Received: by 2002:a05:6358:1087:b0:cb:c9d3:cd90 with SMTP id j7csp5618235rwi; Tue, 18 Oct 2022 01:28:58 -0700 (PDT) X-Google-Smtp-Source: AMsMyM7Gdfkv77mnp21/9rkC/bA/VUdp6OTjjrn5GZnSsIOoqANTz+ZsfhrK6SKJHX99ahdROe2/ X-Received: by 2002:a05:6402:27c9:b0:45d:4539:b462 with SMTP id c9-20020a05640227c900b0045d4539b462mr1569320ede.226.1666081738486; Tue, 18 Oct 2022 01:28:58 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1666081738; cv=none; d=google.com; s=arc-20160816; b=Pur6CCxQFTWtaD7DDfsCN3wlw4PphQisZJlF9KeuuBsDP/FW8mHmG/mvQTXsyn/p1w KJ/ArNePbl+tfed1TldSSPNat1ANELuxT8tKn4/6LgRu6Yzy65pDe2rW1GsmCCxR3t+v BenIhY8WLOEhlym4WrcokLM5CQyugIJqTuYSl/Vj8TfeRl0s9Oh6ifc02eToHiVn73wu Ch7RRNymfqhzLruu9bCixRDtV1WzYHrWuw1l+j7sBoil6TL+O2TjL8GvPzZvYvawFC9p hhmoaUcZTcWy8HT1y5qWy+zlKzBAURm1ppFSJaRhEf5CGtmXpo6DVRjSJS6yVRUJWIp0 QSgg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:in-reply-to:content-disposition:mime-version :references:message-id:subject:cc:to:from:date:dkim-signature; bh=TSAE+c+dsC5XjlOC5IqazzYSnBRPPiiAmvwbhK4wdxE=; b=QvyZAGNmNKoM6dgPzDN92Lu1bYEW0fc57cqGo7e2C8Ose86T+wNI1KgBCh9fqEtfd+ LxN43vGt0SqvGmd/cNrjN4ywUTR4zWjBpOnl1A6Ei9741R5FSjGqhM/BUqpzsFgwpZ7B 3jvSWHttP6USboUixzlil4SK5syE/kBYAZKSn9hFMu4d6J8MyL4mF3/v/Eohe0jiNtdZ KpsObhKCuceSFO40vw8S4jm/zdv+7jGH9JxRQWQ0JwmgsjN0vvRpErHObXnOXmBMpwJC oGp/rn1DnunOrTzuWmL0lRYD3mnIEc2H3lItXyjqtIwdbVJW1pOZzjQUCr0DaLSvL4WR 9h2Q== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@suse.com header.s=susede1 header.b=WgzzRjSO; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=suse.com Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id ho33-20020a1709070ea100b007418e87eea8si11100482ejc.770.2022.10.18.01.28.32; Tue, 18 Oct 2022 01:28:58 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@suse.com header.s=susede1 header.b=WgzzRjSO; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=suse.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S229867AbiJRHlG (ORCPT + 99 others); Tue, 18 Oct 2022 03:41:06 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:60378 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229848AbiJRHlE (ORCPT ); Tue, 18 Oct 2022 03:41:04 -0400 Received: from smtp-out2.suse.de (smtp-out2.suse.de [195.135.220.29]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 4FECC5004F for ; Tue, 18 Oct 2022 00:41:01 -0700 (PDT) Received: from relay2.suse.de (relay2.suse.de [149.44.160.134]) by smtp-out2.suse.de (Postfix) with ESMTP id C01E91F9C5; Tue, 18 Oct 2022 07:40:59 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=suse.com; s=susede1; t=1666078859; h=from:from:reply-to:date:date:message-id:message-id:to:to:cc:cc: mime-version:mime-version:content-type:content-type: in-reply-to:in-reply-to:references:references; bh=TSAE+c+dsC5XjlOC5IqazzYSnBRPPiiAmvwbhK4wdxE=; b=WgzzRjSOd3P0Z2MlpBQ5DMO0OFuNMkf+8kmuZxz2+gKJeSSsQ53UGpaVbGt2LbmpbP32gI nl5Wv1ZR9H8YuJOAYfyZ6HrSt+eYRMD1In1wRGTqSwd7Fp6jx5oIqncTgCjNMRuWNJanI8 PIOWXE+aH0veENzPXxyfmoFf29LwroM= Received: from suse.cz (unknown [10.100.208.146]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by relay2.suse.de (Postfix) with ESMTPS id 6B1452C141; Tue, 18 Oct 2022 07:40:59 +0000 (UTC) Date: Tue, 18 Oct 2022 09:40:59 +0200 From: Petr Mladek To: Jane Chu Cc: Andy Shevchenko , "rostedt@goodmis.org" , "senozhatsky@chromium.org" , "linux@rasmusvillemoes.dk" , "linux-kernel@vger.kernel.org" Subject: Re: [PATCH v2] vsprintf: protect kernel from panic due to non-canonical pointer dereference Message-ID: References: <20221017194447.2579441-1-jane.chu@oracle.com> <71c9bce7-cd93-eb2f-5b69-de1a9ffe48b5@oracle.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <71c9bce7-cd93-eb2f-5b69-de1a9ffe48b5@oracle.com> X-Spam-Status: No, score=-4.4 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_MED,SPF_HELO_NONE, SPF_PASS autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Mon 2022-10-17 21:12:04, Jane Chu wrote: > On 10/17/2022 1:27 PM, Andy Shevchenko wrote: > > On Mon, Oct 17, 2022 at 01:44:47PM -0600, Jane Chu wrote: > >> While debugging a separate issue, it was found that an invalid string > >> pointer could very well contain a non-canical address, such as > > > > non-canical? > > Sorry, typo, will fix. > > > > >> 0x7665645f63616465. In that case, this line of defense isn't enough > >> to protect the kernel from crashing due to general protection fault > >> > >> if ((unsigned long)ptr < PAGE_SIZE || IS_ERR_VALUE(ptr)) > >> return "(efault)"; > >> > >> So run one more round of check via kern_addr_valid(). On architectures > >> that provide meaningful implementation, this line of check effectively > >> catches non-canonical pointers, etc. > > > > OK, but I don't see how this is useful in the form of returning efault here. > > Ideally we should inform user that the pointer is wrong and how it's wrong. > > But. It will crash somewhere else at some point, right? > Broadly speaking, yes. It's not a perfect line of defense, but again, > the bug scenario is a "cat" of some sysfs attributes that leads to > panic. Does it make sense for kernel to protect itself against panic > triggered by a "cat" from user if it could? From my view, the check might be useful. I agree with Andy that the broken pointer would cause crash later anyway. But the check in vsprintf() would allow to see a message that the pointer was wrong before the system crashes. That said, this was much more important in the past when printk() called vsprintf() under logbuf_lock. Nested printk() calls were redirected to per-CPU buffers and eventually lost. It works better now when printk() uses lockless ringbuffer and vsprintf() is called twice there. The first call is used to get the string length so that it could reserve the needed space in the ring buffer. If vsprintf() crashes during the 1st call then it would be possible to print the nested Oops messages. > I mean that there > > is no guarantee that kernel has protection in every single place against > > dangling / invalid pointers. One way or another it will crash. > > > > That said, honestly I have no idea how this patch may be considered > > anything but band-aid. OTOH, I don't see a harm. Perhaps others will > > share their opinions. > > > > 3+ years ago, commit 3e5903eb9cff7 ("vsprintf: Prevent crash when > dereferencing invalid pointers") provided the similar level of > protection as this patch. But it was soon revised by commit > 2ac5a3bf7042a ("vsprintf: Do not break early boot with probing > addresses"), and that's why the string() utility no longer detects > non-canonical string pointer. > > I only thought that kern_addr_valid() is less of a heavy hammer, and > could be safely deployed. Hmm, I see that kern_addr_valid() is available (defined) only on some architectures. This patch would break build on architectures where it is not defined. Also it is used only when reading /proc/kcore. It means that it is not tested during early boot. I wonder if it actually works during the very early boot. Result: The patch is not usable as is. IMHO, it is not worth the effort to get it working. Especially when printk() should be able to show Oops inside vsprintf() these days. Regards, Petr