Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <20180601005954.GP1392@brightrain.aerifal.cx>
Date: Thu, 31 May 2018 20:59:54 -0400
From: Rich Felker <dalias@...c.org>
To: musl@...ts.openwall.com
Subject: Re: Re: [PATCH] scanf: handle the L modifier for integers

On Fri, Jun 01, 2018 at 02:30:50AM +0200, Szabolcs Nagy wrote:
> * Rich Felker <dalias@...c.org> [2018-05-31 19:44:36 -0400]:
> > On Thu, May 31, 2018 at 10:44:42PM +0200, Natanael Copa wrote:
> > > Also many developers seems to think that
> > > Linux == glibc so they only read the GNU manuals, so yeah, implement
> > > glibc behavior here seems like a good idea, unless someone else has a
> > > brilliant idea how to catch this at compile time.
> > 
> > Aside from fixing gcc at compile time, this has come up before (with
> > regard to printf, not scanf), and my leaning then and now was to
> > detect the UB at runtime by crashing rather than reporting an error as
> > we do now, since (1) it's UB, so an application can't reasonably
> > expect an error, and (2) applications seem to be ignoring errors
> > anyway.
> > 
> > We should also get the man page fixed. The printf man page is clear
> > that L with integer specifiers is a nonstandard extension and should
> > not be used (they're not documented under L, only as a note at the
> > end) but it seems whoever fixed this overlooked changing scanf at the
> > same time.
> > 
> 
> also note that adding extensions to printf this way can break
> forward compatibility, because the standard can introduce %Ld
> with a different meaning, this happend before: in glibc scanf
> %a was used for 'allocation modifier' then later iso c introduced
> it for hex floats, now scanf behaves differently based on CFLAGS
> (standard conform mode uses different scanf), this involves hacks
> in glibc which nobody wants to repeat so nowadays new extensions
> are only added once they are expected to be standardized.

Yes. Not implementing nonstandard printf extensions was an intentional
choice, the only exception being %m which POSIX already specifies for
syslog(). The %a mess with scanf is a strong motivation for this
choice.

> (if musl aimed for full glibc compatibility then it would have
> to copy the messy %a behaviour too, fortunately that's not in
> widespread use just like the %Ld extension..)

musl also has general policy regarding inclusion or exclusion of
nonstandard functionality, and printf/scanf extensions fall pretty
strongly under exclude. They're not widely supported on other
implementations, already have portable alternatives, and have no way
to detect whether they're supported and work or not (since there are
no corresponding macros or configure-time symbol tests you could do to
check for them, and even runtime checks would invoke undefined
behavior.

Rich

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.