Received: by 10.223.185.116 with SMTP id b49csp5355359wrg; Wed, 7 Mar 2018 10:19:25 -0800 (PST) X-Google-Smtp-Source: AG47ELvz8sL0G+6gbj4NOgvnCwx/C0OWsFk79Yk+VmRVCn9Oj2ob8+svp2BknS36Yk2F8U7YQj3V X-Received: by 10.99.133.193 with SMTP id u184mr18396838pgd.401.1520446765554; Wed, 07 Mar 2018 10:19:25 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1520446765; cv=none; d=google.com; s=arc-20160816; b=rf9BdOSMl/D952oW+cNftS7e6OHA/w0aX91NgArgOQitRsRnhKix/WuzcaQKyGbmDS BPpDx2yG9MPYs3nR/CGfg3NyuwBokeThMbmQcCZqedEDRtgSx6Mi4Xx/AoqGKhGBkLMv hagI/au2T0lbg2vzr/Ku85W/fvU13bqXYymvUieaeSyPMUNeY1MNxHqti7ppZsaLSVsy o4MCw5Y2Q0xViawfVH4vaG/L1qpO3LFY5/oLF7K8J18ysdDYyA7KpAp0POQG5mjAeLBH 3vbgvumdV1luuc3LfWmbq3vS9mvurLcFuv5pJbubhEeFqg7a+NNUV2XqHFjx9pcB6RBR sN/Q== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :organization:references:in-reply-to:date:cc:to:from:subject :message-id:arc-authentication-results; bh=R7oryQz8kGIeEE2AYVuzsQ3Ee8qm2KpQI7tk7oSaJRE=; b=Lcf3W68VfCjvAvSU/Eu9w/ZF4r9Gv8ZF/zfrBHveuGjJu4UrjhCqEPOJ3fRmf9Lckq cvzvN89Iryv1lPw8xfAuRj2ZqKuni6byIpLAH/hV2yF0HSzslBxmPVhEK4afQIEs2FeQ E1qjlWQMOe+NT2t1+7tg4x/to8ojVEwqB6YuahSCgx+Xeca3LAdfKdqyol2t9CqSauB9 eGMVELtRjGVkzC/DxiOT6UGcskvrgAaRqoaT+AE0JZ5T5Y4J05B1hABn47YWCpi+CTDZ Oj0QqMUN71T6tOvuWMRZbjKYk5WLLXZxh6CyXWtPC35iBilqNmkYOtwCp7KAHJTZiTyB UJPw== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id x24si11635580pgv.124.2018.03.07.10.19.10; Wed, 07 Mar 2018 10:19:25 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1754457AbeCGSSO (ORCPT + 99 others); Wed, 7 Mar 2018 13:18:14 -0500 Received: from mga11.intel.com ([192.55.52.93]:22769 "EHLO mga11.intel.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751176AbeCGSSM (ORCPT ); Wed, 7 Mar 2018 13:18:12 -0500 X-Amp-Result: SKIPPED(no attachment in message) X-Amp-File-Uploaded: False Received: from orsmga006.jf.intel.com ([10.7.209.51]) by fmsmga102.fm.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 07 Mar 2018 10:18:12 -0800 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.47,436,1515484800"; d="scan'208";a="23735622" Received: from smile.fi.intel.com (HELO smile) ([10.237.72.86]) by orsmga006.jf.intel.com with ESMTP; 07 Mar 2018 10:18:10 -0800 Message-ID: <1520446689.10722.493.camel@linux.intel.com> Subject: Re: [PATCH] vsprintf: Make "null" pointer dereference more robust From: Andy Shevchenko To: Petr Mladek Cc: Rasmus Villemoes , "Tobin C . Harding" , Joe Perches , linux-kernel@vger.kernel.org, Andrew Morton , Michal Hocko Date: Wed, 07 Mar 2018 20:18:09 +0200 In-Reply-To: <20180307155244.b45c3fb5vcxb4q2l@pathway.suse.cz> References: <20180216210711.79901-8-andriy.shevchenko@linux.intel.com> <20180227155047.o74ohmoyj56up6pa@pathway.suse.cz> <1519752950.10722.231.camel@linux.intel.com> <20180228100437.o4juwxbzomkqjvjx@pathway.suse.cz> <1519814544.10722.266.camel@linux.intel.com> <20180302125118.bjd3tbuu72vgfczo@pathway.suse.cz> <20180302125359.szbin2kznxvoq7sc@pathway.suse.cz> <20180306092513.ibodfsnv4xrxdlub@pathway.suse.cz> <1520330185.10722.401.camel@linux.intel.com> <20180307155244.b45c3fb5vcxb4q2l@pathway.suse.cz> Organization: Intel Finland Oy Content-Type: text/plain; charset="UTF-8" X-Mailer: Evolution 3.26.5-1 Mime-Version: 1.0 Content-Transfer-Encoding: 7bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Wed, 2018-03-07 at 16:52 +0100, Petr Mladek wrote: > On Tue 2018-03-06 11:56:25, Andy Shevchenko wrote: > Anyway, I have discussed this with my colleagues. Different people had > different opinions. But I liked the following. I discussed as well, and... > We already prevent crash when derefencing some obviously broken > pointers. The handling is not consistent. Sometimes we print "(null)" > only for pure NULL pointer, sometimes for pointers in the first > page and sometimes also for pointers in the last page (error codes). > In general, we should do our best to get useful message from printk(). > This patch tries to find a wide range of invalid strings using > probe_kernel_read(). Also it makes the handling unified. We print: ...they are considering not crashing is a bad idea from debugging point of view. So, what is can be done is to: - print "(null)" only for null pointers - print error codes for IS_ERR() part - crash on everything else which partially what does my patch 1. > Note that we could not print the exact pointer value from security > reasons. If it's invalid we need to fix the code, not to hide a problem, right? > Developers need print the pointer using %px to get the real value. But how developer will know (w/o traceback) where to look for? > + if (probe_kernel_read(&byte, ptr, 1)) > + return "(efault)"; There is couple of flaws here: - If we asked to print 0 bytes of the value of pointer or something from extension (%*ph, %*pE, etc), we don't know if pointer valid or not, because we are going to print nothing. So, for now there is a ZERO_OR_NULL_PTR() check for them, but in reality I wouldn't know what the best to do in such case. So, the question is what we would like to know more: the pointer is invalid, or the spec.width is 0 and caller doesn't care in this case? - For IS_ERR() case it might be better to print an actual value of err, (4 chars + parens + 2 chars left, like (e:dddd) or similar. Unfortunately it doesn't scale good (ffff is a last error value we may print). So, perhaps printing as %p in this case is a good enough and scalable. -- Andy Shevchenko Intel Finland Oy