Received: by 10.213.65.68 with SMTP id h4csp3535515imn; Tue, 3 Apr 2018 06:43:38 -0700 (PDT) X-Google-Smtp-Source: AIpwx49uWYzRowO+rQO/DA4647XQVDi6k5bMRR/AY9w+dqTWOySiAxWIfioHpR4h40ZPJ4Tmm/Y3 X-Received: by 2002:a17:902:3225:: with SMTP id y34-v6mr14709360plb.180.1522763018698; Tue, 03 Apr 2018 06:43:38 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1522763018; cv=none; d=google.com; s=arc-20160816; b=nIwkzA6arN3+O6xijyoo5zv5rbNMSqOyLRxHj+cKZpX2jLG5UEzLTsJcWM/nyGyo+f FQ99RkTQ0mOPvBENg+u4R1/uUSWF01PxbmvSRfI8uRHHuoQ+h4cB1M3mKrHj4o+G4iuH klYWPQr9nnrV3oihJr0649cDAq/NFtK6G5mky9VBteJkNxRp205kG+0Y/tA8dGCxJdx4 anMnSz4xAr9oaEl5f/j+Q1R6K2AYmi/Xv9qiwmaaHp7LTY/GRkHiUX60YkFV++hhhVCM P10QoBeexFAGEsVyk52xugUgFKEQpCdXFJ8UrxqLClshIEJUclAe8SjJtyU9/OmFuKN0 ZtfA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :organization:references:in-reply-to:date:cc:to:from:subject :message-id:arc-authentication-results; bh=UWrjpLWnxGH4S1BgBCipgHeZmYuvjSfojEJt3i2AD6k=; b=irDGQvqKUiLRN+qfTbRndO60e+1nteFAd7EEnVY+sUSBNluka4vjDBcLSwQr39eE1I URiPfujq3PpDcZFNAdi4c91NwSns6C3sk8PXXBxajr4OQyEHGppBO+u4r2rhLRPK805G Jsm8RC56cIS7YTVhIXkvmqy+3G1wbqwR7Y8kL8UTxx25T1OywEAcYFya9PC8APLlpKfO K/oqrGeD2JQsH44U6dUJwyR8zc2MMX5lcCZjwc3GC/Jw3KTRYzXemx/R08DEF4JfBaFl +rwkBAofaeNTPEa5zZwZE7Ly6x9RFEIZWsS+g7l7d7hnG7IZb/nDkF10k5/s8sxk++7U 8Pgw== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id i1si2019132pgp.542.2018.04.03.06.43.23; Tue, 03 Apr 2018 06:43:38 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1751195AbeDCNlE (ORCPT + 99 others); Tue, 3 Apr 2018 09:41:04 -0400 Received: from mga02.intel.com ([134.134.136.20]:25192 "EHLO mga02.intel.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1750777AbeDCNlD (ORCPT ); Tue, 3 Apr 2018 09:41:03 -0400 X-Amp-Result: SKIPPED(no attachment in message) X-Amp-File-Uploaded: False Received: from fmsmga006.fm.intel.com ([10.253.24.20]) by orsmga101.jf.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 03 Apr 2018 06:41:02 -0700 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.48,401,1517904000"; d="scan'208";a="217144280" Received: from smile.fi.intel.com (HELO smile) ([10.237.72.86]) by fmsmga006.fm.intel.com with ESMTP; 03 Apr 2018 06:40:59 -0700 Message-ID: <1522762858.21176.327.camel@linux.intel.com> Subject: Re: [PATCH v3] vsprintf: Prevent crash when dereferencing invalid pointers From: Andy Shevchenko To: Petr Mladek Cc: Linus Torvalds , Rasmus Villemoes , "Tobin C . Harding" , Joe Perches , Linux Kernel Mailing List , Andrew Morton , Michal Hocko , Sergey Senozhatsky , Steven Rostedt , Sergey Senozhatsky Date: Tue, 03 Apr 2018 16:40:58 +0300 In-Reply-To: <20180403131346.vwjpz475fzah5a6p@pathway.suse.cz> References: <20180309150153.3sxbbpd6jdn2d5yy@pathway.suse.cz> <20180314140947.rs3b6i5gguzzu5wi@pathway.suse.cz> <1521119343.10722.665.camel@linux.intel.com> <20180315152607.xgzjmj5as6lg42dy@pathway.suse.cz> <1521224375.23017.41.camel@linux.intel.com> <20180329145312.4uqygrjqy3fqyl26@pathway.suse.cz> <1522678523.21176.178.camel@linux.intel.com> <20180403114600.uc7sqeoqt7fmdd66@pathway.suse.cz> <1522756458.21176.314.camel@linux.intel.com> <20180403131346.vwjpz475fzah5a6p@pathway.suse.cz> Organization: Intel Finland Oy Content-Type: text/plain; charset="UTF-8" X-Mailer: Evolution 3.26.5-1+b1 Mime-Version: 1.0 Content-Transfer-Encoding: 7bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Tue, 2018-04-03 at 15:13 +0200, Petr Mladek wrote: > On Tue 2018-04-03 14:54:18, Andy Shevchenko wrote: > > On Tue, 2018-04-03 at 13:46 +0200, Petr Mladek wrote: > > > On Mon 2018-04-02 17:15:23, Andy Shevchenko wrote: > > > > On Thu, 2018-03-29 at 16:53 +0200, Petr Mladek wrote: > > > > > On Fri 2018-03-16 20:19:35, Andy Shevchenko wrote: > > > > > > On Thu, 2018-03-15 at 16:26 +0100, Petr Mladek wrote: > > > > > > > On Thu 2018-03-15 15:09:03, Andy Shevchenko wrote: > > > > > > > > I still think that printing a hex value of the error > > > > > > > > code is > > > > > > > > much > > > > > > > > better > > > > > > > > than some odd "(efault)". > > > > > > > > > > > > > > Do you mean (err:0e)? Google gives rather confusing > > > > > > > answers > > > > > > > for > > > > > > > this. > > > > > > > > > > > > More like "(0xHHHH)" (we have already more than 512 error > > > > > > code > > > > > > numbers. > > > > > > > > > > Hmm, I have never seen the error code in this form. > > > > > > > > We have limited space to print it and error numbers currently > > > > can be > > > > up > > > > to 0xfff (4095). So, I have no better idea how to squeeze them > > > > while > > > > thinking that "(efault)" is much harder to parse in case of > > > > error > > > > pointer. > > > > > > But this will not be used instead of address value. It is used in > > > situations > > > where we print the information that is stored at the address, for > > > example, > > > string, IP address, dentry name. > > > > We have a lot of API functions which returns: > > -ERR_PTR > > NULL > > struct foo * > > > > There is no guarantee that one of that API won't be used as a > > supplier > > for printf(). > > OK, I think that I have finally understood it. You would like to > detect ERR_PTR values and handle them specially? I mean to show > the value? > > But then we would need to distinguish three types of errors, > something like: > > + (null) for pure NULL address > + (e:XXXX) for address in IS_ERR_VALUE() range // Just IS_ERR(). IS_ERR_VALUE() is not meant to be used widely > + (efault) for any other invalid address > > Then people might want to see values also from the first 4096 bytes. > This is getting too complicated. No, it's not. (null) case is already in kernel, you came with (efault), but IS_ERR() case or any other case like it is just printing of standard pointer value. See in the code where special_hex_number() is called. > I am not sure if it is worth it. Your patch will hide values for error codes. Not good for debugging. > > > > You can't dereference ERR_PTR value, but anything else except the > > actual > > error value is worse than value itself... > > Yes and no, see below. Yes, there is no "no". > > > > > > > > > Also google gives > > > > > rather confusing results when searching, for example for > > > > > "(0x000E)". > > > > > > > > It's not primarily for google, though yeah, people would google > > > > for > > > > error messages... > > > > > > > > Another question is what the format: decimal versus hex for > > > > errors. > > > > Maybe just "(-DDDDD)"? > > > > > > This still looks confusing and google does not help. > > > > ...then we have a last option just to print a value as a pointer > > address. > > We could not print the real address from security reasons. The hashed > pointer value is not much helpful. IMHO, a common error string is > easier to spot or search for. Did you read what I'm writing? How on the earth the pointer in the range of -1...-4095 would be a security issue?! -- Andy Shevchenko Intel Finland Oy