Hello Sascha,
On 20.06.22 09:47, Sascha Hauer wrote:
> On Mon, Jun 20, 2022 at 09:21:39AM +0200, Ahmad Fatoum wrote:
>> From: Sascha Hauer <s.hauer@xxxxxxxxxxxxxx>
>>
>> It's a common pattern to (ba)sprintf to a string and then call setenv()
>> with this string. Let setenv() take printf arguments to make that
>> easier. To avoid the overhead that goes with changing other callers
>> to using setenv(var, "%s", val) to avoid security implications (and
>> GCC warnings), fallback to the non-formatted version when there are
>> only two arguments.
>>
>> Signed-off-by: Sascha Hauer <s.hauer@xxxxxxxxxxxxxx>
>> [afa: fall back to non-formatted version on old two arg version]
>> Signed-off-by: Ahmad Fatoum <a.fatoum@xxxxxxxxxxxxxx>
>> ---
>> Thoughts?
>
> While I'm impressed by this macro I don't like this very much. My desire
> was to simplify things, now with this patch I'm no longer sure I reached
> that goal.
Usage _is_ simpler. Declaration indeed looks a bit odd, but ¯\_(ツ)_/¯
>
> Alternatively we could
>
> a) Drop the original patch
> b) Replace the problematic places with setenv(foo, "%s", not_a_string_literal);
> c) Pass -Wno-format-security, The Kernel does this for over a decade.
Then it probably needs to be revisited there then.
> My vote is c)
I am not fine with c). We don't sanitize for % in environment variable values and ignoring the warning has very clear security implications.
Cheers,
Ahmad
>
> Sascha
>
>> ---
>> common/env.c | 37 +++++++++++++++++++++++++++++++++----
>> include/environment.h | 19 +++++++++++++++++--
>> include/linux/kernel.h | 12 ++++++++++++
>> 3 files changed, 62 insertions(+), 6 deletions(-)
>>
>> diff --git a/common/env.c b/common/env.c
>> index 05add63f625c..c36f6846ee21 100644
>> --- a/common/env.c
>> +++ b/common/env.c
>> @@ -243,15 +243,15 @@ static int dev_setenv(const char *name, const char *val)
>> }
>>
>> /**
>> - * setenv - set environment variables
>> + * __setenv_str - set environment variables
>> * @_name - Variable name
>> * @value - the value to set, empty string not handled specially
>> *
>> * Returns 0 for success and a negative error code otherwise
>> - * Use unsetenv() to unset.
>> + * Use unsetenv() to unset. Don't use directly, use setenv()
>> */
>>
>> -int setenv(const char *_name, const char *value)
>> +int __setenv_str(const char *_name, const char *value)
>> {
>> char *name = strdup(_name);
>> int ret = 0;
>> @@ -275,7 +275,36 @@ out:
>>
>> return ret;
>> }
>> -EXPORT_SYMBOL(setenv);
>> +EXPORT_SYMBOL(__setenv_str);
>> +
>> +/**
>> + * __setenv_fmt - set environment variables
>> + * @name - Variable name
>> + * @fmt - format string describing how to format arguments to come
>> + *
>> + * Returns 0 for success and a negative error code otherwise
>> + * Use unsetenv() to unset. Don't use directly, use setenv()
>> + */
>> +
>> +int __setenv_fmt(const char *name, const char *fmt, ...)
>> +{
>> + va_list ap;
>> + int ret;
>> + char *value;
>> +
>> + va_start(ap, fmt);
>> + ret = vasprintf(&value, fmt, ap);
>> + va_end(ap);
>> +
>> + if (ret < 0)
>> + return ret;
>> +
>> + ret = __setenv_str(name, value);
>> +
>> + free(value);
>> + return ret;
>> +}
>> +EXPORT_SYMBOL(__setenv_fmt);
>>
>> int export(const char *varname)
>> {
>> diff --git a/include/environment.h b/include/environment.h
>> index 19e522cfb6b4..e5b9a9da3167 100644
>> --- a/include/environment.h
>> +++ b/include/environment.h
>> @@ -7,6 +7,7 @@
>> #ifndef _ENVIRONMENT_H_
>> #define _ENVIRONMENT_H_
>>
>> +#include <linux/kernel.h>
>> #include <linux/list.h>
>> #include <errno.h>
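Review bot: In `__setenv_fmt`, `if (ret < 0) return ret;` hands the caller whatever `vasprintf` returned on failure, which under the usual libc convention is a plain -1 rather than the negative error code the comment above the function promises; a caller that compares against -ENOMEM or maps the value to a message would get the wrong answer. Returning an explicit code, `if (ret < 0) return -ENOMEM;`, keeps the contract stated in the kernel-doc. This presumes barebox's `vasprintf` does not already return a negative errno value; if it does, the comment on the function should say so instead.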
>>
>> @@ -31,7 +32,8 @@ char *var_name(struct variable_d *);
>>
>> #ifdef CONFIG_ENVIRONMENT_VARIABLES
>> const char *getenv(const char *);
>> -int setenv(const char *, const char *);
>> +int __setenv_str(const char *, const char *val);
>> +int __setenv_fmt(const char *, const char *fmt, ...) __printf(2, 3);
>> void export_env_ull(const char *name, unsigned long long val);
>> int getenv_ull(const char *name, unsigned long long *val);
>> int getenv_ul(const char *name, unsigned long *val);
>> @@ -44,7 +46,13 @@ static inline char *getenv(const char *var)
>> return NULL;
>> }
>>
>> -static inline int setenv(const char *var, const char *val)
>> +static inline int __setenv_str(const char *var, const char *val)
>> +{
>> + return 0;
>> +}
>> +
>> +static inline __printf(2, 3) int __setenv_fmt(
>> + const char *var, const char *fmt, ...)
>> {
>> return 0;
>> }
>> @@ -82,6 +90,13 @@ static inline const char *getenv_nonempty(const char *var)
>> }
>> #endif
>>
>> +/*
>> + * avoid the varargs overhead when using a fixed string
>> + */
>> +#undef setenv
>> +#define setenv(args...) \
>> + __optionally_variadic2(__setenv_str, __setenv_fmt, args)
>> +
>> int env_pop_context(void);
>> int env_push_context(void);
>>
>> diff --git a/include/linux/kernel.h b/include/linux/kernel.h
>> index 4483d33e65bb..ebae8f666cf6 100644
>> --- a/include/linux/kernel.h
>> +++ b/include/linux/kernel.h
>> @@ -7,6 +7,7 @@
>> #include <linux/barebox-wrapper.h>
>> #include <linux/limits.h>
>> #include <linux/math64.h>
>> +#include <linux/stringify.h>
>>
>> #define ALIGN(x, a) __ALIGN_MASK(x, (typeof(x))(a) - 1)
>> #define ALIGN_DOWN(x, a) ALIGN((x) - ((a) - 1), (a))
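Review bot: The comment above `#define setenv(args...)` in the last environment.h hunk gives the minor reason (varargs overhead) and leaves out the one that matters: the two-argument form must go to `__setenv_str` so that a value containing `%` is stored verbatim and never treated as a format string, while the three-plus form reaches `__setenv_fmt`, whose `__printf(2, 3)` lets the compiler check the literal. Suggested wording: `/* Two arguments: store value verbatim (never parsed as a format). Three or more: printf-style, fmt is checked via __printf(). */`. Since `setenv` is now a function-like macro with no remaining prototype, any non-call use of the name (taking its address, a function-pointer table, a redeclaration in a translation unit that includes this header) stops compiling, and the `#undef setenv` will discard any earlier definition without a diagnostic; that is probably acceptable for this tree but deserves a sentence in the comment.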
>> @@ -17,6 +18,17 @@
>> #define ARRAY_SIZE(arr) (sizeof(arr) / sizeof((arr)[0]) + __must_be_array(arr))
>> #define ARRAY_AND_SIZE(x) (x), ARRAY_SIZE(x)
>>
>> +/*
>> + * Call func_variadic, when more than 2 arguments and func_fixed otherwise
>> + */
>> +#define __optionally_variadic2(func_fixed, func_variadic, arg1, arg2, ...) ({ \
>> + char _______STR[] = __stringify((__VA_ARGS__)); \
>> + sizeof(_______STR) > 3 ? \
>> + func_variadic(arg1, arg2, ##__VA_ARGS__) \
>> + : \
>> + func_fixed(arg1, arg2); \
>> + })
>> +
>> /*
>> * This looks more complex than it should be. But we need to
>> * get the type for the ~ right in round_down (it needs to be
>> --
>> 2.30.2
>>
>>
>>
> -- Pengutronix e.K. | | Steuerwalder Str. 21 | http://www.pengutronix.de/ | 31137 Hildesheim, Germany | Phone: +49-5121-206917-0 | Amtsgericht Hildesheim, HRA 2686 | Fax: +49-5121-206917-5555 |
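Review bot: `char _______STR[] = __stringify((__VA_ARGS__));` declares a local array (with a name in the reserved leading-underscore namespace) only so that `sizeof` can be taken of it; the same constant is available directly from the literal, `sizeof(__stringify((__VA_ARGS__))) > 3 ?`, which removes the object and the identifier. The `> 3` deserves a comment, e.g. `/* with no extra arguments __stringify((__VA_ARGS__)) is "()", 3 bytes including the NUL */`. Note that both arms of the `?:` are compiled even though the condition is a constant, so in the two-argument case `func_variadic(arg1, arg2)` with a non-literal `arg2` is presumably still seen by the front end's format checking; worth confirming that -Wformat-security actually stays quiet, since silencing it was the stated goal. The `({ })` statement expression and `##__VA_ARGS__` are GNU extensions, in line with the rest of this header.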