* [PATCH] arch: arm64: kernel: sprintf(), 'str' needs additional 1 byte for failure processing @ 2013-05-26 10:28 Chen Gang 2013-05-27 1:42 ` Chen Gang 2013-05-27 2:00 ` [PATCH v2] " Chen Gang 0 siblings, 2 replies; 5+ messages in thread From: Chen Gang @ 2013-05-26 10:28 UTC (permalink / raw) To: linux-arm-kernel When failure occurs at the last looping cycle (when 'i == 0'), it will print "bad PC value" instead of "(%08x) ", which needs additional 1 byte. If not add 1 byte, the str will not be NUL terminated, and the next printk() will cause issue. Signed-off-by: Chen Gang <gang.chen@asianux.com> --- arch/arm64/kernel/traps.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) diff --git a/arch/arm64/kernel/traps.c b/arch/arm64/kernel/traps.c index 61d7dd2..c2f68d2 100644 --- a/arch/arm64/kernel/traps.c +++ b/arch/arm64/kernel/traps.c @@ -100,7 +100,7 @@ static void dump_instr(const char *lvl, struct pt_regs *regs) { unsigned long addr = instruction_pointer(regs); mm_segment_t fs; - char str[sizeof("00000000 ") * 5 + 2 + 1], *p = str; + char str[sizeof("00000000 ") * 5 + 2 + 1 + 1], *p = str; int i; /* -- 1.7.7.6 ^ permalink raw reply related [flat|nested] 5+ messages in thread
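Review bot: the extra `+ 1` on the `str` declaration in dump_instr() is not backed by a byte count anywhere in this patch. `sizeof("00000000 ")` already includes the literal's terminating NUL, so the `* 5` term reserves 10 bytes per word before the existing `+ 2 + 1` is added. The sprintf() calls that fill `str` are outside the context shown, so the claim about the "bad PC value" path cannot be checked from the hunk. Please put the per-path byte count in the commit message, or bound the writes against sizeof(str) instead of growing the array by hand.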
* [PATCH] arch: arm64: kernel: sprintf(), 'str' needs additional 1 byte for failure processing 2013-05-26 10:28 [PATCH] arch: arm64: kernel: sprintf(), 'str' needs additional 1 byte for failure processing Chen Gang @ 2013-05-27 1:42 ` Chen Gang 2013-05-27 2:00 ` [PATCH v2] " Chen Gang 1 sibling, 0 replies; 5+ messages in thread From: Chen Gang @ 2013-05-27 1:42 UTC (permalink / raw) To: linux-arm-kernel On 05/26/2013 06:28 PM, Chen Gang wrote: > > When failure occurs at the last looping cycle (when 'i == 0'), it will > print "bad PC value" instead of "(%08x) ", which needs additional 1 > byte. > > If not add 1 byte, the str will not be NUL terminated, and the next > printk() will cause issue. > Oh, I type incorrect contents. It should be "If not add 1 byte, it will memory overflow" I will send patch v2. > Signed-off-by: Chen Gang <gang.chen@asianux.com> > --- > arch/arm64/kernel/traps.c | 2 +- > 1 files changed, 1 insertions(+), 1 deletions(-) > > diff --git a/arch/arm64/kernel/traps.c b/arch/arm64/kernel/traps.c > index 61d7dd2..c2f68d2 100644 > --- a/arch/arm64/kernel/traps.c > +++ b/arch/arm64/kernel/traps.c > @@ -100,7 +100,7 @@ static void dump_instr(const char *lvl, struct pt_regs *regs) > { > unsigned long addr = instruction_pointer(regs); > mm_segment_t fs; > - char str[sizeof("00000000 ") * 5 + 2 + 1], *p = str; > + char str[sizeof("00000000 ") * 5 + 2 + 1 + 1], *p = str; > int i; > > /* > -- Chen Gang Asianux Corporation ^ permalink raw reply [flat|nested] 5+ messages in thread
* [PATCH v2] arch: arm64: kernel: sprintf(), 'str' needs additional 1 byte for failure processing 2013-05-26 10:28 [PATCH] arch: arm64: kernel: sprintf(), 'str' needs additional 1 byte for failure processing Chen Gang 2013-05-27 1:42 ` Chen Gang @ 2013-05-27 2:00 ` Chen Gang 2013-05-28 10:42 ` Will Deacon 1 sibling, 1 reply; 5+ messages in thread From: Chen Gang @ 2013-05-27 2:00 UTC (permalink / raw) To: linux-arm-kernel When failure occurs at the last looping cycle (when 'i == 0'), it will print "bad PC value" instead of "(%08x) ", which needs additional 1 byte. If not add 1 byte, the 'str' may be memory overflow. Signed-off-by: Chen Gang <gang.chen@asianux.com> --- arch/arm64/kernel/traps.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) diff --git a/arch/arm64/kernel/traps.c b/arch/arm64/kernel/traps.c index 61d7dd2..c2f68d2 100644 --- a/arch/arm64/kernel/traps.c +++ b/arch/arm64/kernel/traps.c @@ -100,7 +100,7 @@ static void dump_instr(const char *lvl, struct pt_regs *regs) { unsigned long addr = instruction_pointer(regs); mm_segment_t fs; - char str[sizeof("00000000 ") * 5 + 2 + 1], *p = str; + char str[sizeof("00000000 ") * 5 + 2 + 1 + 1], *p = str; int i; /* -- 1.7.7.6 ^ permalink raw reply related [flat|nested] 5+ messages in thread
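Review bot: the size expression `sizeof("00000000 ") * 5 + 2 + 1 + 1` on the `str` declaration now has four terms and no comment saying what each one reserves. v2 changes only the rationale in the commit message (NUL termination became memory overflow) while the hunk is identical to v1. A short comment above the declaration that names each term (five words, two brackets, the failure string, the new byte) would let a reader verify the claim without recounting the format strings.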
* [PATCH v2] arch: arm64: kernel: sprintf(), 'str' needs additional 1 byte for failure processing 2013-05-27 2:00 ` [PATCH v2] " Chen Gang @ 2013-05-28 10:42 ` Will Deacon 2013-05-28 11:21 ` Chen Gang 0 siblings, 1 reply; 5+ messages in thread From: Will Deacon @ 2013-05-28 10:42 UTC (permalink / raw) To: linux-arm-kernel Hello, On Mon, May 27, 2013 at 03:00:12AM +0100, Chen Gang wrote: > > When failure occurs at the last looping cycle (when 'i == 0'), it will > print "bad PC value" instead of "(%08x) ", which needs additional 1 > byte. > > If not add 1 byte, the 'str' may be memory overflow. > > > Signed-off-by: Chen Gang <gang.chen@asianux.com> > --- > arch/arm64/kernel/traps.c | 2 +- > 1 files changed, 1 insertions(+), 1 deletions(-) > > diff --git a/arch/arm64/kernel/traps.c b/arch/arm64/kernel/traps.c > index 61d7dd2..c2f68d2 100644 > --- a/arch/arm64/kernel/traps.c > +++ b/arch/arm64/kernel/traps.c > @@ -100,7 +100,7 @@ static void dump_instr(const char *lvl, struct pt_regs *regs) > { > unsigned long addr = instruction_pointer(regs); > mm_segment_t fs; > - char str[sizeof("00000000 ") * 5 + 2 + 1], *p = str; > + char str[sizeof("00000000 ") * 5 + 2 + 1 + 1], *p = str; > int i; Whilst this code is difficult to follow, I don't think it's incorrect. The size of the str array is: sizeof("00000000 ") = 8 ('0's) + 1 (space) + 1 (NUL) = 10 bytes *5 = 50 bytes +2 (for the two brackets when i == 0) = 52 bytes +1 (this is for the "bad PC value") = 53 bytes In the worst case (when the PC is bad) we print: "%08x " x4 = (8 + 1 + 1) *4 = 40 bytes "bad PC value" = 12 + 1 = 13 bytes so again, 53 bytes. ... or have I missed a character somewhere? Will ^ permalink raw reply [flat|nested] 5+ messages in thread
* [PATCH v2] arch: arm64: kernel: sprintf(), 'str' needs additional 1 byte for failure processing 2013-05-28 10:42 ` Will Deacon @ 2013-05-28 11:21 ` Chen Gang 0 siblings, 0 replies; 5+ messages in thread From: Chen Gang @ 2013-05-28 11:21 UTC (permalink / raw) To: linux-arm-kernel On 05/28/2013 06:42 PM, Will Deacon wrote: > Hello, > > On Mon, May 27, 2013 at 03:00:12AM +0100, Chen Gang wrote: >> > >> > When failure occurs at the last looping cycle (when 'i == 0'), it will >> > print "bad PC value" instead of "(%08x) ", which needs additional 1 >> > byte. >> > >> > If not add 1 byte, the 'str' may be memory overflow. >> > >> > >> > Signed-off-by: Chen Gang <gang.chen@asianux.com> >> > --- >> > arch/arm64/kernel/traps.c | 2 +- >> > 1 files changed, 1 insertions(+), 1 deletions(-) >> > >> > diff --git a/arch/arm64/kernel/traps.c b/arch/arm64/kernel/traps.c >> > index 61d7dd2..c2f68d2 100644 >> > --- a/arch/arm64/kernel/traps.c >> > +++ b/arch/arm64/kernel/traps.c 
>> > @@ -100,7 +100,7 @@ static void dump_instr(const char *lvl, struct pt_regs *regs) >> > { >> > unsigned long addr = instruction_pointer(regs); >> > mm_segment_t fs; >> > - char str[sizeof("00000000 ") * 5 + 2 + 1], *p = str; >> > + char str[sizeof("00000000 ") * 5 + 2 + 1 + 1], *p = str; >> > int i; > Whilst this code is difficult to follow, I don't think it's incorrect. > The size of the str array is: > > sizeof("00000000 ") = 8 ('0's) + 1 (space) + 1 (NUL) = 10 bytes Oh, it is my fault, I miss the "1 (NUL)". > *5 = 50 bytes > +2 (for the two brackets when i == 0) = 52 bytes > +1 (this is for the "bad PC value") = 53 bytes > > In the worst case (when the PC is bad) we print: > > "%08x " x4 = (8 + 1 + 1) *4 = 40 bytes Actually, it is 36 bytes, for sprintf() return the length excluding NUL. (although, we still need notice the last NUL) > "bad PC value" = 12 + 1 = 13 bytes > > so again, 53 bytes. > So again, 49 bytes. ;-) > .. or have I missed a character somewhere? > NO, I missed characters, but you 'find' more characters. :-) All together, this patch is incorrect, original implementation will not cause issue. Thanks -- Chen Gang Asianux Corporation ^ permalink raw reply [flat|nested] 5+ messages in thread
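Added example, not part of the thread or of the kernel source: a user-space check of the byte counts discussed above, which formats every failure position with bounded snprintf() calls and compares the worst case with the declared size of `str`. The loop shape is assumed from the thread's description; `format_code`, `worst_case`, `sample_words` and `scratch` are hypothetical names, and the instruction words are constructed.

```c
#include <stdio.h>
#include <stddef.h>

/* Same size expression as the 'str' declaration in the hunk: 53 bytes. */
#define STR_SIZE (sizeof("00000000 ") * 5 + 2 + 1)

static const unsigned int sample_words[5] = {   /* constructed values */
    0xd503201f, 0xa9bf7bfd, 0x910003fd, 0xf9400000, 0xd65f03c0 };
static char scratch[128];

/*
 * Assumed model of the loop described in the thread: i runs -4..0, each word
 * prints as "%08x ", the word at i == 0 as "(%08x) ", and a failed read
 * prints "bad PC value" and stops. first_bad is the index of the failed
 * read (-4..0), or 1 for none. Returns bytes used including the NUL,
 * or 0 if dst is too small (nothing is written past dst + size).
 */
static size_t format_code(char *dst, size_t size,
                          const unsigned int w[5], int first_bad)
{
    size_t used = 0;
    for (int i = -4; i < 1; i++) {
        int n;
        if (i == first_bad)
            n = snprintf(dst + used, size - used, "bad PC value");
        else
            n = snprintf(dst + used, size - used,
                         i == 0 ? "(%08x) " : "%08x ", w[i + 4]);
        if (n < 0 || (size_t)n >= size - used)
            return 0;               /* output would have been truncated */
        used += (size_t)n;
        if (i == first_bad)
            break;
    }
    return used + 1;                /* count the terminating NUL */
}

/* Largest requirement over every failure position and the no-failure case. */
static size_t worst_case(void)
{
    size_t max = 0;
    for (int bad = -4; bad <= 1; bad++) {
        size_t n = format_code(scratch, sizeof(scratch), sample_words, bad);
        if (n > max)
            max = n;
    }
    return max;
}

int main(void)
{
    printf("str holds %zu bytes, worst case needs %zu\n",
           (size_t)STR_SIZE, worst_case());
    return 0;
}
```

The worst case is the failure at `i == 0`: four 9-character words, the 12-character failure string and one NUL, which fits in the original array without the extra byte.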