[PATCH 1/5] lib/vsprintf.c: make sure vsnprintf() never returns a negative value

Heinrich Schuchardt xypron.glpk at gmx.de
Fri May 21 16:42:04 CEST 2021


On 21.05.21 16:27, Tom Rini wrote:
> On Fri, May 21, 2021 at 04:15:39PM +0200, Heinrich Schuchardt wrote:
>> On 21.05.21 14:53, Rasmus Villemoes wrote:
>>> On 20/05/2021 19.51, Simon Glass wrote:
>>>> Hi Rasmus,
>>>>
>>>> On Thu, 20 May 2021 at 04:05, Rasmus Villemoes
>>>> <rasmus.villemoes at prevas.dk> wrote:
>>>>>
>>>>> Most callers (or callers of callers, etc.) of vsnprintf() are not
>>>>> prepared for it to return a negative value.
>>>>>
>>>>> The only case where that can currently happen is %pD, and it's IMO
>>>>> more user-friendly to produce some output that clearly shows that some
>>>>> "impossible" thing happened instead of having the message completely
>>>>> ignored - or mishandled as for example log.c would currently do.
>>>>>
>>>>> Signed-off-by: Rasmus Villemoes <rasmus.villemoes at prevas.dk>
>>>>> ---
>>>>>  lib/vsprintf.c | 10 +---------
>>>>>  1 file changed, 1 insertion(+), 9 deletions(-)
>>>>
>>>> I think that is debatable. If we want the calling code to be fixed,
>>>> then it needs to get an error code back. Otherwise the error will be
>>>> apparent to the user but (perhaps) not ever debugged.
>>>
>>> But it is not the calling code that is at fault for the vsnprintf()
>>> implementation (1) being able to fail and (2) actually encountering an
>>> ENOMEM situation. There's _nothing_ the calling code can do about that.
>>
>> include/vsnprintf.h states:
>>
>> "This function follows C99 vsnprintf, but has some extensions:".
>>
>> The C99 spec says:
>>
>> "The vsnprintf function returns the number of characters that would have
>> been written had n been sufficiently large, not counting  the
>> terminating  null  character, or a negative value if an encoding error
>> occurred."
>>
>> It is obvious that the calling code needs to be fixed if it cannot
>> handle negative return values.
>>
>> So NAK to the patch.
>>
>> Best regards
>>
>> Heinrich
>>
>>>
>>> The calling code can be said to be responsible for not passing NULL
>>> pointers, but that case is actually handled gracefully in various places
>>> in the printf code (both for %pD, but also plain %s).
>>>
>>>> The definition of printf() allows for the possibility of a negative
>>>> return value.
>>>
>>> First, please distinguish printf() from vsnprintf(). The former (in the
>>> normal userspace version) obviously can fail for the obvious EIO, ENOSPC
>>> reasons. The latter is indeed allowed to fail per the posix spec, but
>>> from a QoI perspective, I'd say it's much better to have a guarantee
>>> _for our particular implementation_ that it does not fail (meaning:
>>> returns a negative result). There's simply too many direct and indirect
>>> users of vsnprintf() that assume the result is non-negative; if we do
>>> not provide that guarantee, the alternative is to play a whack-a-mole
>>> game and add tons of error-checking code (adding bloat to the image),
>>> with almost never any good way to handle it.
>>>
>>> Take that log_info(" ... %pD") as an example. Suppose we "fix" log.c so
>>> that it ignores the message if vsnprintf (or vscnprintf, whatever)
>>> returns a negative result, just as print() currently does [which is the
>>> other thing that log_info could end up being handled by]. That means
>>> nothing gets printed on the console, and nobody gets told about the
>>> ENOMEM. In contrast, with this patch, we get
>>>
>>>   Booting <%pD:ENOMEM>
>>>
>>> printed on the console, so at least _some_ part of the message gets out,
>>> and it's apparent that something odd happened. Of course, all of that is
>>> in the entirely unlikely sitation where the (efi) allocation would
>>> actually fail.
>>>
>>> If we don't want that <%pD:ENOMEM> thing, I'd still argue that we should
>>> ensure vsnprintf returns non-negative; e.g. by changing the "return
>>> PTR_ERR()" to a "goto out", i.e. simply stop the processing of the
>>> format string at the %pD which failed, but still go through the epilogue
>>> that ensures the resulting string becomes nul-terminated (another
>>> reasonable assumption made by tons of callers), and return how much got
>>> printed till then.
>
> So, how can we fix the callers without the above noted problems?
>

The assumption that vsnprintf() is used to print to the console and that
writing some arbitrary string to the buffer is allowable is utterly wrong.

vsnprintf_internal() is used to implement snprintf(). snprintf() is used
in numerous places where it will not lead to console output.

Trying to solve one problem this patch creates a bunch of new ones.

Best regards

Heinrich


More information about the U-Boot mailing list