From: "Ahmed S. Darwish" <darwish.07@gmail.com>
To: Alexey Dobriyan <adobriyan@gmail.com>
Cc: akpm@linux-foundation.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH 11/13] proc: readdir /proc/*/task
Date: Tue, 28 Aug 2018 13:04:40 +0000 [thread overview]
Message-ID: <20180828130440.GA6464@darwi-kernel> (raw)
In-Reply-To: <20180828123622.GA2087@darwi-kernel>
On Tue, Aug 28, 2018 at 12:36:22PM +0000, Ahmed S. Darwish wrote:
> On Tue, Aug 28, 2018 at 02:15:01AM +0300, Alexey Dobriyan wrote:
> > ---
> > fs/proc/base.c | 8 ++++----
> > 1 file changed, 4 insertions(+), 4 deletions(-)
> >
>
> Missing description and S-o-b. Further comments below..
>
> > diff --git a/fs/proc/base.c b/fs/proc/base.c
> > index 33f444721965..668e465c86b3 100644
> > --- a/fs/proc/base.c
> > +++ b/fs/proc/base.c
> > @@ -3549,11 +3549,11 @@ static int proc_task_readdir(struct file *file, struct dir_context *ctx)
> > for (task = first_tid(proc_pid(inode), tid, ctx->pos - 2, ns);
> > task;
> > task = next_tid(task), ctx->pos++) {
> > - char name[10 + 1];
> > - unsigned int len;
> > + char name[10], *p = name + sizeof(name);
> > +
>
> Multiple issues:
>
> - len should be 11, as was in the original code
> (0xffffffff = 4294967295, 10 letters)
>
> - while we're at it, let's use a constant for the '11' instead of
> mysterious magic numbers
>
> - 'p' is clearly overflowing the stack here
>
See below:
> > tid = task_pid_nr_ns(task, ns);
> > - len = snprintf(name, sizeof(name), "%u", tid);
> > - if (!proc_fill_cache(file, ctx, name, len,
> > + p = _print_integer_u32(p, tid);
> > + if (!proc_fill_cache(file, ctx, p, name + sizeof(name) - p,
>
> You're replacing snprintf() code __that did proper len checking__
> with code that does not. That's not good.
>
> I can't see how the fourth proc_fill_cache() parameter, ``name +
> sizeof(name)'' safely ever replace the original 'len' parameter.
> It's a pointer value .. (!)
>
Ok, there's a "- p" in the end, so the length looks to be Ok.
Nonetheless, the whole patch series is introducing funny code
like:
+/*
+ * Print an integer in decimal.
+ * "p" initially points PAST THE END OF THE BUFFER!
+ *
+ * DO NOT USE THESE FUNCTIONS!
+ *
+ * Do not copy these functions.
+ * Do not document these functions.
+ * Do not move these functions to lib/ or elsewhere.
+ * Do not export these functions to modules.
+ * Do not tell anyone about these functions.
+ */
+noinline
+char *_print_integer_u32(char *p, u32 x)
+{
+ do {
+ *--p = '0' + (x % 10);
+ x /= 10;
+ } while (x != 0);
+ return p;
+}
And thus the code using these functions is throwing invalid
past-the-stack pointers and strings with no NULL terminators
like there's no tomorrow...
IMHO It's an accident waiting to happen to sprinkle pointers
like that everywhere. Are we really in a super hot path to
justify all that?
/me confused
--
Darwish
http://darwish.chasingpointers.com
next prev parent reply other threads:[~2018-08-28 13:04 UTC|newest]
Thread overview: 24+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-08-27 23:14 [PATCH 01/13] seq_file: rewrite seq_puts() in terms of seq_write() Alexey Dobriyan
2018-08-27 23:14 ` [PATCH 02/13] proc: apply seq_puts() whenever possible Alexey Dobriyan
2018-08-27 23:14 ` [PATCH 03/13] proc: rename "p" variable in proc_readfd_common() Alexey Dobriyan
2018-08-27 23:14 ` [PATCH 04/13] proc: rename "p" variable in proc_map_files_readdir() Alexey Dobriyan
2018-08-27 23:14 ` [PATCH 05/13] proc: new and improved way to print decimals Alexey Dobriyan
2018-08-27 23:14 ` [PATCH 06/13] proc: convert /proc/self to _print_integer() Alexey Dobriyan
2018-08-29 9:50 ` David Laight
2018-08-30 13:13 ` Alexey Dobriyan
2018-08-27 23:14 ` [PATCH 07/13] proc: convert /proc/thread-self " Alexey Dobriyan
2018-08-27 23:14 ` [PATCH 08/13] proc: convert /proc/*/fd " Alexey Dobriyan
2018-08-27 23:14 ` [PATCH 09/13] proc: convert dentry flushing on exit " Alexey Dobriyan
2018-08-27 23:15 ` [PATCH 10/13] proc: convert readdir /proc " Alexey Dobriyan
2018-08-27 23:15 ` [PATCH 11/13] proc: readdir /proc/*/task Alexey Dobriyan
2018-08-28 12:36 ` Ahmed S. Darwish
2018-08-28 13:04 ` Ahmed S. Darwish [this message]
2018-08-28 19:35 ` Alexey Dobriyan
2018-08-29 23:43 ` Andrew Morton
2018-08-30 13:20 ` Alexey Dobriyan
2018-08-28 19:31 ` Alexey Dobriyan
2018-08-27 23:15 ` [PATCH 12/13] proc: convert /proc/*/statm to _print_integer() Alexey Dobriyan
2018-08-27 23:15 ` [PATCH 13/13] proc: convert /proc/*/task/*/children " Alexey Dobriyan
2018-08-28 18:24 ` [PATCH 01/13] seq_file: rewrite seq_puts() in terms of seq_write() Joe Perches
2018-08-28 20:48 ` Joe Perches
2018-09-03 14:17 ` Alexey Dobriyan
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20180828130440.GA6464@darwi-kernel \
--to=darwish.07@gmail.com \
--cc=adobriyan@gmail.com \
--cc=akpm@linux-foundation.org \
--cc=linux-kernel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.