Re: [Cocci] [PATCH] usb: atm: don't use snprintf() for sysfs attrs
On Thu, 2020-08-27 at 15:45 -0700, Joe Perches wrote: > On Thu, 2020-08-27 at 15:20 -0700, Kees Cook wrote: > > On Fri, Aug 28, 2020 at 12:01:34AM +0300, Denis Efremov wrote: > > > Just FYI, I've send an addition to the device_attr_show.cocci script[1] > > > to turn > > > simple cases of snprintf (e.g. "%i") to sprintf. Looks like many > > > developers would > > > like it more than changing snprintf to scnprintf. As for me, I don't like > > > the idea > > > of automated altering of the original logic from bounded snprint to > > > unbouded one > > > with sprintf. > > > > Agreed. This just makes me cringe. If the API design declares that when > > a show() callback starts, buf has been allocated with PAGE_SIZE bytes, > > then that's how the logic should proceed, and it should be using > > scnprintf... > > > > show(...) { > > size_t remaining = PAGE_SIZE; > > > > ... > > remaining -= scnprintf(buf, remaining, "fmt", var args ...); > > remaining -= scnprintf(buf, remaining, "fmt", var args ...); > > remaining -= scnprintf(buf, remaining, "fmt", var args ...); > > > > return PAGE_SIZE - remaining; > > } > > It seems likely that coccinelle could do those transform > with any of sprintf/snprintf/scnprint too. > > Though my bikeshed would use a single function and have > that function know the maximum output size Perhaps something like the below with a sample conversion that uses single and multiple sysfs_emit uses. I believe coccinelle can _mostly_ automated this. --- fs/sysfs/file.c | 30 ++ include/linux/sysfs.h | 8 kernel/power/main.c | 49 ++--- 3 files changed, 64 insertions(+), 23 deletions(-) diff --git a/fs/sysfs/file.c b/fs/sysfs/file.c index eb6897ab78e7..c0ff3ba8e373 100644 --- a/fs/sysfs/file.c +++ b/fs/sysfs/file.c @@ -707,3 +707,33 @@ int sysfs_change_owner(struct kobject *kobj, kuid_t kuid, kgid_t kgid) return 0; } EXPORT_SYMBOL_GPL(sysfs_change_owner); + +/** + * sysfs_emit - scnprintf equivalent, aware of PAGE_SIZE buffer. + * @buf: start of PAGE_SIZE buffer. + * @pos: current position in buffer + * (pos - buf) must always be < PAGE_SIZE + * @fmt: format + * @...: arguments to format + * + * + * Returns number of characters written at pos. + */ +int sysfs_emit(char *buf, char *pos, const char *fmt, ...) +{ + int len; + va_list args; + + WARN(pos < buf, "pos < buf\n"); + WARN(pos - buf >= PAGE_SIZE, "pos >= PAGE_SIZE (%tu > %lu)\n", +pos - buf, PAGE_SIZE); + if (pos < buf || pos - buf >= PAGE_SIZE) + return 0; + + va_start(args, fmt); + len = vscnprintf(pos, PAGE_SIZE - (pos - buf), fmt, args); + va_end(args); + + return len; +} +EXPORT_SYMBOL_GPL(sysfs_emit); diff --git a/include/linux/sysfs.h b/include/linux/sysfs.h index 34e84122f635..5a21d3d30016 100644 --- a/include/linux/sysfs.h +++ b/include/linux/sysfs.h @@ -329,6 +329,8 @@ int sysfs_groups_change_owner(struct kobject *kobj, int sysfs_group_change_owner(struct kobject *kobj, const struct attribute_group *groups, kuid_t kuid, kgid_t kgid); +__printf(3, 4) +int sysfs_emit(char *buf, char *pos, const char *fmt, ...); #else /* CONFIG_SYSFS */ @@ -576,6 +578,12 @@ static inline int sysfs_group_change_owner(struct kobject *kobj, return 0; } +__printf(3, 4) +static inline int sysfs_emit(char *buf, char *pos, const char *fmt, ...) +{ + return 0; +} + #endif /* CONFIG_SYSFS */ static inline int __must_check sysfs_create_file(struct kobject *kobj, diff --git a/kernel/power/main.c b/kernel/power/main.c index 40f86ec4ab30..f3fb9f255234 100644 --- a/kernel/power/main.c +++ b/kernel/power/main.c @@ -100,7 +100,7 @@ int pm_async_enabled = 1; static ssize_t pm_async_show(struct kobject *kobj, struct kobj_attribute *attr, char *buf) { - return sprintf(buf, "%d\n", pm_async_enabled); + return sysfs_emit(buf, buf, "%d\n", pm_async_enabled); } static ssize_t pm_async_store(struct kobject *kobj, struct kobj_attribute *attr, @@ -124,7 +124,7 @@ power_attr(pm_async); static ssize_t mem_sleep_show(struct kobject *kobj, struct kobj_attribute *attr, char *buf) { - char *s = buf; + char *pos = buf; suspend_state_t i; for (i = PM_SUSPEND_MIN; i < PM_SUSPEND_MAX; i++) @@ -132,16 +132,16 @@ static ssize_t mem_sleep_show(struct kobject *kobj, struct kobj_attribute *attr, const char *label = mem_sleep_states[i]; if (mem_sleep_current == i) - s += sprintf(s, "[%s] ", label); + pos += sysfs_emit(buf, pos, "[%s] ", label); else - s += sprintf(s, "%s ", label); +
Re: [Cocci] [PATCH] usb: atm: don't use snprintf() for sysfs attrs
On Fri, 2020-08-28 at 01:38 +0300, Denis Efremov wrote: > > This will match it (the difference is in the ';'): thanks. ___ Cocci mailing list Cocci@systeme.lip6.fr https://systeme.lip6.fr/mailman/listinfo/cocci
Re: [Cocci] [PATCH] usb: atm: don't use snprintf() for sysfs attrs
On Thu, 2020-08-27 at 15:20 -0700, Kees Cook wrote: > On Fri, Aug 28, 2020 at 12:01:34AM +0300, Denis Efremov wrote: > > Just FYI, I've send an addition to the device_attr_show.cocci script[1] to > > turn > > simple cases of snprintf (e.g. "%i") to sprintf. Looks like many developers > > would > > like it more than changing snprintf to scnprintf. As for me, I don't like > > the idea > > of automated altering of the original logic from bounded snprint to > > unbouded one > > with sprintf. > > Agreed. This just makes me cringe. If the API design declares that when > a show() callback starts, buf has been allocated with PAGE_SIZE bytes, > then that's how the logic should proceed, and it should be using > scnprintf... > > show(...) { > size_t remaining = PAGE_SIZE; > > ... > remaining -= scnprintf(buf, remaining, "fmt", var args ...); > remaining -= scnprintf(buf, remaining, "fmt", var args ...); > remaining -= scnprintf(buf, remaining, "fmt", var args ...); > > return PAGE_SIZE - remaining; > } It seems likely that coccinelle could do those transform with any of sprintf/snprintf/scnprint too. Though my bikeshed would use a single function and have that function know the maximum output size Something like: With single line use: return sysfs_emit(buf, buf, fmt, ...) - buf; and multi-line use: char *pos = buf; pos = sysfs_emit(buf, pos, fmt1, ...); pos = sysfs_emit(buf, pos, fmt2, ...); ... return pos - buf; ___ Cocci mailing list Cocci@systeme.lip6.fr https://systeme.lip6.fr/mailman/listinfo/cocci
Re: [Cocci] [PATCH] usb: atm: don't use snprintf() for sysfs attrs
> > I tried: > @@ > identifier f_show =~ "^.*_show$"; This will miss this kind of functions: ./drivers/gpu/drm/amd/amdgpu/amdgpu_atombios.c:1953:static DEVICE_ATTR(vbios_version, 0444, amdgpu_atombios_get_vbios_version, ./drivers/gpu/drm/amd/amdgpu/df_v3_6.c:266:static DEVICE_ATTR(df_cntr_avail, S_IRUGO, df_v3_6_get_df_cntr_avail, NULL); ./drivers/input/touchscreen/melfas_mip4.c:1348:static DEVICE_ATTR(fw_version, S_IRUGO, mip4_sysfs_read_fw_version, NULL); ./drivers/input/touchscreen/melfas_mip4.c:1373:static DEVICE_ATTR(hw_version, S_IRUGO, mip4_sysfs_read_hw_version, NULL); ./drivers/input/touchscreen/melfas_mip4.c:1392:static DEVICE_ATTR(product_id, S_IRUGO, mip4_sysfs_read_product_id, NULL); ... > identifier dev, attr, buf; > const char *chr; > @@ > ssize_t f_show(struct device *dev, struct device_attribute *attr, char > *buf) > { > <... > ( > - sprintf > + sysfs_sprintf > (...); > | > - snprintf(buf, PAGE_SIZE, > + sysfs_sprintf(buf, > ...); > | > - scnprintf(buf, PAGE_SIZE, > + sysfs_sprintf(buf, > ...); > | > strcpy(buf, chr); > sysfs_strcpy(buf, chr); > ) > ...> > } > > which finds direct statements without an assign > but that doesn't find > > arch/arm/common/dmabounce.c:static ssize_t dmabounce_show(struct device *dev, > struct device_attribute *attr, char *buf) > arch/arm/common/dmabounce.c-{ > arch/arm/common/dmabounce.c-struct dmabounce_device_info *device_info = > dev->archdata.dmabounce; > arch/arm/common/dmabounce.c-return sprintf(buf, "%lu %lu %lu %lu %lu > %lu\n", > arch/arm/common/dmabounce.c-device_info->small.allocs, > arch/arm/common/dmabounce.c-device_info->large.allocs, > arch/arm/common/dmabounce.c-device_info->total_allocs - > device_info->small.allocs - > arch/arm/common/dmabounce.c-device_info->large.allocs, > arch/arm/common/dmabounce.c-device_info->total_allocs, > arch/arm/common/dmabounce.c-device_info->map_op_count, > arch/arm/common/dmabounce.c-device_info->bounce_count); > arch/arm/common/dmabounce.c-} > This will match it (the difference is in the ';'): @@ identifier f_show =~ "^.*_show$"; identifier dev, attr, buf; @@ ssize_t f_show(struct device *dev, struct device_attribute *attr, char *buf) { <... - sprintf + sysfs_sprintf (...) ...> } Regards, Denis ___ Cocci mailing list Cocci@systeme.lip6.fr https://systeme.lip6.fr/mailman/listinfo/cocci
Re: [Cocci] [PATCH] usb: atm: don't use snprintf() for sysfs attrs
On Thu, 2020-08-27 at 22:03 +, David Laight wrote: > From: Joe Perches > > Sent: 27 August 2020 21:30 > ... > > Perhaps what's necessary is to find any > > appropriate .show function and change > > any use of strcpy/sprintf within those > > function to some other name. > > > > For instance: > > > > drivers/isdn/mISDN/core.c-static ssize_t name_show(struct device *dev, > > drivers/isdn/mISDN/core.c- struct device_attribute > > *attr, char *buf) > > drivers/isdn/mISDN/core.c-{ > > drivers/isdn/mISDN/core.c: strcpy(buf, dev_name(dev)); > > drivers/isdn/mISDN/core.c- return strlen(buf); > > drivers/isdn/mISDN/core.c-} > > drivers/isdn/mISDN/core.c-static DEVICE_ATTR_RO(name); > > That form ends up calculating the string length twice. > Better would be: > len = strlen(msg); > memcpy(buf, msg, len); > return len; or given clang's requirement for stpcpy return stpcpy(buf, dev_name(dev)) - buf; (I do not advocate for this ;) ___ Cocci mailing list Cocci@systeme.lip6.fr https://systeme.lip6.fr/mailman/listinfo/cocci
Re: [Cocci] [PATCH] usb: atm: don't use snprintf() for sysfs attrs
On Fri, Aug 28, 2020 at 12:01:34AM +0300, Denis Efremov wrote: > Just FYI, I've send an addition to the device_attr_show.cocci script[1] to > turn > simple cases of snprintf (e.g. "%i") to sprintf. Looks like many developers > would > like it more than changing snprintf to scnprintf. As for me, I don't like the > idea > of automated altering of the original logic from bounded snprint to unbouded > one > with sprintf. Agreed. This just makes me cringe. If the API design declares that when a show() callback starts, buf has been allocated with PAGE_SIZE bytes, then that's how the logic should proceed, and it should be using scnprintf... show(...) { size_t remaining = PAGE_SIZE; ... remaining -= scnprintf(buf, remaining, "fmt", var args ...); remaining -= scnprintf(buf, remaining, "fmt", var args ...); remaining -= scnprintf(buf, remaining, "fmt", var args ...); return PAGE_SIZE - remaining; } -- Kees Cook ___ Cocci mailing list Cocci@systeme.lip6.fr https://systeme.lip6.fr/mailman/listinfo/cocci
Re: [Cocci] [PATCH] usb: atm: don't use snprintf() for sysfs attrs
On Thu, Aug 27, 2020 at 03:11:57PM -0700, Joe Perches wrote: > On Thu, 2020-08-27 at 22:03 +, David Laight wrote: > > From: Joe Perches > > > Sent: 27 August 2020 21:30 > > ... > > > Perhaps what's necessary is to find any > > > appropriate .show function and change > > > any use of strcpy/sprintf within those > > > function to some other name. > > > > > > For instance: > > > > > > drivers/isdn/mISDN/core.c-static ssize_t name_show(struct device *dev, > > > drivers/isdn/mISDN/core.c- struct device_attribute > > > *attr, char *buf) > > > drivers/isdn/mISDN/core.c-{ > > > drivers/isdn/mISDN/core.c: strcpy(buf, dev_name(dev)); > > > drivers/isdn/mISDN/core.c- return strlen(buf); > > > drivers/isdn/mISDN/core.c-} > > > drivers/isdn/mISDN/core.c-static DEVICE_ATTR_RO(name); > > > > That form ends up calculating the string length twice. > > Better would be: > > len = strlen(msg); > > memcpy(buf, msg, len); > > return len; > > or given clang's requirement for stpcpy > > return stpcpy(buf, dev_name(dev)) - buf; > > (I do not advocate for this ;) Heh. And humans aren't allowed to use stpcpy() in the kernel. :) -- Kees Cook ___ Cocci mailing list Cocci@systeme.lip6.fr https://systeme.lip6.fr/mailman/listinfo/cocci
Re: [Cocci] [PATCH] usb: atm: don't use snprintf() for sysfs attrs
On Thu, 2020-08-27 at 23:36 +0200, Julia Lawall wrote: > On Fri, 28 Aug 2020, Denis Efremov wrote: [] > Regarding current device_attr_show.cocci implementation, it detects the > functions > > by declaration: > > ssize_t any_name(struct device *dev, struct device_attribute *attr, char > > *buf) > > > > and I limited the check to: > > "return snprintf" > > pattern because there are already too many warnings. > > > > Actually, it looks more correct to check for: > > ssize_t show(struct device *dev, struct device_attribute *attr, char *buf) > > { > > <... > > * snprintf@p(...); > > ...> > > } > > > > This pattern should also highlight the snprintf calls there we save returned > > value in a var, e.g.: > > > > ret += snprintf(...); > > ... > > ret += snprintf(...); > > ... > > ret += snprintf(...); > > > > return ret; > > > > > Something like > > > > > > identifier f; > > > fresh identifier = "sysfs" ## f; > > > > > > may be useful. Let me know if further help is needed. > > > > Initially, I wrote the rule to search for DEVICE_ATTR(..., ..., func_name, > > ...) > > This is what I would have expected. > > > functions. However, it looks like matching function prototype is enough. At > > least, > > I failed to find false positives. I rejected the initial DEVICE_ATTR() > > searching > > because I thought that it's impossible to handle > > DEVICE_ATTR_RO()/DEVICE_ATTR_RW() > > macroses with coccinelle as they "generate" function names internally with > > "##". "fresh identifier" should really help here, but now I doubt it's > > required in > > device_attr_show.cocci, function prototype is enough. > > It's true that it is probably unique enough. I tried: @@ identifier f_show =~ "^.*_show$"; identifier dev, attr, buf; const char *chr; @@ ssize_t f_show(struct device *dev, struct device_attribute *attr, char *buf) { <... ( - sprintf + sysfs_sprintf (...); | - snprintf(buf, PAGE_SIZE, + sysfs_sprintf(buf, ...); | - scnprintf(buf, PAGE_SIZE, + sysfs_sprintf(buf, ...); | strcpy(buf, chr); sysfs_strcpy(buf, chr); ) ...> } which finds direct statements without an assign but that doesn't find arch/arm/common/dmabounce.c:static ssize_t dmabounce_show(struct device *dev, struct device_attribute *attr, char *buf) arch/arm/common/dmabounce.c-{ arch/arm/common/dmabounce.c-struct dmabounce_device_info *device_info = dev->archdata.dmabounce; arch/arm/common/dmabounce.c-return sprintf(buf, "%lu %lu %lu %lu %lu %lu\n", arch/arm/common/dmabounce.c-device_info->small.allocs, arch/arm/common/dmabounce.c-device_info->large.allocs, arch/arm/common/dmabounce.c-device_info->total_allocs - device_info->small.allocs - arch/arm/common/dmabounce.c-device_info->large.allocs, arch/arm/common/dmabounce.c-device_info->total_allocs, arch/arm/common/dmabounce.c-device_info->map_op_count, arch/arm/common/dmabounce.c-device_info->bounce_count); arch/arm/common/dmabounce.c-} ___ Cocci mailing list Cocci@systeme.lip6.fr https://systeme.lip6.fr/mailman/listinfo/cocci
Re: [Cocci] [PATCH] usb: atm: don't use snprintf() for sysfs attrs
On Fri, 28 Aug 2020, Denis Efremov wrote: > Hi all, > > On 8/27/20 10:42 PM, Julia Lawall wrote: > > > > > > On Thu, 27 Aug 2020, Joe Perches wrote: > > > >> On Thu, 2020-08-27 at 15:48 +0100, Alex Dewar wrote: > >>> On Thu, Aug 27, 2020 at 03:41:06PM +0200, Rasmus Villemoes wrote: > On 27/08/2020 15.18, Alex Dewar wrote: > > On Thu, Aug 27, 2020 at 09:15:37AM +0200, Greg Kroah-Hartman wrote: > >> On Thu, Aug 27, 2020 at 08:42:06AM +0200, Rasmus Villemoes wrote: > >>> On 25/08/2020 00.23, Alex Dewar wrote: > kernel/cpu.c: don't use snprintf() for sysfs attrs > > As per the documentation (Documentation/filesystems/sysfs.rst), > snprintf() should not be used for formatting values returned by > sysfs. > > Just FYI, I've send an addition to the device_attr_show.cocci script[1] to > turn > simple cases of snprintf (e.g. "%i") to sprintf. Looks like many developers > would > like it more than changing snprintf to scnprintf. As for me, I don't like the > idea > of automated altering of the original logic from bounded snprint to unbouded > one > with sprintf. > > [1] https://lkml.org/lkml/2020/8/13/786 > > Regarding current device_attr_show.cocci implementation, it detects the > functions > by declaration: > ssize_t any_name(struct device *dev, struct device_attribute *attr, char *buf) > > and I limited the check to: > "return snprintf" > pattern because there are already too many warnings. > > Actually, it looks more correct to check for: > ssize_t show(struct device *dev, struct device_attribute *attr, char *buf) > { > <... > * snprintf@p(...); > ...> > } > > This pattern should also highlight the snprintf calls there we save returned > value in a var, e.g.: > > ret += snprintf(...); > ... > ret += snprintf(...); > ... > ret += snprintf(...); > > return ret; > > > > > Something like > > > > identifier f; > > fresh identifier = "sysfs" ## f; > > > > may be useful. Let me know if further help is needed. > > Initially, I wrote the rule to search for DEVICE_ATTR(..., ..., func_name, > ...) This is what I would have expected. > functions. However, it looks like matching function prototype is enough. At > least, > I failed to find false positives. I rejected the initial DEVICE_ATTR() > searching > because I thought that it's impossible to handle > DEVICE_ATTR_RO()/DEVICE_ATTR_RW() > macroses with coccinelle as they "generate" function names internally with > "##". "fresh identifier" should really help here, but now I doubt it's > required in > device_attr_show.cocci, function prototype is enough. It's true that it is probably unique enough. julia ___ Cocci mailing list Cocci@systeme.lip6.fr https://systeme.lip6.fr/mailman/listinfo/cocci
Re: [Cocci] [PATCH] usb: atm: don't use snprintf() for sysfs attrs
On Thu, 27 Aug 2020, Joe Perches wrote: > On Thu, 2020-08-27 at 21:42 +0200, Julia Lawall wrote: > > > > On Thu, 27 Aug 2020, Joe Perches wrote: > > > > > On Thu, 2020-08-27 at 15:48 +0100, Alex Dewar wrote: > > > > On Thu, Aug 27, 2020 at 03:41:06PM +0200, Rasmus Villemoes wrote: > > > > > On 27/08/2020 15.18, Alex Dewar wrote: > > > > > > On Thu, Aug 27, 2020 at 09:15:37AM +0200, Greg Kroah-Hartman wrote: > > > > > > > On Thu, Aug 27, 2020 at 08:42:06AM +0200, Rasmus Villemoes wrote: > > > > > > > > On 25/08/2020 00.23, Alex Dewar wrote: > > > > > > > > > kernel/cpu.c: don't use snprintf() for sysfs attrs > > > > > > > > > > > > > > > > > > As per the documentation > > > > > > > > > (Documentation/filesystems/sysfs.rst), > > > > > > > > > snprintf() should not be used for formatting values returned > > > > > > > > > by sysfs. > > > > > > > > > > > > > > > > > > > > > > > > > Can we have a sysfs_sprintf() (could just be a macro that does > > > > > > > > sprintf) > > > > > > > > to make it clear to the next reader that we know we're in a > > > > > > > > sysfs show > > > > > > > > method? It would make auditing uses of sprintf() much easier. > > > > > > > > > > > > > > Code churn to keep code checkers quiet for pointless reasons? > > > > > > > What > > > > > > > could go wrong with that... > > > > > > > > > > I did not (mean to) suggest replacing existing sprintf() calls in > > > > > sysfs > > > > > show methods. But when changes _are_ being made, such as when > > > > > replacing > > > > > snprintf() calls for whatever reasons, can we please not make it > > > > > harder > > > > > for people doing manual audits (those are "code checkers" as well, I > > > > > suppose, but they do tend to only make noise when finding something). > > > > > > > > > > > > It should be pretty obvious to any reader that you are in a sysfs > > > > > > > show > > > > > > > method, as almost all of them are trivially tiny and obvious. > > > > > > > > > > git grep doesn't immediately show that, not even with a suitable -C > > > > > argument, as you can't really know the potential callers unless you > > > > > open > > > > > the file and see that the function is only assigned as a .show method. > > > > > And even that can be a pain because it's all hidden behind five levels > > > > > of magic macros that build identifiers with ##. > > > > > > > > > > > Perhaps I should have mentioned this in the commit message, but the > > > > > > problem > > > > > > is that snprintf() doesn't return the number of bytes written to the > > > > > > destination buffer, > > > > > > > > > > I'm perfectly well aware of that, TYVM (you may want to 'git log > > > > > --author Villemoes lib/vsprintf.c'). > > > > > > > > > > but the number of bytes that *would have been written if > > > > > > they fitted*, which may be more than the bounds specified [1]. So > > > > > > "return > > > > > > snprintf(...)" for sysfs attributes is an antipattern. If you need > > > > > > bounded > > > > > > string ops, scnprintf() is the way to go. Using snprintf() can give > > > > > > a > > > > > > false sense of security, because it isn't necessarily safe. > > > > > > > > > > Huh? This all seems utterly irrelevant WRT a change that replaces > > > > > PAGE_SIZE by INT_MAX (because that's what sprintf() is going to > > > > > pretend > > > > > you passed). You get the same return value. > > > > > > > > > > But I'm not at all concerned about whether one passes the proper > > > > > buffer > > > > > size or not in sysfs show methods; with my embedded hat on, I'm all > > > > > for > > > > > saving a few bytes of .text here and there. The problem, as far as I'm > > > > > concerned, is merely that adding sprintf() callers makes it harder to > > > > > find the problematic sprintf() instances. > > > > > > > > > > > > > Apologies, I think I might have expressed myself poorly, being a kernel > > > > noob > > > > ;-). I know that this is a stylistic change rather than a functional > > > > one -- I meant that I was hoping that it would be helpful to get rid of > > > > bad > > > > uses of snprintf(). > > > > > > > > I really like your idea of helper methods though :-). If in show() > > > > methods we could have something like: > > > > return sysfs_itoa(buf, i); > > > > in place of: > > > > return sprintf(buf, "%d\n", i); > > > > > > > > ... then we wouldn't be introducing any new calls to sprintf() as you > > > > say, but we'd still be removing a call to snprintf() (which also may be > > > > problematic). Plus we'd have type checking on the argument. > > > > > > > > For returning strings, we could have a bounded and unbounded variant of > > > > the function. As it seems like only single values should be returned via > > > > sysfs, if we did things this way then it would only be these > > > > string-returning functions which could cause buffer overflow problems > > > > and kernel devs could focus their attention accordingly... > > > > > > > > What do people
Re: [Cocci] [PATCH] usb: atm: don't use snprintf() for sysfs attrs
On Thu, 2020-08-27 at 13:29 -0700, Joe Perches wrote: > On Thu, 2020-08-27 at 21:42 +0200, Julia Lawall wrote: > > On Thu, 27 Aug 2020, Joe Perches wrote: > > > > > On Thu, 2020-08-27 at 15:48 +0100, Alex Dewar wrote: > > > > On Thu, Aug 27, 2020 at 03:41:06PM +0200, Rasmus Villemoes wrote: > > > > > On 27/08/2020 15.18, Alex Dewar wrote: > > > > > > On Thu, Aug 27, 2020 at 09:15:37AM +0200, Greg Kroah-Hartman wrote: > > > > > > > On Thu, Aug 27, 2020 at 08:42:06AM +0200, Rasmus Villemoes wrote: > > > > > > > > On 25/08/2020 00.23, Alex Dewar wrote: > > > > > > > > > kernel/cpu.c: don't use snprintf() for sysfs attrs > > > > > > > > > > > > > > > > > > As per the documentation > > > > > > > > > (Documentation/filesystems/sysfs.rst), > > > > > > > > > snprintf() should not be used for formatting values returned > > > > > > > > > by sysfs. > > > > > > > > > > > > > > > > > > > > > > > > > Can we have a sysfs_sprintf() (could just be a macro that does > > > > > > > > sprintf) > > > > > > > > to make it clear to the next reader that we know we're in a > > > > > > > > sysfs show > > > > > > > > method? It would make auditing uses of sprintf() much easier. > > > > > > > > > > > > > > Code churn to keep code checkers quiet for pointless reasons? > > > > > > > What > > > > > > > could go wrong with that... > > > > > > > > > > I did not (mean to) suggest replacing existing sprintf() calls in > > > > > sysfs > > > > > show methods. But when changes _are_ being made, such as when > > > > > replacing > > > > > snprintf() calls for whatever reasons, can we please not make it > > > > > harder > > > > > for people doing manual audits (those are "code checkers" as well, I > > > > > suppose, but they do tend to only make noise when finding something). > > > > > > > > > > > > It should be pretty obvious to any reader that you are in a sysfs > > > > > > > show > > > > > > > method, as almost all of them are trivially tiny and obvious. > > > > > > > > > > git grep doesn't immediately show that, not even with a suitable -C > > > > > argument, as you can't really know the potential callers unless you > > > > > open > > > > > the file and see that the function is only assigned as a .show method. > > > > > And even that can be a pain because it's all hidden behind five levels > > > > > of magic macros that build identifiers with ##. > > > > > > > > > > > Perhaps I should have mentioned this in the commit message, but the > > > > > > problem > > > > > > is that snprintf() doesn't return the number of bytes written to the > > > > > > destination buffer, > > > > > > > > > > I'm perfectly well aware of that, TYVM (you may want to 'git log > > > > > --author Villemoes lib/vsprintf.c'). > > > > > > > > > > but the number of bytes that *would have been written if > > > > > > they fitted*, which may be more than the bounds specified [1]. So > > > > > > "return > > > > > > snprintf(...)" for sysfs attributes is an antipattern. If you need > > > > > > bounded > > > > > > string ops, scnprintf() is the way to go. Using snprintf() can give > > > > > > a > > > > > > false sense of security, because it isn't necessarily safe. > > > > > > > > > > Huh? This all seems utterly irrelevant WRT a change that replaces > > > > > PAGE_SIZE by INT_MAX (because that's what sprintf() is going to > > > > > pretend > > > > > you passed). You get the same return value. > > > > > > > > > > But I'm not at all concerned about whether one passes the proper > > > > > buffer > > > > > size or not in sysfs show methods; with my embedded hat on, I'm all > > > > > for > > > > > saving a few bytes of .text here and there. The problem, as far as I'm > > > > > concerned, is merely that adding sprintf() callers makes it harder to > > > > > find the problematic sprintf() instances. > > > > > > > > > > > > > Apologies, I think I might have expressed myself poorly, being a kernel > > > > noob > > > > ;-). I know that this is a stylistic change rather than a functional > > > > one -- I meant that I was hoping that it would be helpful to get rid of > > > > bad > > > > uses of snprintf(). > > > > > > > > I really like your idea of helper methods though :-). If in show() > > > > methods we could have something like: > > > > return sysfs_itoa(buf, i); > > > > in place of: > > > > return sprintf(buf, "%d\n", i); > > > > > > > > ... then we wouldn't be introducing any new calls to sprintf() as you > > > > say, but we'd still be removing a call to snprintf() (which also may be > > > > problematic). Plus we'd have type checking on the argument. > > > > > > > > For returning strings, we could have a bounded and unbounded variant of > > > > the function. As it seems like only single values should be returned via > > > > sysfs, if we did things this way then it would only be these > > > > string-returning functions which could cause buffer overflow problems > > > > and kernel devs could focus their attention accordingly... > > > >
Re: [Cocci] [PATCH] usb: atm: don't use snprintf() for sysfs attrs
Hi all, On 8/27/20 10:42 PM, Julia Lawall wrote: > > > On Thu, 27 Aug 2020, Joe Perches wrote: > >> On Thu, 2020-08-27 at 15:48 +0100, Alex Dewar wrote: >>> On Thu, Aug 27, 2020 at 03:41:06PM +0200, Rasmus Villemoes wrote: On 27/08/2020 15.18, Alex Dewar wrote: > On Thu, Aug 27, 2020 at 09:15:37AM +0200, Greg Kroah-Hartman wrote: >> On Thu, Aug 27, 2020 at 08:42:06AM +0200, Rasmus Villemoes wrote: >>> On 25/08/2020 00.23, Alex Dewar wrote: kernel/cpu.c: don't use snprintf() for sysfs attrs As per the documentation (Documentation/filesystems/sysfs.rst), snprintf() should not be used for formatting values returned by sysfs. Just FYI, I've send an addition to the device_attr_show.cocci script[1] to turn simple cases of snprintf (e.g. "%i") to sprintf. Looks like many developers would like it more than changing snprintf to scnprintf. As for me, I don't like the idea of automated altering of the original logic from bounded snprint to unbouded one with sprintf. [1] https://lkml.org/lkml/2020/8/13/786 Regarding current device_attr_show.cocci implementation, it detects the functions by declaration: ssize_t any_name(struct device *dev, struct device_attribute *attr, char *buf) and I limited the check to: "return snprintf" pattern because there are already too many warnings. Actually, it looks more correct to check for: ssize_t show(struct device *dev, struct device_attribute *attr, char *buf) { <... * snprintf@p(...); ...> } This pattern should also highlight the snprintf calls there we save returned value in a var, e.g.: ret += snprintf(...); ... ret += snprintf(...); ... ret += snprintf(...); return ret; > > Something like > > identifier f; > fresh identifier = "sysfs" ## f; > > may be useful. Let me know if further help is needed. Initially, I wrote the rule to search for DEVICE_ATTR(..., ..., func_name, ...) functions. However, it looks like matching function prototype is enough. At least, I failed to find false positives. I rejected the initial DEVICE_ATTR() searching because I thought that it's impossible to handle DEVICE_ATTR_RO()/DEVICE_ATTR_RW() macroses with coccinelle as they "generate" function names internally with "##". "fresh identifier" should really help here, but now I doubt it's required in device_attr_show.cocci, function prototype is enough. Thanks, Denis ___ Cocci mailing list Cocci@systeme.lip6.fr https://systeme.lip6.fr/mailman/listinfo/cocci
Re: [Cocci] [PATCH] usb: atm: don't use snprintf() for sysfs attrs
On Thu, 2020-08-27 at 21:42 +0200, Julia Lawall wrote: > > On Thu, 27 Aug 2020, Joe Perches wrote: > > > On Thu, 2020-08-27 at 15:48 +0100, Alex Dewar wrote: > > > On Thu, Aug 27, 2020 at 03:41:06PM +0200, Rasmus Villemoes wrote: > > > > On 27/08/2020 15.18, Alex Dewar wrote: > > > > > On Thu, Aug 27, 2020 at 09:15:37AM +0200, Greg Kroah-Hartman wrote: > > > > > > On Thu, Aug 27, 2020 at 08:42:06AM +0200, Rasmus Villemoes wrote: > > > > > > > On 25/08/2020 00.23, Alex Dewar wrote: > > > > > > > > kernel/cpu.c: don't use snprintf() for sysfs attrs > > > > > > > > > > > > > > > > As per the documentation (Documentation/filesystems/sysfs.rst), > > > > > > > > snprintf() should not be used for formatting values returned by > > > > > > > > sysfs. > > > > > > > > > > > > > > > > > > > > > > Can we have a sysfs_sprintf() (could just be a macro that does > > > > > > > sprintf) > > > > > > > to make it clear to the next reader that we know we're in a sysfs > > > > > > > show > > > > > > > method? It would make auditing uses of sprintf() much easier. > > > > > > > > > > > > Code churn to keep code checkers quiet for pointless reasons? What > > > > > > could go wrong with that... > > > > > > > > I did not (mean to) suggest replacing existing sprintf() calls in sysfs > > > > show methods. But when changes _are_ being made, such as when replacing > > > > snprintf() calls for whatever reasons, can we please not make it harder > > > > for people doing manual audits (those are "code checkers" as well, I > > > > suppose, but they do tend to only make noise when finding something). > > > > > > > > > > It should be pretty obvious to any reader that you are in a sysfs > > > > > > show > > > > > > method, as almost all of them are trivially tiny and obvious. > > > > > > > > git grep doesn't immediately show that, not even with a suitable -C > > > > argument, as you can't really know the potential callers unless you open > > > > the file and see that the function is only assigned as a .show method. > > > > And even that can be a pain because it's all hidden behind five levels > > > > of magic macros that build identifiers with ##. > > > > > > > > > Perhaps I should have mentioned this in the commit message, but the > > > > > problem > > > > > is that snprintf() doesn't return the number of bytes written to the > > > > > destination buffer, > > > > > > > > I'm perfectly well aware of that, TYVM (you may want to 'git log > > > > --author Villemoes lib/vsprintf.c'). > > > > > > > > but the number of bytes that *would have been written if > > > > > they fitted*, which may be more than the bounds specified [1]. So > > > > > "return > > > > > snprintf(...)" for sysfs attributes is an antipattern. If you need > > > > > bounded > > > > > string ops, scnprintf() is the way to go. Using snprintf() can give a > > > > > false sense of security, because it isn't necessarily safe. > > > > > > > > Huh? This all seems utterly irrelevant WRT a change that replaces > > > > PAGE_SIZE by INT_MAX (because that's what sprintf() is going to pretend > > > > you passed). You get the same return value. > > > > > > > > But I'm not at all concerned about whether one passes the proper buffer > > > > size or not in sysfs show methods; with my embedded hat on, I'm all for > > > > saving a few bytes of .text here and there. The problem, as far as I'm > > > > concerned, is merely that adding sprintf() callers makes it harder to > > > > find the problematic sprintf() instances. > > > > > > > > > > Apologies, I think I might have expressed myself poorly, being a kernel > > > noob > > > ;-). I know that this is a stylistic change rather than a functional > > > one -- I meant that I was hoping that it would be helpful to get rid of > > > bad > > > uses of snprintf(). > > > > > > I really like your idea of helper methods though :-). If in show() > > > methods we could have something like: > > > return sysfs_itoa(buf, i); > > > in place of: > > > return sprintf(buf, "%d\n", i); > > > > > > ... then we wouldn't be introducing any new calls to sprintf() as you > > > say, but we'd still be removing a call to snprintf() (which also may be > > > problematic). Plus we'd have type checking on the argument. > > > > > > For returning strings, we could have a bounded and unbounded variant of > > > the function. As it seems like only single values should be returned via > > > sysfs, if we did things this way then it would only be these > > > string-returning functions which could cause buffer overflow problems > > > and kernel devs could focus their attention accordingly... > > > > > > What do people think? I'm happy to have a crack, provided this is > > > actually a sensible thing to do! I'm looking for a newbie-level project > > > to get started with. > > > > Not a bad idea. > > > > Coccinelle should be able to transform the various .show > > methods to something sysfs_ prefixed in a fairly automated > > way. > > Something like > >
Re: [Cocci] [PATCH] usb: atm: don't use snprintf() for sysfs attrs
On Thu, 27 Aug 2020, Joe Perches wrote: > On Thu, 2020-08-27 at 15:48 +0100, Alex Dewar wrote: > > On Thu, Aug 27, 2020 at 03:41:06PM +0200, Rasmus Villemoes wrote: > > > On 27/08/2020 15.18, Alex Dewar wrote: > > > > On Thu, Aug 27, 2020 at 09:15:37AM +0200, Greg Kroah-Hartman wrote: > > > > > On Thu, Aug 27, 2020 at 08:42:06AM +0200, Rasmus Villemoes wrote: > > > > > > On 25/08/2020 00.23, Alex Dewar wrote: > > > > > > > kernel/cpu.c: don't use snprintf() for sysfs attrs > > > > > > > > > > > > > > As per the documentation (Documentation/filesystems/sysfs.rst), > > > > > > > snprintf() should not be used for formatting values returned by > > > > > > > sysfs. > > > > > > > > > > > > > > > > > > > Can we have a sysfs_sprintf() (could just be a macro that does > > > > > > sprintf) > > > > > > to make it clear to the next reader that we know we're in a sysfs > > > > > > show > > > > > > method? It would make auditing uses of sprintf() much easier. > > > > > > > > > > Code churn to keep code checkers quiet for pointless reasons? What > > > > > could go wrong with that... > > > > > > I did not (mean to) suggest replacing existing sprintf() calls in sysfs > > > show methods. But when changes _are_ being made, such as when replacing > > > snprintf() calls for whatever reasons, can we please not make it harder > > > for people doing manual audits (those are "code checkers" as well, I > > > suppose, but they do tend to only make noise when finding something). > > > > > > > > It should be pretty obvious to any reader that you are in a sysfs show > > > > > method, as almost all of them are trivially tiny and obvious. > > > > > > git grep doesn't immediately show that, not even with a suitable -C > > > argument, as you can't really know the potential callers unless you open > > > the file and see that the function is only assigned as a .show method. > > > And even that can be a pain because it's all hidden behind five levels > > > of magic macros that build identifiers with ##. > > > > > > > Perhaps I should have mentioned this in the commit message, but the > > > > problem > > > > is that snprintf() doesn't return the number of bytes written to the > > > > destination buffer, > > > > > > I'm perfectly well aware of that, TYVM (you may want to 'git log > > > --author Villemoes lib/vsprintf.c'). > > > > > > but the number of bytes that *would have been written if > > > > they fitted*, which may be more than the bounds specified [1]. So > > > > "return > > > > snprintf(...)" for sysfs attributes is an antipattern. If you need > > > > bounded > > > > string ops, scnprintf() is the way to go. Using snprintf() can give a > > > > false sense of security, because it isn't necessarily safe. > > > > > > Huh? This all seems utterly irrelevant WRT a change that replaces > > > PAGE_SIZE by INT_MAX (because that's what sprintf() is going to pretend > > > you passed). You get the same return value. > > > > > > But I'm not at all concerned about whether one passes the proper buffer > > > size or not in sysfs show methods; with my embedded hat on, I'm all for > > > saving a few bytes of .text here and there. The problem, as far as I'm > > > concerned, is merely that adding sprintf() callers makes it harder to > > > find the problematic sprintf() instances. > > > > > > > Apologies, I think I might have expressed myself poorly, being a kernel noob > > ;-). I know that this is a stylistic change rather than a functional > > one -- I meant that I was hoping that it would be helpful to get rid of bad > > uses of snprintf(). > > > > I really like your idea of helper methods though :-). If in show() > > methods we could have something like: > > return sysfs_itoa(buf, i); > > in place of: > > return sprintf(buf, "%d\n", i); > > > > ... then we wouldn't be introducing any new calls to sprintf() as you > > say, but we'd still be removing a call to snprintf() (which also may be > > problematic). Plus we'd have type checking on the argument. > > > > For returning strings, we could have a bounded and unbounded variant of > > the function. As it seems like only single values should be returned via > > sysfs, if we did things this way then it would only be these > > string-returning functions which could cause buffer overflow problems > > and kernel devs could focus their attention accordingly... > > > > What do people think? I'm happy to have a crack, provided this is > > actually a sensible thing to do! I'm looking for a newbie-level project > > to get started with. > > Not a bad idea. > > Coccinelle should be able to transform the various .show > methods to something sysfs_ prefixed in a fairly automated > way. Something like identifier f; fresh identifier = "sysfs" ## f; may be useful. Let me know if further help is needed. julia > > > > > ___ > Cocci mailing list > Cocci@systeme.lip6.fr > https://systeme.lip6.fr/mailman/listinfo/cocci >
Re: [Cocci] [PATCH] usb: atm: don't use snprintf() for sysfs attrs
On Thu, 2020-08-27 at 15:48 +0100, Alex Dewar wrote: > On Thu, Aug 27, 2020 at 03:41:06PM +0200, Rasmus Villemoes wrote: > > On 27/08/2020 15.18, Alex Dewar wrote: > > > On Thu, Aug 27, 2020 at 09:15:37AM +0200, Greg Kroah-Hartman wrote: > > > > On Thu, Aug 27, 2020 at 08:42:06AM +0200, Rasmus Villemoes wrote: > > > > > On 25/08/2020 00.23, Alex Dewar wrote: > > > > > > kernel/cpu.c: don't use snprintf() for sysfs attrs > > > > > > > > > > > > As per the documentation (Documentation/filesystems/sysfs.rst), > > > > > > snprintf() should not be used for formatting values returned by > > > > > > sysfs. > > > > > > > > > > > > > > > > Can we have a sysfs_sprintf() (could just be a macro that does > > > > > sprintf) > > > > > to make it clear to the next reader that we know we're in a sysfs show > > > > > method? It would make auditing uses of sprintf() much easier. > > > > > > > > Code churn to keep code checkers quiet for pointless reasons? What > > > > could go wrong with that... > > > > I did not (mean to) suggest replacing existing sprintf() calls in sysfs > > show methods. But when changes _are_ being made, such as when replacing > > snprintf() calls for whatever reasons, can we please not make it harder > > for people doing manual audits (those are "code checkers" as well, I > > suppose, but they do tend to only make noise when finding something). > > > > > > It should be pretty obvious to any reader that you are in a sysfs show > > > > method, as almost all of them are trivially tiny and obvious. > > > > git grep doesn't immediately show that, not even with a suitable -C > > argument, as you can't really know the potential callers unless you open > > the file and see that the function is only assigned as a .show method. > > And even that can be a pain because it's all hidden behind five levels > > of magic macros that build identifiers with ##. > > > > > Perhaps I should have mentioned this in the commit message, but the > > > problem > > > is that snprintf() doesn't return the number of bytes written to the > > > destination buffer, > > > > I'm perfectly well aware of that, TYVM (you may want to 'git log > > --author Villemoes lib/vsprintf.c'). > > > > but the number of bytes that *would have been written if > > > they fitted*, which may be more than the bounds specified [1]. So "return > > > snprintf(...)" for sysfs attributes is an antipattern. If you need bounded > > > string ops, scnprintf() is the way to go. Using snprintf() can give a > > > false sense of security, because it isn't necessarily safe. > > > > Huh? This all seems utterly irrelevant WRT a change that replaces > > PAGE_SIZE by INT_MAX (because that's what sprintf() is going to pretend > > you passed). You get the same return value. > > > > But I'm not at all concerned about whether one passes the proper buffer > > size or not in sysfs show methods; with my embedded hat on, I'm all for > > saving a few bytes of .text here and there. The problem, as far as I'm > > concerned, is merely that adding sprintf() callers makes it harder to > > find the problematic sprintf() instances. > > > > Apologies, I think I might have expressed myself poorly, being a kernel noob > ;-). I know that this is a stylistic change rather than a functional > one -- I meant that I was hoping that it would be helpful to get rid of bad > uses of snprintf(). > > I really like your idea of helper methods though :-). If in show() > methods we could have something like: > return sysfs_itoa(buf, i); > in place of: > return sprintf(buf, "%d\n", i); > > ... then we wouldn't be introducing any new calls to sprintf() as you > say, but we'd still be removing a call to snprintf() (which also may be > problematic). Plus we'd have type checking on the argument. > > For returning strings, we could have a bounded and unbounded variant of > the function. As it seems like only single values should be returned via > sysfs, if we did things this way then it would only be these > string-returning functions which could cause buffer overflow problems > and kernel devs could focus their attention accordingly... > > What do people think? I'm happy to have a crack, provided this is > actually a sensible thing to do! I'm looking for a newbie-level project > to get started with. Not a bad idea. Coccinelle should be able to transform the various .show methods to something sysfs_ prefixed in a fairly automated way. ___ Cocci mailing list Cocci@systeme.lip6.fr https://systeme.lip6.fr/mailman/listinfo/cocci