On Mon, Jun 20, 2022 at 09:59:00AM +0200, Ahmad Fatoum wrote: > Hello Sascha, > > On 20.06.22 09:47, Sascha Hauer wrote: > > On Mon, Jun 20, 2022 at 09:21:39AM +0200, Ahmad Fatoum wrote: > >> From: Sascha Hauer <s.hauer@xxxxxxxxxxxxxx> > >> > >> It's a common pattern to (ba)sprintf to a string and then call setenv() > >> with this string. Let setenv() take printf arguments to make that > >> easier. To avoid the overhead that goes with changing other callers > >> to using setenv(var, "%s", val) to avoid security implications (and > >> GCC warnings), fallback to the non-formatted version when there are > >> only two arguments. > >> > >> Signed-off-by: Sascha Hauer <s.hauer@xxxxxxxxxxxxxx> > >> [afa: fall back to non-formatted version on old two arg version] > >> Signed-off-by: Ahmad Fatoum <a.fatoum@xxxxxxxxxxxxxx> > >> --- > >> Thoughts? > > > > While I'm impressed by this macro I don't like this very much. My desire > > was to simplify things, now with this patch I'm no longer sure I reached > > that goal. > > Usage _is_ simpler. Declaration indeed looks a bit odd, but ¯\_(ツ)_/¯ > > > > > Alternatively we could > > > > a) Drop the original patch > > b) Replace the problematic places with setenv(foo, "%s", not_a_string_literal); > > c) Pass -Wno-format-security, The Kernel does this for over a decade. > > Then it probably needs to be revisited there then. > > > My vote is c) > > I am not fine with c). We don't sanitize for % in environment variable values > and ignoring the warning has very clear security implications. Ok, good point. Then there's of course d) keep setenv like it was before and introduce pr_setenv(const char *_name, const char *fmt, ...) Sascha -- Pengutronix e.K. | | Steuerwalder Str. 21 | http://www.pengutronix.de/ | 31137 Hildesheim, Germany | Phone: +49-5121-206917-0 | Amtsgericht Hildesheim, HRA 2686 | Fax: +49-5121-206917-5555 |
