Received: by 10.213.65.68 with SMTP id h4csp254493imn; Fri, 16 Mar 2018 01:57:13 -0700 (PDT) X-Google-Smtp-Source: AG47ELvY0cACoA0YWFRzHIK9cGGLqTOxGbDl0hbnef5dYCDrybX64RzDDj/5m1AsPst9vzml0fJr X-Received: by 10.98.214.218 with SMTP id a87mr928407pfl.146.1521190633595; Fri, 16 Mar 2018 01:57:13 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1521190633; cv=none; d=google.com; s=arc-20160816; b=rP9pXDvAzuG0joLT/prsL3jEoXfuCEBY4zEU9YU/+v9F1GEPFZRnCZvkIQbeq03wF8 RvslBIu7rq8W61y9uE89Hu8vrskSuSEu1ujwybFAum+qnhLLmNOi30ie6FAXfUdP4bdP KovVHSa+vE1Lcyew7nduxUlSOPBmcSRoAJAaKQgD01TI7SWKdH9tam1Gq07OExv/c9Ck G/PhE7WBgE2XK0m1Z3MpgBxEdXPXMONaMfT0Z0esU2RJ8eVBv3G76xFn7j4Hn34I5AtO 5fSCtxkC+ybo+fAuleZ3/5OSTfSd71zjepU4FZS/TTsZ65RO2uFt3h3FpYl7VJIH5FaI Ft+g== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:user-agent:in-reply-to :content-disposition:mime-version:references:message-id:subject:cc :to:from:date:arc-authentication-results; bh=qlnQw3EmtedPXgoM2mcoUwPCxO3uLRaFsyoSS6/m0n4=; b=gATfJw2Wyr1+zNBHehQyNFVizL007Vjit/p+chFKG6SsL9VBhQne2u+DPnGtn/5miW 3ZoI0nLNVfpiL9hxcLrWDAtjcauJv2/jZOgEp9eOVfOsVOj2VcW8xPyHKRtcOxx9YThG H8yvHQ5kM7cdBaQExcIorh04PF/RReiwt2mWcFmxWCcVK9Jh3JCLUnYOMeupCRk9cxkN Sf/iZWHavF30jHbUFzN6V++lvRUXgSrcWo/FmYxGFe0AFJZlO6O8xaZt+mtvlThe97Z/ uCoXX+jaltHmHeUpgx37EX6qKI8LBWOeADERjgHJS/YEBk8k0xTHgACh0QYwpoTjpfUT P6hQ== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id y1-v6si6255178pli.586.2018.03.16.01.57.00; Fri, 16 Mar 2018 01:57:13 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1753318AbeCPI4B (ORCPT + 99 others); Fri, 16 Mar 2018 04:56:01 -0400 Received: from mx2.suse.de ([195.135.220.15]:56803 "EHLO mx2.suse.de" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751094AbeCPIz7 (ORCPT ); Fri, 16 Mar 2018 04:55:59 -0400 X-Virus-Scanned: by amavisd-new at test-mx.suse.de Received: from relay2.suse.de (charybdis-ext.suse.de [195.135.220.254]) by mx2.suse.de (Postfix) with ESMTP id E08F6AD4C; Fri, 16 Mar 2018 08:55:57 +0000 (UTC) Date: Fri, 16 Mar 2018 09:55:56 +0100 From: Petr Mladek To: Sergey Senozhatsky Cc: Linus Torvalds , Steven Rostedt , Andy Shevchenko , Rasmus Villemoes , "Tobin C . Harding" , Joe Perches , Linux Kernel Mailing List , Andrew Morton , Michal Hocko , Sergey Senozhatsky Subject: Re: [PATCH v3] vsprintf: Prevent crash when dereferencing invalid pointers Message-ID: <20180316085556.t3j65zyuyjzro3n3@pathway.suse.cz> References: <20180309150153.3sxbbpd6jdn2d5yy@pathway.suse.cz> <20180314140947.rs3b6i5gguzzu5wi@pathway.suse.cz> <20180315075842.GD3628@jagdpanzerIV> <20180315080309.GF3628@jagdpanzerIV> <20180315130117.7c2fb761@vmware.local.home> <20180316011852.GA5139@jagdpanzerIV> <20180316055346.GB5139@jagdpanzerIV> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20180316055346.GB5139@jagdpanzerIV> User-Agent: NeoMutt/20170421 (1.8.2) Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Fri 2018-03-16 14:53:46, Sergey Senozhatsky wrote: > On (03/15/18 18:35), Linus Torvalds wrote: > > On Thu, Mar 15, 2018 at 6:18 PM, Sergey Senozhatsky > > wrote: > > > > > > Hm, may be sizeof(ptr) still won't suffice. It would be great if we > > > could always look at spec.field_width, which can be up to 2 * sizeof(void *), > > > and then just probe_kernel_read(spec.field_width). E.g., %b/%bl prints out a > > > bitmap, accessing max_t(int, spec.field_width, 0) bits, which is good. But, > > > for instance, %U (uuid printout) doesn't look at spec.field_width, and reads > > > in 16 bytes from the given memory address. Then we have ipv4/ipv6, mac, etc. > > > So I think that checking just 1 byte or sizeof(ptr) is not really enough if > > > we want to fix vsprintf. What do you think? > > > > Honestly, I think it would be better to move the whole logic to the > > functions that actually do the printout. > > > Would it be a few more lines? Yes. But it would also clarify the code > > and get all the cases right. Look at hex_string() for example, and > > imagine fetching a byte at a time and just getting the corner cases > > automatically right. I am learning every day. I like this idea and am happy that it is acceptable to others. > So, basically, what I tried to say - any byte past the first sizeof(ptr) > bytes or past the first byte that we check_access() can cause problems, > which this patch is trying to address. As an example, FORMAT_TYPE_STR > case > > printk("%.*s\n", p->buf) > vsnprintf() > string() > > Where ->buf is a _nearly always_ properly nul terminated char buf[128] > array in struct foo. So moving that check_access() to every function that > does printout sounds good to me, as well as checking every byte we access > [assuming that we want to cure vsprintf], not just the first one or the > first sizeof(ptr) bytes. I am not sure if it is worth it. I think that we would catch 99% of problems by checking the first byte. This patch was motivated by a code clean up rather than bug reports. The original patch removed two more strict checks and kept only the check for pure NULL. I suggested that it was the wrong way to go... I do not want to go suddenly to the other extreme. I suggest to start with simple check for the first byte and see how often it helps in the real life. We could always extend it later. Best Regards, Petr