Received: by 2002:a05:7412:6592:b0:d7:7d3a:4fe2 with SMTP id m18csp2578901rdg; Mon, 14 Aug 2023 07:05:53 -0700 (PDT) X-Google-Smtp-Source: AGHT+IEIHHo5kYPM5BI3ZsVKymK1J/tVgtEpwKdrIvElOcPJSKsUfM8KmFZvMA8mA+EgThoYKjan X-Received: by 2002:a17:906:3013:b0:991:d05c:f065 with SMTP id 19-20020a170906301300b00991d05cf065mr8765160ejz.52.1692021953446; Mon, 14 Aug 2023 07:05:53 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1692021953; cv=none; d=google.com; s=arc-20160816; b=EBC31sYydSCWNTzm9jQbj3WOAi/T6djo5JXOpl8Y0yb4/yycG49/t126eFQN1eoT/e /MkVzMKdi6lvgbhepMFpbDYbJtMd9C37mOQJfMa5c+ztNoicPsjOu2Bc/OABhaeTakpO dnl5bBOHy0KBfKy93Tticgw7WhXBy1K7AAE3eKamQ+brbXs0jSpxehamYZ6Rv+p49Bmn xh1VpgB4nV5Vv/4Bkai4YaQusRTrnKgqO69ks491VmX13XF9kVORgMHScMd6QHx0xYD8 Wok41LfY3+Rk7fff6vqoEvT5dDWXt07oqXqNnRVjTuzd7Q7pxhAcS5i3Nh+1tuf1+VA1 ZBEQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:content-language :mime-version:accept-language:in-reply-to:references:message-id:date :thread-index:thread-topic:subject:cc:to:from; bh=zTggAkgmf8kDXsVJyphX4I/PgpHXfDS8pqfT7MfSl1I=; fh=Y5VnlHvkw4v3qEXYMWDBo4yjjhB7zgcr35qHOcckRkw=; b=wtNeQjSNed5ELwahSbo6WLs8b9TNxZulhbPOMMl+qTAF6gMXLQPybPLtwymg6C7YHs aBgPlNIL77uz2DtSOd18Vl+aKDGULIWW32K9+LL2V5LQ1I1VFw0xrVXLcQPPUCAcL7RI 1I9XJW1IfQyzFQgF9uN+b4GKMd+frB+gyziolUl0iL0LpTDHtepAK0vLuW2R6swBa6xV jGWwkzpZsjd6oPNDltjwROL5MC2dj4WOv5LnYFSRpUuOYxukmHepzx6QU8s3rAXGHYIv XIUobw4j0I391Ams2tP1AYqgmDuL+Jw6J5jQSelMNJqLAAdVpTh/cxfjjslP4ssjJHiv Lipw== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=aculab.com Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id z2-20020a170906944200b009888665e53fsi7910977ejx.190.2023.08.14.07.05.29; Mon, 14 Aug 2023 07:05:53 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=aculab.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S231481AbjHNNdo convert rfc822-to-8bit (ORCPT + 99 others); Mon, 14 Aug 2023 09:33:44 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:47430 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S231582AbjHNNdZ (ORCPT ); Mon, 14 Aug 2023 09:33:25 -0400 Received: from eu-smtp-delivery-151.mimecast.com (eu-smtp-delivery-151.mimecast.com [185.58.86.151]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 0110C10CE for ; Mon, 14 Aug 2023 06:33:23 -0700 (PDT) Received: from AcuMS.aculab.com (156.67.243.121 [156.67.243.121]) by relay.mimecast.com with ESMTP with both STARTTLS and AUTH (version=TLSv1.2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384) id uk-mta-253-nY0m2V98Pem1hrz_0Np7AQ-1; Mon, 14 Aug 2023 14:33:21 +0100 X-MC-Unique: nY0m2V98Pem1hrz_0Np7AQ-1 Received: from AcuMS.Aculab.com (10.202.163.4) by AcuMS.aculab.com (10.202.163.4) with Microsoft SMTP Server (TLS) id 15.0.1497.48; Mon, 14 Aug 2023 14:33:09 +0100 Received: from AcuMS.Aculab.com ([::1]) by AcuMS.aculab.com ([::1]) with mapi id 15.00.1497.048; Mon, 14 Aug 2023 14:33:09 +0100 From: David Laight To: 'Petr Mladek' CC: 'Kees Cook' , Sergey Senozhatsky , Steven Rostedt , John Ogness , Vijay Balakrishna , "stable@vger.kernel.org" , Tony Luck , "Guilherme G. Piccoli" , "Paul E. McKenney" , "linux-kernel@vger.kernel.org" , "linux-hardening@vger.kernel.org" Subject: RE: [PATCH] printk: ringbuffer: Fix truncating buffer size min_t cast Thread-Topic: [PATCH] printk: ringbuffer: Fix truncating buffer size min_t cast Thread-Index: AQHZzBcPYpG1g1kNlkm6DrLi5BIXA6/pnsfQgAAVrACAABVCEA== Date: Mon, 14 Aug 2023 13:33:09 +0000 Message-ID: References: <20230811054528.never.165-kees@kernel.org> <42a1e2099fe141c3a57e808cbf06d8a0@AcuMS.aculab.com> In-Reply-To: Accept-Language: en-GB, en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: x-ms-exchange-transport-fromentityheader: Hosted x-originating-ip: [10.202.205.107] MIME-Version: 1.0 X-Mimecast-Spam-Score: 0 X-Mimecast-Originator: aculab.com Content-Language: en-US Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8BIT X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00,PDS_BAD_THREAD_QP_64, RCVD_IN_DNSWL_NONE,RCVD_IN_MSPIKE_H5,RCVD_IN_MSPIKE_WL,SPF_HELO_NONE, SPF_PASS autolearn=unavailable autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Petr Mladek > Sent: 14 August 2023 13:56 > > On Mon 2023-08-14 10:42:26, David Laight wrote: > > From: Kees Cook > > > Sent: 11 August 2023 06:46 > > > > > > If an output buffer size exceeded U16_MAX, the min_t(u16, ...) cast in > > > copy_data() was causing writes to truncate. This manifested as output > > > bytes being skipped, seen as %NUL bytes in pstore dumps when the available > > > record size was larger than 65536. Fix the cast to no longer truncate > > > the calculation. > > > > > ... > > > diff --git a/kernel/printk/printk_ringbuffer.c b/kernel/printk/printk_ringbuffer.c > > > index 2dc4d5a1f1ff..fde338606ce8 100644 > > > --- a/kernel/printk/printk_ringbuffer.c > > > +++ b/kernel/printk/printk_ringbuffer.c > > > @@ -1735,7 +1735,7 @@ static bool copy_data(struct prb_data_ring *data_ring, > > > if (!buf || !buf_size) > > > return true; > > > > > > - data_size = min_t(u16, buf_size, len); > > > + data_size = min_t(unsigned int, buf_size, len); > > > > I'd noticed that during one of my test compiles while looking > > at making min() less fussy. > > > > A better fix would be: > > data_size = min(buf_size + 0u, len); > > This looks like a magic to me. The types are: Not quite the right magic though, needs to be 'len + 0u'. > > unsigned int data_size; > unsigned int buf_size; > u16 len > > I would naively expect that > > data_size = min(buf_size, len); > > would do the right job and expand @len to "unsigned int". > > I do not remember why "min_t" was used. Was it an optimization? > Did we miss the problem with casting "u32" down to "u16"? The underlying problem is that (presumably) in order to stop min(signed_a, unsigned_b) converting a negative value to a large unsigned one (very nasty) min() contains (effectively) sizeof(&a == &b) so barfs if the types differ at all. I'm sure the intent was that the types would be fixed - in this case chasing 'len' back all the way back and using 'unsigned int'. (That probably generates better code as well.) However everyone just uses min_t(type,a,b) if type is 32bit unsigned they are mostly ok because the kernel only really deals in 'small' unsigned values. But, as in the case here, it is easy to pick a type that is too small. Pretty much all the min_t() with u8/u16 are likely to be dubious. I found an 'unsigned long' case in a filesystem where one value was u64 - could be problematic for a large file on 32bit. (The u64 definitely contained a 'file size' value.) The patch set I proposed (see https://lore.kernel.org/lkml/01e3e09005e9434b8f558a893a47c053@AcuMS.aculab.com/) changes the basic test to (is_signed(a) == is_signed(b)) which will never generate the 'nasty' conversion of -1 to 0xffffffffull. Of course, it is never quite that simple :-) Linus seems willing to accept min(unsigned_var, 20) but not min(signed_var, 20u) - typically as min(signed_var, sizeof(type)). ... > PS: I have already pushed the patch because it looked reasonable and > got testing. I have to admit that I am probably in a pre-vacation > hurry mode. Don't worry it is now not any worse than the other 4500 min_t(). Much the same as the number of min(). David - Registered Address Lakeside, Bramley Road, Mount Farm, Milton Keynes, MK1 1PT, UK Registration No: 1397386 (Wales)