Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1753543AbdLSXYc (ORCPT ); Tue, 19 Dec 2017 18:24:32 -0500 Received: from mail-it0-f49.google.com ([209.85.214.49]:43731 "EHLO mail-it0-f49.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1752854AbdLSXYa (ORCPT ); Tue, 19 Dec 2017 18:24:30 -0500 X-Google-Smtp-Source: ACJfBot8mSy12PaV2B9W9sv7E2zVbvWzL7dNcXf0le9I/SXeIhMh2a4O2x1ky/1YnWaAsddjTpoNJcnFJp+PrQalli8= MIME-Version: 1.0 In-Reply-To: <20171219214849.GU21978@ZenIV.linux.org.uk> References: <001a113e9ca8a3affd05609d7ccf@google.com> <6a50d160-56d0-29f9-cfed-6c9202140b43@I-love.SAKURA.ne.jp> <20171219083746.GR19604@eros> <20171219132246.GD13680@bombadil.infradead.org> <20171219214849.GU21978@ZenIV.linux.org.uk> From: Linus Torvalds Date: Tue, 19 Dec 2017 15:24:29 -0800 X-Google-Sender-Auth: Eux4OcSeL1mBpItM2dfLwN6QsLY Message-ID: Subject: Re: BUG: bad usercopy in memdup_user To: Al Viro Cc: Matthew Wilcox , "Tobin C. Harding" , Dmitry Vyukov , Kees Cook , Tetsuo Handa , Linux-MM , syzbot , David Windsor , keun-o.park@darkmatter.ae, Laura Abbott , LKML , Mark Rutland , Ingo Molnar , syzkaller-bugs@googlegroups.com, Will Deacon Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 1749 Lines: 41 On Tue, Dec 19, 2017 at 1:48 PM, Al Viro wrote: > On Tue, Dec 19, 2017 at 01:36:46PM -0800, Linus Torvalds wrote: > >> I suspect that an "offset and size within the kernel object" value >> might make sense. But what does the _pointer_ tell you? > > Well, for example seeing a 0xfffffffffffffff4 where a pointer to object > must have been is a pretty strong hint to start looking for a way for > that ERR_PTR(-ENOMEM) having ended up there... Something like > 0x6e69622f7273752f is almost certainly a misplaced "/usr/bin", i.e. a > pathname overwriting whatever it ends up in, etc. And yes, I have run > into both of those in real life. Sure. But that's for a faulting address when you have an invalid pointer. That's not the case here at all. Here, we've explicitly checked that it's a kernel pointer of some particular type (in a slab cache in this case), and the pointer is valid but shouldn't be copied to/from user space. So it's not something like 0xfffffffffffffff4 or 0x6e69622f7273752f. It's something like "in slab cache for size 1024". So the pointer value isn't interesting. But the offset within the slab could be. See? This is what I am talking about. People don't actually seem to *think* about what the %p is. There seems to be very little critical thinking about what should be printed out, and what is actually useful. The most common thing seems to be "I'm confused by a bad value". But that should *not* cause a mindless "let's not hash it" reaction. It should cause actual thinking about the situation! Not about %p in general, but very much about the situation of THAT PARTICULAR use of %p. That's what I'm looking for, and what I'm not seeing in these discussions. Linus