Date: Wed, 11 Jan 2023 10:43:05 +0000
To: Miguel Ojeda
From: Björn Roy Baron
Cc: Wedson Almeida Filho, Alex Gaynor, Boqun Feng, Gary Guo, rust-for-linux@vger.kernel.org, linux-kernel@vger.kernel.org, patches@lists.linux.dev, Domen Puncer Kugler
Subject: Re: [PATCH] rust: print: avoid evaluating arguments in `pr_*` macros in `unsafe` blocks
In-Reply-To: <20230109204912.539790-1-ojeda@kernel.org>

On Monday, January 9th, 2023 at 21:49, Miguel Ojeda wrote:

> At the moment it is possible to perform unsafe operations in
> the arguments of `pr_*` macros since they are evaluated inside
> an `unsafe` block:
>
>     let x = &10u32 as *const u32;
>     pr_info!("{}", *x);
>
> In other words, this is a soundness issue.
>
> Fix it so that it requires an explicit `unsafe` block.
>
> Reported-by: Wedson Almeida Filho
> Reported-by: Domen Puncer Kugler
> Link: https://github.com/Rust-for-Linux/linux/issues/479
> Signed-off-by: Miguel Ojeda

Reviewed-by: Björn Roy Baron

> ---
> rust/kernel/print.rs | 29 ++++++++++++++++++-----------
> 1 file changed, 18 insertions(+), 11 deletions(-)
>
> diff --git a/rust/kernel/print.rs b/rust/kernel/print.rs
> index 29bf9c2e8aee..30103325696d 100644
> --- a/rust/kernel/print.rs
> +++ b/rust/kernel/print.rs
> @@ -142,17 +142,24 @@ pub fn call_printk_cont(args: fmt::Arguments<'_>) { > macro_rules! print_macro ( > // The non-continuation cases (most of them, e.g. `INFO`). > ($format_string:path, false, $($arg:tt)+) =3D> ( > - // SAFETY: This hidden macro should only be called by the docume= nted > - // printing macros which ensure the format string is one of the = fixed > - // ones. All `__LOG_PREFIX`s are null-terminated as they are gen= erated > - // by the `module!` proc macro or fixed values defined in a kern= el > - // crate. > - unsafe { > - $crate::print::call_printk( > - &$format_string, > - crate::__LOG_PREFIX, > - format_args!($($arg)+), > - ); > + // To remain sound, `arg`s must be expanded outside the `unsafe`= block. > + // Typically one would use a `let` binding for that; however, `f= ormat_args!` > + // takes borrows on the arguments, but does not extend the scope= of temporaries. > + // Therefore, a `match` expression is used to keep them around, = since > + // the scrutinee is kept until the end of the `match`. > + match format_args!($($arg)+) { > + // SAFETY: This hidden macro should only be called by the do= cumented > + // printing macros which ensure the format string is one of = the fixed > + // ones. All `__LOG_PREFIX`s are null-terminated as they are= generated > + // by the `module!` proc macro or fixed values defined in a = kernel > + // crate. > + args =3D> unsafe { > + $crate::print::call_printk( > + &$format_string, > + crate::__LOG_PREFIX, > + args, > + ); > + } > } > ); > > > base-commit: b7bfaa761d760e72a969d116517eaa12e404c262 > -- > 2.39.0
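Review bot: the fix is applied only to the `false` (non-continuation) arm of `print_macro!`, and the diffstat shows this is the only hunk, so the continuation arm is left as it was. The hunk header shows `call_printk_cont` declared as a plain `pub fn`, so that arm may not wrap its arguments in `unsafe` at all, but the commit message should say so explicitly; if it does use an `unsafe` block, it needs the same `match format_args!($($arg)+) { args => ... }` shape. It would also help to carry the reproducer from the commit message (`pr_info!("{}", *x);`) as a case that is expected to fail to compile, so the property cannot silently regress.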
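The soundness issue described in the commit message, reduced to a user-space sketch. This is an added example, not code from the patch or the kernel tree; `sink`, `log_unsound!` and `log_sound!` are hypothetical stand-ins for `call_printk` and the two shapes of `print_macro!`.

```rust
use std::fmt;

// Hypothetical stand-in for the kernel's `call_printk`; it is `unsafe` only so
// that the macros below need an `unsafe` block to call it.
unsafe fn sink(args: fmt::Arguments<'_>) -> String {
    fmt::format(args)
}

// "Before" shape: caller tokens are expanded inside the macro's `unsafe` block.
macro_rules! log_unsound {
    ($($arg:tt)+) => (
        unsafe { sink(format_args!($($arg)+)) }
    );
}

// "After" shape: arguments are expanded in the `match` scrutinee, outside
// `unsafe`, and the scrutinee's temporaries live until the `match` ends.
macro_rules! log_sound {
    ($($arg:tt)+) => (
        match format_args!($($arg)+) {
            // SAFETY: `sink` has no real preconditions in this sketch.
            args => unsafe { sink(args) },
        }
    );
}

fn before_fix() -> String {
    let value = 10u32;
    let x = &value as *const u32;
    // Compiles with no `unsafe` at the call site: the raw-pointer dereference
    // silently borrows the macro's own `unsafe` block.
    log_unsound!("{}", *x)
}

fn after_fix() -> String {
    let value = 10u32;
    let x = &value as *const u32;
    // `log_sound!("{}", *x)` is rejected (E0133); the caller must opt in.
    // SAFETY: `x` points at `value`, which is live and initialized.
    log_sound!("{}", unsafe { *x })
}

fn temporaries_survive() -> String {
    // The temporary `String` is kept alive for the whole `match`.
    log_sound!("{}-{}", String::from("tmp"), 1 + 2)
}

fn main() {
    println!("{} {} {}", before_fix(), after_fix(), temporaries_survive());
}
```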