	static ssize_t my_show(..., char *buf)
	{
		...
		return sprintf(buf, "%d\n", my_integer);
	}

The problem is that whilst this use of sprintf() is memory safe, other
cases where e.g. a possibly unterminated string is passed as input, are
not and so use of sprintf() here might make it more difficult to
identify these problematic cases.

Define a macro, sysfs_sprinti(), which outputs the value of a single
integer to a buffer (with terminating "\n\0") and returns the size written.
This way, we can convert over some of the trivially correct users of
sprintf() and decrease its usage in the kernel source tree.

Another advantage of this approach is that we can now statically check
the type of the integer so that e.g. an unsigned long long will be
formatted as %llu. This will fix cases where the wrong format string has
been passed to sprintf().

Signed-off-by: Alex Dewar <alex.dewar90@...il.com>
---
 include/linux/sysfs.h | 31 +++++++++++++++++++++++++++++++
 1 file changed, 31 insertions(+)

diff --git a/include/linux/sysfs.h b/include/linux/sysfs.h
index 26e7d9f69dfd..763316788153 100644
--- a/include/linux/sysfs.h
+++ b/include/linux/sysfs.h
@@ -197,6 +197,37 @@ sysfs_strscpy((dest), (src),                                         \
 		)                                                     \
 )
 
+/**
+ *	sysfs_sprinti - emit an integer-type value from a sysfs show method
+ *	@buf: destination buffer
+ *	@x: the variable whose value is to be shown
+ *
+ *	The appropriate format is passed to sprintf() according to the type of
+ *	x, preventing accidental misuse of format strings.
+ */
+#define sysfs_sprinti(buf, x)                                                               \
+({                                                                                          \
+	BUILD_BUG_ON(!__builtin_types_compatible_p(typeof(x), unsigned int) &&               \
+			!__builtin_types_compatible_p(typeof(x), unsigned long) &&           \
+			!__builtin_types_compatible_p(typeof(x), unsigned long long) &&      \
+			!__builtin_types_compatible_p(typeof(x), int) &&                     \
+			!__builtin_types_compatible_p(typeof(x), short) &&                   \
+			!__builtin_types_compatible_p(typeof(x), unsigned short));           \
+	__builtin_choose_expr(                                                               \
+		__builtin_types_compatible_p(typeof(x), unsigned int),                       \
+		sprintf(buf, "%u\n", (unsigned int)(x)),                                     \
+		__builtin_choose_expr(                                                       \
+			__builtin_types_compatible_p(typeof(x), unsigned long),              \
+			sprintf(buf, "%lu\n", (unsigned long)(x)),                           \
+			__builtin_choose_expr(                                               \
+				__builtin_types_compatible_p(typeof(x), unsigned long long), \
+				sprintf(buf, "%llu\n", (unsigned long long)(x)),             \
+				sprintf(buf, "%d\n", (int)(x))                               \
+			)                                                                    \
+		)                                                                            \
+	);                                                                                   \
+})
+
 struct file;
 struct vm_area_struct;
 
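Review bot: the BUILD_BUG_ON() type list in sysfs_sprinti() has no entry for signed long or signed long long, so a show method holding one of those types fails to build and has to stay on a hand-written sprintf(), which is the pattern this helper is meant to replace. Consider adding both to the accepted list with their own __builtin_choose_expr() arms using "%ld\n" and "%lld\n", rather than letting anything reach the final "%d\n" arm with its (int)(x) cast. The kernel-doc block should also list the accepted types and add a Return: line stating that the result is the number of bytes written, excluding the terminating NUL. As a style point, buf is used unparenthesized in every sprintf(buf, ...) call while x is always wrapped as (x); writing (buf) keeps the macro arguments consistent.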
-- 
2.28.0
