Re: [PATCH v1 3/4] tracing/remotes: Add REMOTE_EVENT_CUSTOM_PRINTK() helper

All of lore.kernel.org
 help / color / mirror / Atom feed

From: sashiko-bot@kernel.org
To: "Vincent Donnefort" <vdonnefort@google.com>
Cc: "Oliver Upton" <oupton@kernel.org>,
	"Marc Zyngier" <maz@kernel.org>,
	kvmarm@lists.linux.dev
Subject: Re: [PATCH v1 3/4] tracing/remotes: Add REMOTE_EVENT_CUSTOM_PRINTK() helper
Date: Fri, 12 Jun 2026 14:40:41 +0000	[thread overview]
Message-ID: <20260612144041.C5BAB1F000E9@smtp.kernel.org> (raw)
In-Reply-To: <20260612142245.1015744-4-vdonnefort@google.com>

Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
- [High] Missing payload length validation and broken event pointer arithmetic causing Out-of-Bounds reads.
--

commit 08a76348182599b6627f69fa9a3f00bf4080d17a
Author: Vincent Donnefort <vdonnefort@google.com>

tracing/remotes: Add REMOTE_EVENT_CUSTOM_PRINTK() helper

This commit introduces a REMOTE_EVENT_CUSTOM_PRINTK() macro where the
__printk argument can be a function. This intends to support the creation
of a dynamic "printk" event for the arm64 nVHE/pKVM hypervisor.

> diff --git a/include/trace/define_remote_events.h b/include/trace/define_remote_events.h
> index 676e803dc144d..4f4d58e37b84b 100644
> --- a/include/trace/define_remote_events.h
> +++ b/include/trace/define_remote_events.h
[ ... ]
> +#define REMOTE_EVENT_PRINT_FUNC(__name, __printk)					\
>  	static void remote_event_print_##__name(void *evt, struct trace_seq *seq)	\
>  	{										\
>  		struct remote_event_format_##__name __maybe_unused *__entry = evt;	\

[Severity: High]
Does this direct cast of the evt payload pointer lack length validation?

It appears there is no check to ensure the event length from the ring
buffer is large enough to hold the format structure before casting.

Additionally, in the final state of the series, is there an issue
calculating the number of arguments in __hyp_trace_printk()?

arch/arm64/kvm/hyp_trace.c:__hyp_trace_printk() {
    struct ring_buffer_event *evt = (void *)entry - RB_EVNT_HDR_SIZE;
    ...
    nr_args = (ring_buffer_event_length(evt) - offsetof(struct remote_event_format_hyp_printk, args)) / sizeof(entry->args[0]);
}

Because the hypervisor uses simple_ring_buffer, it writes events with
type_len = 0 (indicating the length is stored in array[0]). Consequently,
ring_buffer_event_data() skips the 4-byte length field, meaning the entry
payload pointer actually points to &rb_event->array[1].

Subtracting RB_EVNT_HDR_SIZE (4 bytes) yields a pointer to
&rb_event->array[0], not the actual event header. 

When ring_buffer_event_length(evt) is called on this misaligned pointer,
could it interpret the original length or the payload's fmt_id field
as the type_len header?

This would lead to highly incorrect length calculations (e.g., treating
an event size of 20 as 64 bytes), guaranteeing that __hyp_trace_printk
will either silently drop arguments or read arguments out-of-bounds. 

If the event is near the end of a mapped page, could reading past
these boundaries trigger a host kernel panic?

>  		trace_seq_puts(seq, #__name);						\
> -		remote_printk(__printk);						\
> +		__printk;								\
>  	}

-- 
Sashiko AI review · https://sashiko.dev/#/patchset/20260612142245.1015744-1-vdonnefort@google.com?part=3

next prev parent reply	other threads:[~2026-06-12 14:40 UTC|newest]

Thread overview: 17+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-06-12 14:22 [PATCH v1 0/4] trace_hyp_printk() for pKVM/nVHE hypervisor Vincent Donnefort
2026-06-12 14:22 ` [PATCH v1 1/4] KVM: arm64: Allow early calls to pKVM host_share/unshare_hyp Vincent Donnefort
2026-06-12 14:43   ` sashiko-bot
2026-06-14 13:39   ` Fuad Tabba
2026-06-12 14:22 ` [PATCH v1 2/4] KVM: arm64: Move kvm_define_hypevents.h to arch/arm64/kvm/ Vincent Donnefort
2026-06-14 13:41   ` Fuad Tabba
2026-06-12 14:22 ` [PATCH v1 3/4] tracing/remotes: Add REMOTE_EVENT_CUSTOM_PRINTK() helper Vincent Donnefort
2026-06-12 14:40   ` sashiko-bot [this message]
2026-06-14 14:46   ` Fuad Tabba
2026-06-12 14:22 ` [PATCH v1 4/4] KVM: arm64: Add hyp_printk event to nVHE/pKVM hyp Vincent Donnefort
2026-06-12 14:33   ` sashiko-bot
2026-06-14 15:25   ` Fuad Tabba
2026-06-15  8:29     ` Vincent Donnefort
2026-06-14 12:57 ` [PATCH v1 0/4] trace_hyp_printk() for pKVM/nVHE hypervisor Fuad Tabba
2026-06-15  8:27   ` Vincent Donnefort
2026-06-15  8:30     ` Fuad Tabba
2026-06-15  8:57       ` Fuad Tabba

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20260612144041.C5BAB1F000E9@smtp.kernel.org \
    --to=sashiko-bot@kernel.org \
    --cc=kvmarm@lists.linux.dev \
    --cc=maz@kernel.org \
    --cc=oupton@kernel.org \
    --cc=sashiko-reviews@lists.linux.dev \
    --cc=vdonnefort@google.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.