Date: Mon, 16 Jan 2023 17:35:02 +0100
From: Petr Mladek
To: Sergey Senozhatsky
Cc: coverity-bot, John Ogness, Steven Rostedt, linux-kernel@vger.kernel.org, "Gustavo A. R. Silva", linux-next@vger.kernel.org, linux-hardening@vger.kernel.org
Subject: Re: Coverity: console_prepend_dropped(): Memory - corruptions
References: <202301131544.D9E804CCD@keescook>
X-Mailing-List: linux-kernel@vger.kernel.org

On Sat 2023-01-14 19:14:29, Sergey Senozhatsky wrote:
> On (23/01/13 15:46), coverity-bot wrote:
> > *** CID 1530570: Memory - corruptions (OVERRUN)
> > kernel/printk/printk.c:2738 in console_prepend_dropped()
> > 2732 		/* Truncate the message, but keep it terminated. */
> > 2733 		pmsg->outbuf_len = outbuf_sz - (len + 1);
> > 2734 		outbuf[pmsg->outbuf_len] = 0;
> > 2735 	}
> > 2736
> > 2737 	memmove(outbuf + len, outbuf, pmsg->outbuf_len + 1);
> > vvv CID 1530570: Memory - corruptions (OVERRUN)
> > vvv Overrunning buffer pointed to by "scratchbuf" of 1024 bytes by passing it to a function which accesses it at byte offset 1998 using argument "len" (which evaluates to 1999). [Note: The source code implementation of the function has been overridden by a builtin model.]
> > 2738 	memcpy(outbuf, scratchbuf, len);
> > 2739 	pmsg->outbuf_len += len;
> > 2740 }
> > 2741 #else
> > 2742 #define console_prepend_dropped(pmsg, dropped)
> > 2743 #endif /* CONFIG_PRINTK */
> [..]
> > Human notes from Kees:
> >
> > I'm not sure how it got 1998, but I do see that snprintf() should
> > probably be scnprintf(), otherwise "len" might be a lie (i.e. it'll hold
> > what it WANTED to write, rather than what it actually wrote).
>
> Cannot imagine how "** %lu printk messages dropped **\n" can expand into
> 1998 bytes. Does coverity have a "verbose" mode?

I guess that coverity tries to pass some random string that is longer
than the provided buffer. The code might be safe with the current size
of the buffer and the string.

But it is true that the following is wrong:

	len = snprintf(scratchbuf, scratchbuf_sz,
		       "** %lu printk messages dropped **\n", dropped);

As Kees pointed out in the human comment, we should use scnprintf()
that will return the really written length of the string that fits
into the buffer.

I am going to send a patch.

Best Regards,
Petr
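The snprintf()/scnprintf() distinction the thread turns on, shown as an added userspace example (not code from the thread, the kernel or a patch): snprintf() returns the length the formatted string would have had, so on truncation the return value can exceed the scratch buffer and a later memcpy() of "len" bytes reads past it; a formatter with scnprintf()'s contract returns only what was written. The kernel's scnprintf() is not available in userspace, so scnprintf_like() below is a stand-in with the same return semantics; the buffer sizes and the "refuse if the banner alone does not fit" check in prepend_banner() are constructed for the example, not taken from printk.c.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for the kernel's scnprintf(): formats like snprintf() but returns
 * the number of bytes actually stored in buf (terminator excluded), never a
 * value >= size. Added for this example; not the kernel's implementation. */
static int scnprintf_like(char *buf, size_t size, const char *fmt, ...)
{
	va_list args;
	int i;

	if (size == 0)
		return 0;
	va_start(args, fmt);
	i = vsnprintf(buf, size, fmt, args);
	va_end(args);
	if (i < 0)
		return 0;
	if ((size_t)i < size)
		return i;
	return (int)size - 1;	/* truncated: report what fits */
}

/* Banner length as the fixed code should compute it: bounded by scratch_sz. */
int dropped_banner_len(char *scratch, size_t scratch_sz, unsigned long dropped)
{
	return scnprintf_like(scratch, scratch_sz,
			      "** %lu printk messages dropped **\n", dropped);
}

/* Banner length as plain snprintf() reports it: the would-be length, which
 * can be larger than scratch_sz and therefore unsafe to pass to memcpy(). */
int dropped_banner_len_snprintf(char *scratch, size_t scratch_sz,
				unsigned long dropped)
{
	return snprintf(scratch, scratch_sz,
			"** %lu printk messages dropped **\n", dropped);
}

/* Prepend a banner of len bytes to the message in outbuf (text length
 * *outbuf_len, outbuf_sz bytes of storage), following the structure of the
 * quoted console_prepend_dropped(): truncate the message if needed, shift it
 * right, copy the banner in front. Returns 0 on success, -1 if even the
 * banner alone cannot fit (a defensive check added for the example). */
int prepend_banner(char *outbuf, size_t outbuf_sz, size_t *outbuf_len,
		   const char *scratch, size_t len)
{
	if (len + 1 > outbuf_sz)
		return -1;
	if (*outbuf_len + len + 1 > outbuf_sz) {
		/* Truncate the message, but keep it terminated. */
		*outbuf_len = outbuf_sz - (len + 1);
		outbuf[*outbuf_len] = 0;
	}
	memmove(outbuf + len, outbuf, *outbuf_len + 1);
	memcpy(outbuf, scratch, len);
	*outbuf_len += len;
	return 0;
}

/* Format the banner for `dropped` into a constructed 16-byte scratch buffer
 * (deliberately too small) and return the length the chosen formatter reports. */
int demo_len(int use_scn, unsigned long dropped)
{
	char scratch[16];

	return use_scn ? dropped_banner_len(scratch, sizeof scratch, dropped)
		       : dropped_banner_len_snprintf(scratch, sizeof scratch, dropped);
}

/* Prepend the dropped=5 banner to a constructed message, treating outbuf as
 * outbuf_sz bytes (<= 64). Returns the resulting text length, 0 if refused. */
size_t demo_prepend(const char *msg, size_t outbuf_sz)
{
	char outbuf[64];
	char scratch[64];
	size_t outbuf_len = strlen(msg);
	int len;

	if (outbuf_sz > sizeof outbuf || outbuf_len + 1 > outbuf_sz)
		return 0;
	memcpy(outbuf, msg, outbuf_len + 1);
	len = dropped_banner_len(scratch, sizeof scratch, 5);
	if (prepend_banner(outbuf, outbuf_sz, &outbuf_len, scratch, (size_t)len) < 0)
		return 0;
	return outbuf_len;
}

int main(void)
{
	printf("snprintf reports %d, scnprintf-like reports %d for a 16-byte scratch\n",
	       demo_len(0, 5), demo_len(1, 5));
	printf("prepend into 64 bytes -> %zu, into 40 bytes -> %zu (message truncated)\n",
	       demo_prepend("hello\n", 64), demo_prepend("0123456789abcdef", 40));
	return 0;
}
```

With dropped=5 the banner is 32 characters, so snprintf() into a 16-byte scratch buffer reports 32 while the scnprintf-style helper reports 15; passing the former to memcpy() is exactly the over-read Coverity flagged, and the latter can never exceed the scratch buffer.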