lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date:   Fri, 07 Oct 2022 15:49:42 +0200
From:   Johannes Berg <johannes@...solutions.net>
To:     Edward Cree <ecree.xilinx@...il.com>, ecree@...inx.com,
        netdev@...r.kernel.org, linux-net-drivers@....com
Cc:     davem@...emloft.net, kuba@...nel.org, pabeni@...hat.com,
        edumazet@...gle.com, habetsm.xilinx@...il.com,
        marcelo.leitner@...il.com
Subject: Re: [RFC PATCH net-next 1/3] netlink: add support for formatted
 extack messages

On Fri, 2022-10-07 at 14:46 +0100, Edward Cree wrote:
> On 07/10/2022 14:35, Johannes Berg wrote:
> > 
> > > +#define NL_SET_ERR_MSG_FMT(extack, fmt, args...) do {		\
> > > +	struct netlink_ext_ack *__extack = (extack);		\
> > > +								\
> > > +	scnprintf(__extack->_msg_buf, NETLINK_MAX_FMTMSG_LEN,	\
> > > +		  (fmt), ##args);				\
> > 
> > Maybe that should print some kind of warning if the string was longer
> > than the buffer? OTOH, I guess the user would notice anyway, and until
> > you run the code nobody can possibly notice ... too bad then?
> > 
> > Maybe we could at least _statically_ make sure that the *format* string
> > (fmt) is shorter than say 60 chars or something to give some wiggle room
> > for the print expansion?
> > 
> > 	/* allow 20 chars for format expansion */
> > 	BUILD_BUG_ON(strlen(fmt) > NETLINK_MAX_FMTMSG_LEN - 20);
> > 
> > might even work? Just as a sanity check.
> 
> Hmm, I don't think we want to prohibit the case of (say) a 78-char format
>  string with one %d that's always small-valued in practice.
> In fact if you have lots of % in the format string the output could be
>  significantly *shorter* than fmt.
> So while I do like the idea of a sanity check, I don't see how to do it
>  without imposing unnecessary limitations.
> 

Yeah, I agree. We could runtime warn but that's also pretty useless.

I guess we just have to be careful - but I know from experience that
won't work ;-)

(and some things like %pM or even %p*H can expand a lot anyway)

Unless maybe we printed a warning together with the full string, so the
user could recover it? WARN_ON() isn't useful though, the string should
be enough to understand where it came from.

Anyway just thinking out loud :)

johannes

Powered by blists - more mailing lists