Subject: Re: [PATCH?] reiserfs: prevent panic: don't allow %-char in journal dev. name
To: Andrew Morton, Randy Dunlap
Cc: LKML, reiserfs-devel@vger.kernel.org, Alexander Viro, Jeff Mahoney, Jan Kara, Frederic Weisbecker, Artem Bityutskiy, syzkaller-bugs@googlegroups.com, syzbot+6bd77b88c1977c03f584@syzkaller.appspotmail.com
From: Rasmus Villemoes
Date: Thu, 5 Apr 2018 11:04:56 +0200
Message-ID: <6b575956-6498-43c8-dc2c-9e2a0d5564a9@rasmusvillemoes.dk>
In-Reply-To: <20180404184517.9f2b91b856a56f71464f5f7f@linux-foundation.org>

On 2018-04-05 03:45, Andrew Morton wrote:
> On Wed, 4 Apr 2018 18:25:16 -0700 Randy Dunlap wrote:
>
>> From: Randy Dunlap
>>
>> If the reiserfs mount option's journal name contains a '%' character,
>> it can lead to a WARN_ONCE() in lib/vsprintf.c::format_decode(),
>> saying: "Please remove unsupported %/ in format string."
>> That's OK until panic_on_warn is set, at which point it's dead, Jim.
>>
>> To placate this situation, check the journal name string for a '%'
>> character and return an error if one is found. Also print a warning
>> (one that won't panic the kernel) about the invalid journal name (e.g.):
>>
>> reiserfs: journal device name is invalid: %/file0
>>
>> (In this example, the caller app specified the journal device name as
>> "%/file0".)
>>
>
> Well, that is a valid filename and we should support it...
>
> Isn't the bug in journal_init_dev()?

Urgh. At first I was about to reply that the real bug was in reiserfs.h
for failing to annotate __reiserfs_warning with __printf(). But digging
into it, it turns out that it implements its own printf extensions, so
that's obviously a non-starter.

Now, one thing is that some of those extensions clash with existing
standard modifiers (%z and %h, so if someone adds a correct %zu thing to
print a size_t in reiserfs things will break).

But, and I hope I'm wrong about this and just haven't had enough coffee,
this seems completely broken:

	while ((k = is_there_reiserfs_struct(fmt1, &what)) != NULL) {
		*k = 0;
		p += vsprintf(p, fmt1, args);

		switch (what) {
		case 'k':
			sprintf_le_key(p, va_arg(args, struct reiserfs_key *));
			break;

On architectures where va_list is a typedef for a one-element array of
some struct (x86-64), that works ok, because the vsprintf call can and
does update the args metadata. But when args is just a pointer into the
stack (i386), we don't know how much vsprintf consumed, and end up
consuming the same arguments again - only this time we may interpret
some random integer as a struct pointer...

A minimal program showing the difference:

#include <stdarg.h>
#include <stdio.h>

void f(const char *dummy, ...)
{
	va_list ap;
	int i;

	va_start(ap, dummy);
	for (i = 0; i < 5; ++i) {
		/* vprintf pulls one int from ap; whether f sees that
		 * depends on whether va_list is an array or a pointer */
		vprintf("%d\n", ap);
		printf("%d\n", va_arg(ap, int));
	}
	va_end(ap);
}

int main(int argc, char *argv[])
{
	f("bla", 1, 2, 3, 4, 5, 6, 7, 8, 9, 10);
	return 0;
}

Compiling for native (x86-64), this produces $(seq 10).
But with -m32, one gets 1,1,2,2,3,3,4,4,5,5.

Assuming reiserfs (at least its debugging infrastructure) isn't broken
on a bunch of architectures, I'm obviously missing something
fundamental. Please enlighten me.

Rasmus
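As an added example, not from this thread and not reiserfs code, one portable way to write such an extension formatter: never hand ap to vsprintf at all, but pull every conversion, standard and custom alike, with va_arg inside the one function, so the argument cursor is consistent on both the array (x86-64) and bare-pointer (i386) va_list ABIs. This is also what C11 7.16.1 requires, since ap is indeterminate in the caller once a callee has applied va_arg to it. struct key, put and key_snprintf are constructed stand-ins for reiserfs_key and its %k helper.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>
struct key { unsigned dir_id, obj_id; }; /* constructed stand-in for reiserfs_key */

/* Append src to out (capacity n); len tracks the untruncated length like snprintf. */
static void put(char *out, size_t n, size_t *len, const char *src)
{
    for (; *src; src++, (*len)++)
        if (*len + 1 < n) out[*len] = *src;
}

/* Custom %k formatter that never hands ap to vsprintf: every conversion, standard
 * or custom, is pulled with va_arg in this one function, so the cursor advances the
 * same way on array (x86-64) and bare-pointer (i386) va_list ABIs. */
static int key_vsnprintf(char *out, size_t n, const char *fmt, va_list ap)
{
    size_t len = 0; char tmp[32];
    for (; *fmt; fmt++) {
        if (*fmt != '%') { char c[2] = { *fmt, 0 }; put(out, n, &len, c); continue; }
        switch (*++fmt) {
        case 'd': snprintf(tmp, sizeof tmp, "%d", va_arg(ap, int)); break;
        case 'u': snprintf(tmp, sizeof tmp, "%u", va_arg(ap, unsigned)); break;
        case 's': put(out, n, &len, va_arg(ap, const char *)); continue;
        case 'k': { const struct key *k = va_arg(ap, const struct key *);
                    snprintf(tmp, sizeof tmp, "[%u %u]", k->dir_id, k->obj_id); break; }
        default:  /* "%%" emits one '%'; an unknown conversion is kept literally and takes no argument */
                  fmt -= (*fmt != '%'); put(out, n, &len, "%"); continue;
        }
        put(out, n, &len, tmp);
    }
    if (n) out[len < n ? len : n - 1] = '\0';
    return (int)len;
}

int key_snprintf(char *out, size_t n, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int r = key_vsnprintf(out, n, fmt, ap);
    va_end(ap);
    return r;
}

int main(void)
{
    char buf[64]; struct key k = { 3, 4 }; /* constructed sample key */
    key_snprintf(buf, sizeof buf, "a=%d key=%k b=%d s=%s 100%%", 1, &k, 2, "x");
    puts(buf); /* a=1 key=[3 4] b=2 s=x 100% */
}
```

Built with -m32 and with the native ABI this gives the same output, because no callee ever advances ap behind the formatter's back.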