Re: [PATCH] env: let setenv() take printf arguments

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Hello Sascha,

On 20.06.22 09:47, Sascha Hauer wrote:
> On Mon, Jun 20, 2022 at 09:21:39AM +0200, Ahmad Fatoum wrote:
>> From: Sascha Hauer <s.hauer@xxxxxxxxxxxxxx>
>>
>> It's a common pattern to (ba)sprintf to a string and then call setenv()
>> with this string. Let setenv() take printf arguments to make that
>> easier. To avoid the overhead that goes with changing other callers
>> to using setenv(var, "%s", val) to avoid security implications (and
>> GCC warnings), fallback to the non-formatted version when there are
>> only two arguments.
>>
>> Signed-off-by: Sascha Hauer <s.hauer@xxxxxxxxxxxxxx>
>> [afa: fall back to non-formatted version on old two arg version]
>> Signed-off-by: Ahmad Fatoum <a.fatoum@xxxxxxxxxxxxxx>
>> ---
>> Thoughts?
> 
> While I'm impressed by this macro I don't like this very much. My desire
> was to simplify things, now with this patch I'm no longer sure I reached
> that goal.

Usage _is_ simpler. Declaration indeed looks a bit odd, but ¯\_(ツ)_/¯

> 
> Alternatively we could
> 
> a) Drop the original patch
> b) Replace the problematic places with setenv(foo, "%s", not_a_string_literal);
> c) Pass -Wno-format-security, The Kernel does this for over a decade.

Then it probably needs to be revisited there then.

> My vote is c)

I am not fine with c). We don't sanitize for % in environment variable values
and ignoring the warning has very clear security implications.

Cheers,
Ahmad

> 
> Sascha
> 
>> ---
>>  common/env.c           | 37 +++++++++++++++++++++++++++++++++----
>>  include/environment.h  | 19 +++++++++++++++++--
>>  include/linux/kernel.h | 12 ++++++++++++
>>  3 files changed, 62 insertions(+), 6 deletions(-)
>>
>> diff --git a/common/env.c b/common/env.c
>> index 05add63f625c..c36f6846ee21 100644
>> --- a/common/env.c
>> +++ b/common/env.c
>> @@ -243,15 +243,15 @@ static int dev_setenv(const char *name, const char *val)
>>  }
>>  
>>  /**
>> - * setenv - set environment variables
>> + * __setenv_str - set environment variables
>>   * @_name - Variable name
>>   * @value - the value to set, empty string not handled specially
>>   *
>>   * Returns 0 for success and a negative error code otherwise
>> - * Use unsetenv() to unset.
>> + * Use unsetenv() to unset. Don't use directly, use setenv()
>>   */
>>  
>> -int setenv(const char *_name, const char *value)
>> +int __setenv_str(const char *_name, const char *value)
>>  {
>>  	char *name = strdup(_name);
>>  	int ret = 0;
>> @@ -275,7 +275,36 @@ out:
>>  
>>  	return ret;
>>  }
>> -EXPORT_SYMBOL(setenv);
>> +EXPORT_SYMBOL(__setenv_str);
>> +
>> +/**
>> + * __setenv_fmt - set environment variables
>> + * @name - Variable name
>> + * @fmt - format string describing how to format arguments to come
>> + *
>> + * Returns 0 for success and a negative error code otherwise
>> + * Use unsetenv() to unset. Don't use directly, use setenv()
>> + */
>> +
>> +int __setenv_fmt(const char *name, const char *fmt, ...)
>> +{
>> +	va_list ap;
>> +	int ret;
>> +	char *value;
>> +
>> +	va_start(ap, fmt);
>> +	ret = vasprintf(&value, fmt, ap);
>> +	va_end(ap);
>> +
>> +	if (ret < 0)
>> +		return ret;
>> +
>> +	ret = __setenv_str(name, value);
>> +
>> +	free(value);
>> +	return ret;
>> +}
>> +EXPORT_SYMBOL(__setenv_fmt);
>>  
>>  int export(const char *varname)
>>  {
>> diff --git a/include/environment.h b/include/environment.h
>> index 19e522cfb6b4..e5b9a9da3167 100644
>> --- a/include/environment.h
>> +++ b/include/environment.h
>> @@ -7,6 +7,7 @@
>>  #ifndef _ENVIRONMENT_H_
>>  #define _ENVIRONMENT_H_
>>  
>> +#include <linux/kernel.h>
>>  #include <linux/list.h>
>>  #include <errno.h>
>>  
>> @@ -31,7 +32,8 @@ char *var_name(struct variable_d *);
>>  
>>  #ifdef CONFIG_ENVIRONMENT_VARIABLES
>>  const char *getenv(const char *);
>> -int setenv(const char *, const char *);
>> +int __setenv_str(const char *, const char *val);
>> +int __setenv_fmt(const char *, const char *fmt, ...) __printf(2, 3);
>>  void export_env_ull(const char *name, unsigned long long val);
>>  int getenv_ull(const char *name, unsigned long long *val);
>>  int getenv_ul(const char *name, unsigned long *val);
>> @@ -44,7 +46,13 @@ static inline char *getenv(const char *var)
>>  	return NULL;
>>  }
>>  
>> -static inline int setenv(const char *var, const char *val)
>> +static inline int __setenv_str(const char *var, const char *val)
>> +{
>> +	return 0;
>> +}
>> +
>> +static inline __printf(2, 3) int __setenv_fmt(
>> +	const char *var, const char *fmt, ...)
>>  {
>>  	return 0;
>>  }
>> @@ -82,6 +90,13 @@ static inline const char *getenv_nonempty(const char *var)
>>  }
>>  #endif
>>  
>> +/*
>> + * avoid the varargs overhead when using a fixed string
>> + */
>> +#undef setenv
>> +#define setenv(args...) \
>> +	__optionally_variadic2(__setenv_str, __setenv_fmt, args)
>> +
>>  int env_pop_context(void);
>>  int env_push_context(void);
>>  
>> diff --git a/include/linux/kernel.h b/include/linux/kernel.h
>> index 4483d33e65bb..ebae8f666cf6 100644
>> --- a/include/linux/kernel.h
>> +++ b/include/linux/kernel.h
>> @@ -7,6 +7,7 @@
>>  #include <linux/barebox-wrapper.h>
>>  #include <linux/limits.h>
>>  #include <linux/math64.h>
>> +#include <linux/stringify.h>
>>  
>>  #define ALIGN(x, a)		__ALIGN_MASK(x, (typeof(x))(a) - 1)
>>  #define ALIGN_DOWN(x, a)	ALIGN((x) - ((a) - 1), (a))
>> @@ -17,6 +18,17 @@
>>  #define ARRAY_SIZE(arr) (sizeof(arr) / sizeof((arr)[0]) + __must_be_array(arr))
>>  #define ARRAY_AND_SIZE(x)	(x), ARRAY_SIZE(x)
>>  
>> +/*
>> + * Call func_variadic, when more than 2 arguments and func_fixed otherwise
>> + */
>> +#define __optionally_variadic2(func_fixed, func_variadic, arg1, arg2, ...) ({ \
>> +		char _______STR[] = __stringify((__VA_ARGS__));  \
>> +		sizeof(_______STR) > 3 ?                         \
>> +			func_variadic(arg1, arg2, ##__VA_ARGS__) \
>> +		:                                                \
>> +			func_fixed(arg1, arg2);                  \
>> +	})
>> +
>>  /*
>>   * This looks more complex than it should be. But we need to
>>   * get the type for the ~ right in round_down (it needs to be
>> -- 
>> 2.30.2
>>
>>
>>
> 


-- 
Pengutronix e.K.                           |                             |
Steuerwalder Str. 21                       | http://www.pengutronix.de/  |
31137 Hildesheim, Germany                  | Phone: +49-5121-206917-0    |
Amtsgericht Hildesheim, HRA 2686           | Fax:   +49-5121-206917-5555 |




[Index of Archives]     [Linux Embedded]     [Linux USB Devel]     [Linux Audio Users]     [Yosemite News]     [Linux Kernel]     [Linux SCSI]     [XFree86]

  Powered by Linux