From: Petr Mladek <pmladek@suse.com>
To: Andy Shevchenko <andriy.shevchenko@linux.intel.com>,
Rasmus Villemoes <linux@rasmusvillemoes.dk>
Cc: Linus Torvalds <torvalds@linux-foundation.org>,
"Tobin C . Harding" <me@tobin.cc>, Joe Perches <joe@perches.com>,
Andrew Morton <akpm@linux-foundation.org>,
Michal Hocko <mhocko@suse.cz>,
Sergey Senozhatsky <sergey.senozhatsky@gmail.com>,
Steven Rostedt <rostedt@goodmis.org>,
Sergey Senozhatsky <sergey.senozhatsky.work@gmail.com>,
linux-kernel@vger.kernel.org, Petr Mladek <pmladek@suse.com>
Subject: [PATCH v7 10/10] vsprintf: Limit the length of inlined error messages
Date: Wed, 17 Apr 2019 13:53:50 +0200 [thread overview]
Message-ID: <20190417115350.20479-11-pmladek@suse.com> (raw)
In-Reply-To: <20190417115350.20479-1-pmladek@suse.com>
The inlined error messages must be used carefully because
they need to fit into the given buffer.
Handle them using a custom wrapper that makes people aware
of the problem. Also define a reasonable hard limit to
avoid a completely insane usage.
Suggested-by: Sergey Senozhatsky <sergey.senozhatsky@gmail.com>
Signed-off-by: Petr Mladek <pmladek@suse.com>
---
lib/vsprintf.c | 39 +++++++++++++++++++++++++++------------
1 file changed, 27 insertions(+), 12 deletions(-)
diff --git a/lib/vsprintf.c b/lib/vsprintf.c
index 4e5666035b74..1f367f3a7e2b 100644
--- a/lib/vsprintf.c
+++ b/lib/vsprintf.c
@@ -612,6 +612,21 @@ static char *string_nocheck(char *buf, char *end, const char *s,
return widen_string(buf, len, end, spec);
}
+/* Be careful: error messages must fit into the given buffer. */
+static char *error_string(char *buf, char *end, const char *s,
+ struct printf_spec spec)
+{
+ /*
+ * Hard limit to avoid a completely insane messages. It actually
+ * works pretty well because most error messages are in
+ * the many pointer format modifiers.
+ */
+ if (spec.precision == -1)
+ spec.precision = 2 * sizeof(void *);
+
+ return string_nocheck(buf, end, s, spec);
+}
+
/*
* This is not a fool-proof test. 99% of the time that this will fault is
* due to a bad pointer, not one that crosses into bad memory. Just test
@@ -638,7 +653,7 @@ static int check_pointer(char **buf, char *end, const void *ptr,
err_msg = check_pointer_msg(ptr);
if (err_msg) {
- *buf = string_nocheck(*buf, end, err_msg, spec);
+ *buf = error_string(*buf, end, err_msg, spec);
return -EFAULT;
}
@@ -741,7 +756,7 @@ static char *ptr_to_id(char *buf, char *end, const void *ptr,
if (static_branch_unlikely(¬_filled_random_ptr_key)) {
spec.field_width = 2 * sizeof(ptr);
/* string length must be less than default_width */
- return string_nocheck(buf, end, str, spec);
+ return error_string(buf, end, str, spec);
}
#ifdef CONFIG_64BIT
@@ -777,7 +792,7 @@ char *restricted_pointer(char *buf, char *end, const void *ptr,
if (in_irq() || in_serving_softirq() || in_nmi()) {
if (spec.field_width == -1)
spec.field_width = 2 * sizeof(ptr);
- return string_nocheck(buf, end, "pK-error", spec);
+ return error_string(buf, end, "pK-error", spec);
}
/*
@@ -1511,12 +1526,12 @@ char *ip_addr_string(char *buf, char *end, const void *ptr,
case AF_INET6:
return ip6_addr_string_sa(buf, end, &sa->v6, spec, fmt);
default:
- return string_nocheck(buf, end, "(einval)", spec);
+ return error_string(buf, end, "(einval)", spec);
}}
}
err_fmt_msg = fmt[0] == 'i' ? "(%pi?)" : "(%pI?)";
- return string_nocheck(buf, end, err_fmt_msg, spec);
+ return error_string(buf, end, err_fmt_msg, spec);
}
static noinline_for_stack
@@ -1653,7 +1668,7 @@ char *netdev_bits(char *buf, char *end, const void *addr,
size = sizeof(netdev_features_t);
break;
default:
- return string_nocheck(buf, end, "(%pN?)", spec);
+ return error_string(buf, end, "(%pN?)", spec);
}
return special_hex_number(buf, end, num, size);
@@ -1765,7 +1780,7 @@ char *time_and_date(char *buf, char *end, void *ptr, struct printf_spec spec,
case 'R':
return rtc_str(buf, end, (const struct rtc_time *)ptr, spec, fmt);
default:
- return string_nocheck(buf, end, "(%ptR?)", spec);
+ return error_string(buf, end, "(%ptR?)", spec);
}
}
@@ -1774,7 +1789,7 @@ char *clock(char *buf, char *end, struct clk *clk, struct printf_spec spec,
const char *fmt)
{
if (!IS_ENABLED(CONFIG_HAVE_CLK))
- return string_nocheck(buf, end, "(%pC?)", spec);
+ return error_string(buf, end, "(%pC?)", spec);
if (check_pointer(&buf, end, clk, spec))
return buf;
@@ -1785,7 +1800,7 @@ char *clock(char *buf, char *end, struct clk *clk, struct printf_spec spec,
#ifdef CONFIG_COMMON_CLK
return string(buf, end, __clk_get_name(clk), spec);
#else
- return string_nocheck(buf, end, "(%pC?)", spec);
+ return error_string(buf, end, "(%pC?)", spec);
#endif
}
}
@@ -1843,7 +1858,7 @@ char *flags_string(char *buf, char *end, void *flags_ptr,
names = gfpflag_names;
break;
default:
- return string_nocheck(buf, end, "(%pG?)", spec);
+ return error_string(buf, end, "(%pG?)", spec);
}
return format_flags(buf, end, flags, names);
@@ -1899,7 +1914,7 @@ char *device_node_string(char *buf, char *end, struct device_node *dn,
str_spec.field_width = -1;
if (!IS_ENABLED(CONFIG_OF))
- return string_nocheck(buf, end, "(%pOF?)", spec);
+ return error_string(buf, end, "(%pOF?)", spec);
if (check_pointer(&buf, end, dn, spec))
return buf;
@@ -1978,7 +1993,7 @@ static char *kobject_string(char *buf, char *end, void *ptr,
return device_node_string(buf, end, ptr, spec, fmt + 1);
}
- return string_nocheck(buf, end, "(%pO?)", spec);
+ return error_string(buf, end, "(%pO?)", spec);
}
/*
--
2.16.4
next prev parent reply other threads:[~2019-04-17 11:54 UTC|newest]
Thread overview: 22+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-04-17 11:53 [PATCH v7 00/10] vsprintf: Prevent silent crashes and consolidate error handling Petr Mladek
2019-04-17 11:53 ` [PATCH v7 01/10] vsprintf: Shuffle restricted_pointer() Petr Mladek
2019-04-17 11:53 ` [PATCH v7 02/10] vsprintf: Consistent %pK handling for kptr_restrict == 0 Petr Mladek
2019-04-17 13:44 ` Steven Rostedt
2019-04-17 11:53 ` [PATCH v7 03/10] vsprintf: Do not check address of well-known strings Petr Mladek
2019-04-17 11:53 ` [PATCH v7 04/10] vsprintf: Factor out %p[iI] handler as ip_addr_string() Petr Mladek
2019-04-17 11:53 ` [PATCH v7 05/10] vsprintf: Factor out %pV handler as va_format() Petr Mladek
2019-04-17 11:53 ` [PATCH v7 06/10] vsprintf: Factor out %pO handler as kobject_string() Petr Mladek
2019-04-17 11:53 ` [PATCH v7 07/10] vsprintf: Consolidate handling of unknown pointer specifiers Petr Mladek
2019-04-18 14:34 ` Sergey Senozhatsky
2019-04-18 14:43 ` Sergey Senozhatsky
2019-04-18 14:50 ` Sergey Senozhatsky
2019-06-25 10:59 ` Geert Uytterhoeven
2019-06-26 10:46 ` Petr Mladek
2019-06-26 11:16 ` Geert Uytterhoeven
2019-04-17 11:53 ` [PATCH v7 08/10] vsprintf: Prevent crash when dereferencing invalid pointers Petr Mladek
2019-04-17 11:53 ` [PATCH v7 09/10] vsprintf: Avoid confusion between invalid address and value Petr Mladek
2019-04-17 11:53 ` Petr Mladek [this message]
2019-04-19 1:51 ` [PATCH v7 00/10] vsprintf: Prevent silent crashes and consolidate error handling Sergey Senozhatsky
2019-04-24 13:53 ` Petr Mladek
2019-04-26 13:02 ` Andy Shevchenko
2019-04-26 14:27 ` Petr Mladek
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190417115350.20479-11-pmladek@suse.com \
--to=pmladek@suse.com \
--cc=akpm@linux-foundation.org \
--cc=andriy.shevchenko@linux.intel.com \
--cc=joe@perches.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux@rasmusvillemoes.dk \
--cc=me@tobin.cc \
--cc=mhocko@suse.cz \
--cc=rostedt@goodmis.org \
--cc=sergey.senozhatsky.work@gmail.com \
--cc=sergey.senozhatsky@gmail.com \
--cc=torvalds@linux-foundation.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox