[PATCH 1/5] lib/vsprintf.c: make sure vsnprintf() never returns a negative value

Tom Rini trini at konsulko.com
Fri May 21 16:27:26 CEST 2021 

On Fri, May 21, 2021 at 04:15:39PM +0200, Heinrich Schuchardt wrote:
> On 21.05.21 14:53, Rasmus Villemoes wrote:
> > On 20/05/2021 19.51, Simon Glass wrote:
> >> Hi Rasmus,
> >>
> >> On Thu, 20 May 2021 at 04:05, Rasmus Villemoes
> >> <rasmus.villemoes at prevas.dk> wrote:
> >>>
> >>> Most callers (or callers of callers, etc.) of vsnprintf() are not
> >>> prepared for it to return a negative value.
> >>>
> >>> The only case where that can currently happen is %pD, and it's IMO
> >>> more user-friendly to produce some output that clearly shows that some
> >>> "impossible" thing happened instead of having the message completely
> >>> ignored - or mishandled as for example log.c would currently do.
> >>>
> >>> Signed-off-by: Rasmus Villemoes <rasmus.villemoes at prevas.dk>
> >>> ---
> >>>  lib/vsprintf.c | 10 +---------
> >>>  1 file changed, 1 insertion(+), 9 deletions(-)
> >>
> >> I think that is debatable. If we want the calling code to be fixed,
> >> then it needs to get an error code back. Otherwise the error will be
> >> apparent to the user but (perhaps) not ever debugged.
> >
> > But it is not the calling code that is at fault for the vsnprintf()
> > implementation (1) being able to fail and (2) actually encountering an
> > ENOMEM situation. There's _nothing_ the calling code can do about that.
> 
> include/vsnprintf.h states:
> 
> "This function follows C99 vsnprintf, but has some extensions:".
> 
> The C99 spec says:
> 
> "The vsnprintf function returns the number of characters that would have
> been written had n been sufficiently large, not counting  the
> terminating  null  character, or a negative value if an encoding error
> occurred."
> 
> It is obvious that the calling code needs to be fixed if it cannot
> handle negative return values.
> 
> So NAK to the patch.
> 
> Best regards
> 
> Heinrich
> 
> >
> > The calling code can be said to be responsible for not passing NULL
> > pointers, but that case is actually handled gracefully in various places
> > in the printf code (both for %pD, but also plain %s).
> >
> >> The definition of printf() allows for the possibility of a negative
> >> return value.
> >
> > First, please distinguish printf() from vsnprintf(). The former (in the
> > normal userspace version) obviously can fail for the obvious EIO, ENOSPC
> > reasons. The latter is indeed allowed to fail per the posix spec, but
> > from a QoI perspective, I'd say it's much better to have a guarantee
> > _for our particular implementation_ that it does not fail (meaning:
> > returns a negative result). There's simply too many direct and indirect
> > users of vsnprintf() that assume the result is non-negative; if we do
> > not provide that guarantee, the alternative is to play a whack-a-mole
> > game and add tons of error-checking code (adding bloat to the image),
> > with almost never any good way to handle it.
> >
> > Take that log_info(" ... %pD") as an example. Suppose we "fix" log.c so
> > that it ignores the message if vsnprintf (or vscnprintf, whatever)
> > returns a negative result, just as print() currently does [which is the
> > other thing that log_info could end up being handled by]. That means
> > nothing gets printed on the console, and nobody gets told about the
> > ENOMEM. In contrast, with this patch, we get
> >
> >   Booting <%pD:ENOMEM>
> >
> > printed on the console, so at least _some_ part of the message gets out,
> > and it's apparent that something odd happened. Of course, all of that is
> > in the entirely unlikely sitation where the (efi) allocation would
> > actually fail.
> >
> > If we don't want that <%pD:ENOMEM> thing, I'd still argue that we should
> > ensure vsnprintf returns non-negative; e.g. by changing the "return
> > PTR_ERR()" to a "goto out", i.e. simply stop the processing of the
> > format string at the %pD which failed, but still go through the epilogue
> > that ensures the resulting string becomes nul-terminated (another
> > reasonable assumption made by tons of callers), and return how much got
> > printed till then.

So, how can we fix the callers without the above noted problems?

-- 
Tom
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 659 bytes
Desc: not available
URL: <https://lists.denx.de/pipermail/u-boot/attachments/20210521/4cce18ce/attachment.sig>

More information about the U-Boot mailing list