Received: by 10.213.65.68 with SMTP id h4csp655147imn; Fri, 6 Apr 2018 06:51:35 -0700 (PDT) X-Google-Smtp-Source: AIpwx4/b0peF5tqaOGYcR7rypn4le8Tzsju49YJVDeCezyYqMW4vYi2l/B0WHhBVHOC50Z2TTiBG X-Received: by 10.98.150.198 with SMTP id s67mr20711419pfk.191.1523022695303; Fri, 06 Apr 2018 06:51:35 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1523022695; cv=none; d=google.com; s=arc-20160816; b=tOdkzYKH656qnmWOUctSszrHgHvu7Y3HpwGtiEVj2O8LWAQWNbHQRpCJv816dbGfry SDBGtMDQWdkPx592RNIUCBCP0MBTntqeXrcb1nRn20dSB/buRRXqg4A0AUTzbTbEIj7t RRxI78utqvF76QGTNW/1vFLXgsjlLn4Os8T54aq4CWfqpg0gfuCfkL92vlqcWGVHb1do k7KAhpNYKpdLK3RX65Mm8kf/poYk08AQVnbrew15aASOoSS6FWGJCEg3c/nfhs8EPelW RpqoK3j3wUPf4nKQxEYTg80+VZhisSW4t17KKhmAqCY5XEU/lkA7Whyoy2JiGe08eJ2F 0JtA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding :content-language:in-reply-to:mime-version:user-agent:date :message-id:from:references:cc:to:subject:dkim-signature :arc-authentication-results; bh=hCL3BVDTKGOjMi1pnqrd8YVGmtcyGXVMXL8j+J2VSTI=; b=W4LqV//0vm7EOYWIruOjGujmIk9WHgHtknx2U+MVbO7FyPwisPSiBRX1OX9rDh4N1N wKsKomNBjM9MGIKDgPn8J3fTMABnFpPYvmMTYQI7sLAc3ZlCePAs/42ff5GztE2GHAxp U8eIg9Xo0i9lBG1xjyLn8rWG7+yQ9lLcOo+DdzByFuh7e/7lnUJ8vfHED6frvAc3/6Tp gFN2AdQ1sJHRkZ7v61RN24+A9K+i5kNRzWpfpVKLpAya7gvQrsK8KcEgIDq6qJzhqVFx 5c5YTJEgXsNsb7LwtpsAGl0FFG1yc4EHr0R//Jtk741RgC6r9BTiNhKx+cT2AoJ/2DWO mXZg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@rasmusvillemoes.dk header.s=google header.b=Zvd46TCv; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id k4-v6si8203736pls.240.2018.04.06.06.51.21; Fri, 06 Apr 2018 06:51:35 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@rasmusvillemoes.dk header.s=google header.b=Zvd46TCv; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S933073AbeDFNsd (ORCPT + 99 others); Fri, 6 Apr 2018 09:48:33 -0400 Received: from mail-lf0-f45.google.com ([209.85.215.45]:35502 "EHLO mail-lf0-f45.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1756968AbeDFNpR (ORCPT ); Fri, 6 Apr 2018 09:45:17 -0400 Received: by mail-lf0-f45.google.com with SMTP id j20-v6so635715lfk.2 for ; Fri, 06 Apr 2018 06:45:16 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rasmusvillemoes.dk; s=google; h=subject:to:cc:references:from:message-id:date:user-agent :mime-version:in-reply-to:content-language:content-transfer-encoding; bh=hCL3BVDTKGOjMi1pnqrd8YVGmtcyGXVMXL8j+J2VSTI=; b=Zvd46TCvi73vEgqfLS1CCnmEtHPGzfCrNZg1z4Ba9P4duttkqpx3DjiRK5wIYbSpk5 +iG04X61EfRWQK4LfGT8HUhX69hXuqCa2bibMkdv9SIUO9iMCiSykmAWQkxMHZQdxU6O xPcrKWbb1JRczNtAyCs6OIsp5re5V7RAquQuU= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:subject:to:cc:references:from:message-id:date :user-agent:mime-version:in-reply-to:content-language :content-transfer-encoding; bh=hCL3BVDTKGOjMi1pnqrd8YVGmtcyGXVMXL8j+J2VSTI=; b=Si4qR8JmU+dt8nSh7xl5Xmzw6oD3xhV7pOmIdL5o/gh3DScmOApBrT7e67xg7HUj2Q qnSbHsRXySzMe63VR7hAcvGisKHLYvibC4FdJ+Xh9wgQFuMVEttPbH8o90tt/kAXvApF mSooB3oZiCSIvpY3NpBPRr9wLFtUXVwHHBNFAsVYGTPdV4VSK3sCcpspKgyNtnkKIPE3 ATn+AOcdaV8xSudlKoklBwpbzEoVO1UrFO7GCZhQIUz2yoRsZec+NucvnkPw9m/1LvM5 VLCpebBDpnYIRzrLzSCZx8W+2Nac4YoUfcbRXuznv6s/pvOmB8f3mSa+jWk4wfC9/ugL L4Og== X-Gm-Message-State: ALQs6tCESGIHk7pfRcPDhoRle78JjTqkkgU84ju3zjBkqkwCRmPXrmRc 1q5O1JQKAZyHZGThuHpakzhT1g== X-Received: by 2002:a19:a949:: with SMTP id s70-v6mr2632167lfe.53.1523022315991; Fri, 06 Apr 2018 06:45:15 -0700 (PDT) Received: from [172.16.11.29] ([81.216.59.226]) by smtp.gmail.com with ESMTPSA id 63-v6sm2102550lfr.61.2018.04.06.06.45.14 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Fri, 06 Apr 2018 06:45:15 -0700 (PDT) Subject: Re: [PATCH?] reiserfs: prevent panic: don't allow %-char in journal dev. name To: Rasmus Villemoes , Andrew Morton , Randy Dunlap Cc: LKML , reiserfs-devel@vger.kernel.org, Alexander Viro , Jeff Mahoney , Jan Kara , Frederic Weisbecker , Artem Bityutskiy References: <20180404184517.9f2b91b856a56f71464f5f7f@linux-foundation.org> <6b575956-6498-43c8-dc2c-9e2a0d5564a9@rasmusvillemoes.dk> From: Rasmus Villemoes Message-ID: Date: Fri, 6 Apr 2018 15:45:14 +0200 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.6.0 MIME-Version: 1.0 In-Reply-To: <6b575956-6498-43c8-dc2c-9e2a0d5564a9@rasmusvillemoes.dk> Content-Type: text/plain; charset=utf-8 Content-Language: en-US Content-Transfer-Encoding: 7bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 2018-04-05 11:04, Rasmus Villemoes wrote: > On 2018-04-05 03:45, Andrew Morton wrote: >> >> Isn't the bug in journal_init_dev()? > > Urgh. At first I was about to reply that the real bug was in reiserfs.h > for failing to annotate __reiserfs_warning with __printf(). But digging > into it, it turns out that it implements its own printf extensions, so > that's obviously a non-starter. Now, one thing is that some of those > extension clash with existing standard modifiers (%z and %h, so if > someone adds a correct %zu thing to print a size_t in reiserfs things > will break). But, and I hope I'm wrong about this and just hasn't had > enough coffee, this seems completely broken: > > while ((k = is_there_reiserfs_struct(fmt1, &what)) != NULL) { > *k = 0; > > p += vsprintf(p, fmt1, args); > > switch (what) { > case 'k': > sprintf_le_key(p, va_arg(args, struct > reiserfs_key *)); > break; > > On architectures where va_list is a typedef for a one-element array of > some struct (x86-64), that works ok, because the vsprintf call can and > does update the args metadata. But when args is just a pointer into the > stack (i386), we don't know how much vsprintf consumed, and end up > consuming the same arguments again - only this time we may interpret > some random integer as a struct pointer... OK, so maybe -mregparm=3 would be the thing making i386 behave like x86-64 wrt. varargs, but no, when calling a variadic function, gcc pushes all arguments on the stack, and va_list is still just a pointer (passed by value to vsprintf) into the stack. It is only a problem when the format string contains ordinary specifiers before a reiserfs-specific one, and such calls happen to be rare, but not non-existing. One example would be reiserfs_warning(tb->tb_sb, "vs-12339", "%s (%b)", which, bh);. Ok, treating which as a buffer_head would probably just give some garbage numbers. But "reiserfs-16100", "STATDATA, index %d, type 0x%x, %h", vi->vi_index, vi->vi_type, vi->vi_ih ends up treating vi->vi_index as a struct item_head*, no? Rasmus