From: Dave Hansen <dave@sr71.net>
To: Ingo Molnar <mingo@kernel.org>
Cc: linux-kernel@vger.kernel.org, dave.hansen@linux.intel.com,
peterz@infradead.org, mingo@redhat.com, ak@linux.intel.com,
tim.c.chen@linux.intel.com, akpm@linux-foundation.org,
cl@linux.com, penberg@kernel.org, linux-mm@kvack.org,
kirill@shutemov.name, lauraa@codeaurora.org,
Linus Torvalds <torvalds@linux-foundation.org>,
Peter Zijlstra <a.p.zijlstra@chello.nl>,
Thomas Gleixner <tglx@linutronix.de>
Subject: Re: [PATCH] [v3] warn on performance-impacting configs aka. TAINT_PERFORMANCE
Date: Sun, 24 Aug 2014 13:40:58 -0700 [thread overview]
Message-ID: <53FA4DDA.8020106@sr71.net> (raw)
In-Reply-To: <20140824144946.GC9455@gmail.com>
On 08/24/2014 07:49 AM, Ingo Molnar wrote:
>>>> > >> + buf_left = buf_len;
>>>> > >> + for (i = 0; i < ARRAY_SIZE(perfomance_killing_configs); i++) {
>>>> > >> + buf_written += snprintf(buf + buf_written, buf_left,
>>>> > >> + "%s%s\n", config_prefix,
>>>> > >> + perfomance_killing_configs[i]);
>>>> > >> + buf_left = buf_len - buf_written;
...
>>> > > Also, do you want to check buf_left and break out early from
>>> > > the loop if it goes non-positive?
>> >
>> > You're slowly inflating my patch for no practical gain. :)
> AFAICS it's a potential memory corruption and security bug,
> should the array ever grow large enough to overflow the passed
> in buffer size.
Let's say there is 1 "buf_left" and I attempt a 100-byte snprintf().
Won't snprintf() return 1, and buf_written will then equal buf_len?
buf_left=0 at that point, and will get passed in to the next snprintf()
as the buffer length. I'm expecting snprintf() to just return 0 when it
gets a 0 for its 'size'.
Exhausting the buffer will, at worst, mean a bunch of useless calls to
snprintf() that do nothing, but I don't think it will run over the end
of the buffer.
Or am I missing something?
--
To unsubscribe, send a message with 'unsubscribe linux-mm' in
the body to majordomo@kvack.org. For more info on Linux MM,
see: http://www.linux-mm.org/ .
Don't email: <a href=mailto:"dont@kvack.org"> email@kvack.org </a>
WARNING: multiple messages have this Message-ID (diff)
From: Dave Hansen <dave@sr71.net>
To: Ingo Molnar <mingo@kernel.org>
Cc: linux-kernel@vger.kernel.org, dave.hansen@linux.intel.com,
peterz@infradead.org, mingo@redhat.com, ak@linux.intel.com,
tim.c.chen@linux.intel.com, akpm@linux-foundation.org,
cl@linux.com, penberg@kernel.org, linux-mm@kvack.org,
kirill@shutemov.name, lauraa@codeaurora.org,
Linus Torvalds <torvalds@linux-foundation.org>,
Peter Zijlstra <a.p.zijlstra@chello.nl>,
Thomas Gleixner <tglx@linutronix.de>
Subject: Re: [PATCH] [v3] warn on performance-impacting configs aka. TAINT_PERFORMANCE
Date: Sun, 24 Aug 2014 13:40:58 -0700 [thread overview]
Message-ID: <53FA4DDA.8020106@sr71.net> (raw)
In-Reply-To: <20140824144946.GC9455@gmail.com>
On 08/24/2014 07:49 AM, Ingo Molnar wrote:
>>>> > >> + buf_left = buf_len;
>>>> > >> + for (i = 0; i < ARRAY_SIZE(perfomance_killing_configs); i++) {
>>>> > >> + buf_written += snprintf(buf + buf_written, buf_left,
>>>> > >> + "%s%s\n", config_prefix,
>>>> > >> + perfomance_killing_configs[i]);
>>>> > >> + buf_left = buf_len - buf_written;
...
>>> > > Also, do you want to check buf_left and break out early from
>>> > > the loop if it goes non-positive?
>> >
>> > You're slowly inflating my patch for no practical gain. :)
> AFAICS it's a potential memory corruption and security bug,
> should the array ever grow large enough to overflow the passed
> in buffer size.
Let's say there is 1 "buf_left" and I attempt a 100-byte snprintf().
Won't snprintf() return 1, and buf_written will then equal buf_len?
buf_left=0 at that point, and will get passed in to the next snprintf()
as the buffer length. I'm expecting snprintf() to just return 0 when it
gets a 0 for its 'size'.
Exhausting the buffer will, at worst, mean a bunch of useless calls to
snprintf() that do nothing, but I don't think it will run over the end
of the buffer.
Or am I missing something?
next prev parent reply other threads:[~2014-08-24 20:41 UTC|newest]
Thread overview: 20+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-08-21 20:24 [PATCH] [v3] warn on performance-impacting configs aka. TAINT_PERFORMANCE Dave Hansen
2014-08-21 20:24 ` Dave Hansen
2014-08-21 20:57 ` Dave Jones
2014-08-21 20:57 ` Dave Jones
2014-08-21 21:03 ` Dave Hansen
2014-08-21 21:03 ` Dave Hansen
2014-08-22 7:20 ` Ingo Molnar
2014-08-22 7:20 ` Ingo Molnar
2014-08-22 15:02 ` Dave Hansen
2014-08-22 15:02 ` Dave Hansen
2014-08-24 14:49 ` Ingo Molnar
2014-08-24 14:49 ` Ingo Molnar
2014-08-24 20:40 ` Dave Hansen [this message]
2014-08-24 20:40 ` Dave Hansen
2014-08-24 22:13 ` Linus Torvalds
2014-08-22 16:32 ` Tim Chen
2014-08-22 16:45 ` Dave Hansen
2014-08-22 16:45 ` Dave Hansen
2014-08-22 18:12 ` Tim Chen
2014-08-22 18:12 ` Tim Chen
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=53FA4DDA.8020106@sr71.net \
--to=dave@sr71.net \
--cc=a.p.zijlstra@chello.nl \
--cc=ak@linux.intel.com \
--cc=akpm@linux-foundation.org \
--cc=cl@linux.com \
--cc=dave.hansen@linux.intel.com \
--cc=kirill@shutemov.name \
--cc=lauraa@codeaurora.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=mingo@kernel.org \
--cc=mingo@redhat.com \
--cc=penberg@kernel.org \
--cc=peterz@infradead.org \
--cc=tglx@linutronix.de \
--cc=tim.c.chen@linux.intel.com \
--cc=torvalds@linux-foundation.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.