Received: by 2002:a05:6a10:7420:0:0:0:0 with SMTP id hk32csp4618083pxb; Tue, 22 Feb 2022 02:43:10 -0800 (PST) X-Google-Smtp-Source: ABdhPJwwmzN8nIq4OgNHDL3CDc0MPi9Pgw5aa+T3LLsmc5TFfUoWA7s6r8oDOdfXYB/XABGdmlHf X-Received: by 2002:a63:4543:0:b0:374:87b6:c9f5 with SMTP id u3-20020a634543000000b0037487b6c9f5mr1036229pgk.302.1645526590748; Tue, 22 Feb 2022 02:43:10 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1645526590; cv=none; d=google.com; s=arc-20160816; b=l3K0HC0OfEGT6K/7uJzin4x/HyxmSzgJpZbg2TDBPuxAc++7LLUqT7Xmsadrejmv+j 60bwx9VLUKRdL1omgQGcdYkAQyosyjG+g3PPMGSrnRAoEwvMAxs8RNdqAEDSuQFT81SM NlAPuZb54VTMwMxfSMriUooPAnGX2CWFLmTIVjvVJ1JMyBllHDUwL7+Dnn9ZxmoN0KYn ReANNcBBPAPHfmU2iy2p8hix6ENG3R2T+oVApXTa1snUNQj9tgB53NAh74L14ICi19mV f+sP15TmzEkzScfidswL/TZMEBuaAjb8+HnGJYZdih7cOxuqlKefKig4hDZmR6fRW2vd wHQw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:in-reply-to:from :references:cc:to:content-language:subject:user-agent:mime-version :date:message-id:dkim-signature; bh=+lVCwDiOku8kLSVJnTfKoIgYRuSLH77+xI/uMbyK9OA=; b=HSUe3ffaqw8DjG5ENQoZaqvEMO6H1njT/rqDiVsq+p76BvcIIqUFQmwsltCZ59U+yc Mwb1FoWbqMSGUwIZs6nDjGtXU4wVctHgxLzE0JbamRsCRVjgg026GiyqtoaCiTH7LBJm cYfcrznO5iC5HPF1/ZJM46xC3LrmM+u9voIhBPCwiyH2o2ANHHpCNJps3m4Y5lyJ9UuS Hpq4WVAdOd5DfbLDNTnI0rMhyGlesa1atpj04/obOb20aeHr9GO+Pk3Fyo/TfW6pVRDP n/Mu5SuXg4AZrqZ+PvC6lFv/cFM43hKlXohtp6lcf4N/uhuWzjclFbAIByuXJ/dpVOf5 yRAA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@rasmusvillemoes.dk header.s=google header.b=g42GYshz; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id b16si31635387pll.168.2022.02.22.02.42.56; Tue, 22 Feb 2022 02:43:10 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@rasmusvillemoes.dk header.s=google header.b=g42GYshz; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S231287AbiBVKgL (ORCPT + 99 others); Tue, 22 Feb 2022 05:36:11 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:34276 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S230313AbiBVKgJ (ORCPT ); Tue, 22 Feb 2022 05:36:09 -0500 Received: from mail-lf1-x12c.google.com (mail-lf1-x12c.google.com [IPv6:2a00:1450:4864:20::12c]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id D864515B993 for ; Tue, 22 Feb 2022 02:35:42 -0800 (PST) Received: by mail-lf1-x12c.google.com with SMTP id bu29so23960072lfb.0 for ; Tue, 22 Feb 2022 02:35:42 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rasmusvillemoes.dk; s=google; h=message-id:date:mime-version:user-agent:subject:content-language:to :cc:references:from:in-reply-to:content-transfer-encoding; bh=+lVCwDiOku8kLSVJnTfKoIgYRuSLH77+xI/uMbyK9OA=; b=g42GYshzG9e6NElFaCS8Jefbr7OC5dly7FlECjdhp3xNpsCgJClndEfQTRjDb4e8u7 2jqdHuQ0aJKFx/7JdrgipgzJd3fTdqCpZ0f5/VE72oALWFrHqtBLylrIqUKokBuJmByw xSUNTd+M4uvzCWa91yZzcdnh5pqshAnihRmns= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:message-id:date:mime-version:user-agent:subject :content-language:to:cc:references:from:in-reply-to :content-transfer-encoding; bh=+lVCwDiOku8kLSVJnTfKoIgYRuSLH77+xI/uMbyK9OA=; b=Uso9NFB2rnJKW5tns3YsnURkEQBwovi1KiKrUkG+4cv6AIX1AWkO2IcXlknu1SkZC1 vKKNwYoA9Om6+JCcXho1PSmweDL8NeAnPu9fa3fcPeF+PsO3osWOF3e25fCjjfA8pA+7 IDRvrBcwFkCIqQT627g6JD1pSqazhE8Ze3JZk7a4s2ewvslr6+jaiazzJfezC7hQRqFI Zsb9AjtZmNLjV0N+ksIYWqOm0IwNOsDEZWEmKICYMpyKtdDy3mRqRq2CIpSqaWh+aXaW UdhYbh8RX2TXH+Qgt6FoxNa4CwjPfh71pm20apKc+gz59QFehK+h1SncP4nKlzKomTJG pcNw== X-Gm-Message-State: AOAM532LaX/3686ua1T84JoANPpY8Uof7fpGJ39bpEzp77dbeD8xXwWP x8Ad/Tg7tx+t8qRv6t7jO7GQPDXxz7y/E9GV X-Received: by 2002:ac2:46ef:0:b0:443:3c30:a372 with SMTP id q15-20020ac246ef000000b004433c30a372mr16966119lfo.626.1645526141133; Tue, 22 Feb 2022 02:35:41 -0800 (PST) Received: from [172.16.11.74] ([81.216.59.226]) by smtp.gmail.com with ESMTPSA id m7sm1638575ljb.87.2022.02.22.02.35.39 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Tue, 22 Feb 2022 02:35:40 -0800 (PST) Message-ID: <10bbffc2-f144-8555-d41b-fede69a13c16@rasmusvillemoes.dk> Date: Tue, 22 Feb 2022 11:35:39 +0100 MIME-Version: 1.0 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Thunderbird/91.5.0 Subject: Re: [PATCH v4 12/20] vsprintf: add new `%pA` format specifier Content-Language: en-US To: Petr Mladek , Miguel Ojeda Cc: Andy Shevchenko , Miguel Ojeda , Linus Torvalds , Greg Kroah-Hartman , rust-for-linux , linux-kernel , Gary Guo , Alex Gaynor , Wedson Almeida Filho , Steven Rostedt , Sergey Senozhatsky References: <20220212130410.6901-1-ojeda@kernel.org> <20220212130410.6901-13-ojeda@kernel.org> From: Rasmus Villemoes In-Reply-To: Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 7bit X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,NICE_REPLY_A,RCVD_IN_DNSWL_NONE, SPF_HELO_NONE,SPF_PASS,T_SCC_BODY_TEXT_LINE autolearn=unavailable autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 22/02/2022 10.29, Petr Mladek wrote: > On Mon 2022-02-14 13:12:24, Miguel Ojeda wrote: >> On Mon, Feb 14, 2022 at 11:52 AM Rasmus Villemoes >> wrote: >>> >>> I think the point is for vsnprintf() to call (back) into Rust code. >> >> Indeed, this is the case. >> >>> That said, I don't like the !CONFIG_RUST version to return NULL, that >>> will surely crash moments later. >>> >>> So I prefer something like >>> >>> [rust.h] >>> // no CONFIG_RUST conditional >>> +char *rust_fmt_argument(char* buf, char* end, void *ptr); >>> >>> [vsprintf.c] >>> + case 'A': >>> + if (IS_ENABLED(CONFIG_RUST)) >>> + return rust_fmt_argument(buf, end, ptr); >>> + else >>> + return string_nocheck(buf, end, "[%pA in non-Rust >>> code?!]", default_str_spec); > > Any long message might cause buffer overflow when the caller expects > fixed short string. If the caller (1) uses a %p extension from C code which should only be used from Rust and (2) uses sprintf() or another variant where he doesn't provide the real buffer bounds, well, then he certainly gets to keep the pieces. It is a much worse problem that if CONFIG_RUST is enabled, we can't know that we were actually called from Rust (but when !CONFIG_RUST, we certainly know that we weren't), so we could call into rust_fmt_argument with a pointer which certainly doesn't point to the/a data structure which that Rust code expects. But we can't do anything about it, we will just have to rely on static analysis to flag any use of %pA in C code. > The most safe solution would be to use WARN_ONCE(). Preferably no, we shouldn't call into the printk machinery from within vsnprintf(). I know I've added a few myself (AFAIR for use of %n or other unsupported specifiers, and for overflow of precision/field width), and I've often thought about a way to get rid of them while still making sure some message eventually gets logged (once). Rasmus