On Mon, Jun 20, 2022 at 09:21:39AM +0200, Ahmad Fatoum wrote:
> From: Sascha Hauer <s.hauer@xxxxxxxxxxxxxx>
>
> It's a common pattern to (ba)sprintf to a string and then call setenv()
> with this string. Let setenv() take printf arguments to make that
> easier. To avoid the overhead that goes with changing other callers
> to using setenv(var, "%s", val) to avoid security implications (and
> GCC warnings), fallback to the non-formatted version when there are
> only two arguments.
>
> Signed-off-by: Sascha Hauer <s.hauer@xxxxxxxxxxxxxx>
> [afa: fall back to non-formatted version on old two arg version]
> Signed-off-by: Ahmad Fatoum <a.fatoum@xxxxxxxxxxxxxx>
> ---
> Thoughts?
While I'm impressed by this macro I don't like this very much. My desire was to simplify things, now with this patch I'm no longer sure I reached that goal. Alternatively we could a) Drop the original patch b) Replace the problematic places with setenv(foo, "%s", not_a_string_literal); c) Pass -Wno-format-security, The Kernel does this for over a decade. My vote is c) Sascha
> ---
> common/env.c | 37 +++++++++++++++++++++++++++++++++----
> include/environment.h | 19 +++++++++++++++++--
> include/linux/kernel.h | 12 ++++++++++++
> 3 files changed, 62 insertions(+), 6 deletions(-)
>
> diff --git a/common/env.c b/common/env.c
> index 05add63f625c..c36f6846ee21 100644
> --- a/common/env.c
> +++ b/common/env.c
> @@ -243,15 +243,15 @@ static int dev_setenv(const char *name, const char *val)
> }
>
> /**
> - * setenv - set environment variables
> + * __setenv_str - set environment variables
> * @_name - Variable name
> * @value - the value to set, empty string not handled specially
> *
> * Returns 0 for success and a negative error code otherwise
> - * Use unsetenv() to unset.
> + * Use unsetenv() to unset. Don't use directly, use setenv()
> */
>
> -int setenv(const char *_name, const char *value)
> +int __setenv_str(const char *_name, const char *value)
> {
> char *name = strdup(_name);
> int ret = 0;
> @@ -275,7 +275,36 @@ out:
>
> return ret;
> }
> -EXPORT_SYMBOL(setenv);
> +EXPORT_SYMBOL(__setenv_str);
> +
> +/**
> + * __setenv_fmt - set environment variables
> + * @name - Variable name
> + * @fmt - format string describing how to format arguments to come
> + *
> + * Returns 0 for success and a negative error code otherwise
> + * Use unsetenv() to unset. Don't use directly, use setenv()
> + */
> +
> +int __setenv_fmt(const char *name, const char *fmt, ...)
> +{
> + va_list ap;
> + int ret;
> + char *value;
> +
> + va_start(ap, fmt);
> + ret = vasprintf(&value, fmt, ap);
> + va_end(ap);
> +
> + if (ret < 0)
> + return ret;
> +
> + ret = __setenv_str(name, value);
> +
> + free(value);
> + return ret;
> +}
> +EXPORT_SYMBOL(__setenv_fmt);
>
> int export(const char *varname)
> {
> diff --git a/include/environment.h b/include/environment.h
> index 19e522cfb6b4..e5b9a9da3167 100644
> --- a/include/environment.h
> +++ b/include/environment.h
> @@ -7,6 +7,7 @@
> #ifndef _ENVIRONMENT_H_
> #define _ENVIRONMENT_H_
>
> +#include <linux/kernel.h>
> #include <linux/list.h>
> #include <errno.h>
>
> @@ -31,7 +32,8 @@ char *var_name(struct variable_d *);
>
> #ifdef CONFIG_ENVIRONMENT_VARIABLES
> const char *getenv(const char *);
> -int setenv(const char *, const char *);
> +int __setenv_str(const char *, const char *val);
> +int __setenv_fmt(const char *, const char *fmt, ...) __printf(2, 3);
> void export_env_ull(const char *name, unsigned long long val);
> int getenv_ull(const char *name, unsigned long long *val);
> int getenv_ul(const char *name, unsigned long *val);
> @@ -44,7 +46,13 @@ static inline char *getenv(const char *var)
> return NULL;
> }
>
> -static inline int setenv(const char *var, const char *val)
> +static inline int __setenv_str(const char *var, const char *val)
> +{
> + return 0;
> +}
> +
> +static inline __printf(2, 3) int __setenv_fmt(
> + const char *var, const char *fmt, ...)
> {
> return 0;
> }
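Review bot: In `__setenv_fmt` (the common/env.c hunk), `if (ret < 0) return ret;` passes vasprintf()'s raw return value to the caller although the kernel-doc above it promises a negative error code. vasprintf() is not shown in this patch, but if it reports allocation failure as -1 the caller sees what looks like -EPERM; `if (ret < 0) return -ENOMEM;` would keep the documented contract. The kernel-doc for `@fmt` should also state that it is parsed as a printf format and must be a literal, with any caller-supplied or externally derived value passed as an argument, as in `setenv(name, "%s", val)`.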
> @@ -82,6 +90,13 @@ static inline const char *getenv_nonempty(const char *var)
> }
> #endif
>
> +/*
> + * avoid the varargs overhead when using a fixed string
> + */
> +#undef setenv
> +#define setenv(args...) \
> + __optionally_variadic2(__setenv_str, __setenv_fmt, args)
> +
> int env_pop_context(void);
> int env_push_context(void);
>
> diff --git a/include/linux/kernel.h b/include/linux/kernel.h
> index 4483d33e65bb..ebae8f666cf6 100644
> --- a/include/linux/kernel.h
> +++ b/include/linux/kernel.h
> @@ -7,6 +7,7 @@
> #include <linux/barebox-wrapper.h>
> #include <linux/limits.h>
> #include <linux/math64.h>
> +#include <linux/stringify.h>
>
> #define ALIGN(x, a) __ALIGN_MASK(x, (typeof(x))(a) - 1)
> #define ALIGN_DOWN(x, a) ALIGN((x) - ((a) - 1), (a))
> @@ -17,6 +18,17 @@
> #define ARRAY_SIZE(arr) (sizeof(arr) / sizeof((arr)[0]) + __must_be_array(arr))
> #define ARRAY_AND_SIZE(x) (x), ARRAY_SIZE(x)
>
> +/*
> + * Call func_variadic, when more than 2 arguments and func_fixed otherwise
> + */
> +#define __optionally_variadic2(func_fixed, func_variadic, arg1, arg2, ...) ({ \
> + char _______STR[] = __stringify((__VA_ARGS__)); \
> + sizeof(_______STR) > 3 ? \
> + func_variadic(arg1, arg2, ##__VA_ARGS__) \
> + : \
> + func_fixed(arg1, arg2); \
> + })
> +
> /*
> * This looks more complex than it should be. But we need to
> * get the type for the ~ right in round_down (it needs to be
> --
> 2.30.2
> > > -- Pengutronix e.K. | | Steuerwalder Str. 21 | http://www.pengutronix.de/ | 31137 Hildesheim, Germany | Phone: +49-5121-206917-0 | Amtsgericht Hildesheim, HRA 2686 | Fax: +49-5121-206917-5555 |
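Review bot: The comment above the `setenv` macro in include/environment.h gives varargs overhead as the reason for the dispatch, but the property callers rely on is that a two-argument `setenv(name, val)` never has `val` parsed as a format string. The comment should say so, e.g. `/* two-argument calls store val verbatim ('%' is not interpreted); only calls with extra arguments go through the printf-style __setenv_fmt() */`. It should also mention that `setenv` is now a function-like macro expanding to a statement expression, so it can no longer be used as a function pointer or outside a function body.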
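Review bot: The `sizeof(_______STR) > 3` test in `__optionally_variadic2` (include/linux/kernel.h) is an undocumented magic number. It works because `__stringify((__VA_ARGS__))` yields `"()"`, three bytes including the terminator, when no extra arguments are passed, and the comment above the macro should spell that out. Both arms of the conditional are still compiled for every call, so a two-argument call with a non-literal value also appears as `func_variadic(arg1, arg2)` in the unselected arm, where the `__printf(2, 3)` attribute applies. Whether the format diagnostics stay silent there presumably depends on the compiler skipping checks for the dead arm, which is worth confirming with a build across the supported toolchains.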