Re: [PATCH v4 8/9] vsprintf: Prevent crash when dereferencing invalid pointers

From: Petr Mladek
Date: Fri Apr 06 2018 - 08:26:43 EST

Next message: Al Viro: "Re: [PATCH 3/6] aio: refactor read/write iocb setup"
Previous message: Christian KÃnig: "Re: [PATCH v2] Add udmabuf misc device"
In reply to: Rasmus Villemoes: "Re: [PATCH v4 8/9] vsprintf: Prevent crash when dereferencing invalid pointers"
Next in thread: Rasmus Villemoes: "Re: [PATCH v4 8/9] vsprintf: Prevent crash when dereferencing invalid pointers"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Thu 2018-04-05 16:46:23, Rasmus Villemoes wrote:
> On 2018-04-04 10:58, Petr Mladek wrote:
>
> > diff --git a/lib/vsprintf.c b/lib/vsprintf.c
> > index 3551b7957d9e..1a080a75a825 100644
> > --- a/lib/vsprintf.c
> > +++ b/lib/vsprintf.c
> > @@ -599,12 +599,46 @@ char *__string(char *buf, char *end, const char *s, struct printf_spec spec)
> > return widen_string(buf, len, end, spec);
> > }
> >
> > + /*
> > + * This is not a fool-proof test. 99% of the time that this will fault is
> > + * due to a bad pointer, not one that crosses into bad memory. Just test
> > + * the address to make sure it doesn't fault due to a poorly added printk
> > + * during debugging.
> > + */
> > +static const char *check_pointer_access(const void *ptr)
> > +{
> > + char byte;
> > +
> > + if (!ptr)
> > + return "(null)";
> > +
> > + if (probe_kernel_address(ptr, byte))
> > + return "(efault)";
> > +
> > + return NULL;
> > +}
>
> So while I think the WARNings are mostly pointless for the bad format
> specifiers, I'm wondering why an averted crash is not worth a
> WARN_ONCE?

It is used to match the error with the code. It was more explained in
the other mail.

> This means there's an actual bug somewhere, probably even exploitable,
> but we're just silently producing some innocent string...

Good point! It would make sense in many situations, especially when
we "silently" crashed so far.

I just wonder if some code already relies on the fact that passing
NULL is rather innocent, for example, in some timer- or networking-
related debug output. This change might make it hard to read.

Anyway, I still thing that it makes sense. But I would do it as
a separate patch so that it can be reverted easily. In each case,
it should spend some time in linux-next.

> Also, I'd still prefer to insist on ptr being a kernel pointer. Sure,
> for %ph userspace gets to print their own memory, but for a lot of the
> others, we're chasing pointers another level, so if an attacker can feed
> a user pointer to one of those, there's a trivial arbitrary read gadget.
> We have lots of printks in untested error paths, and I find it quite
> likely that one of those uses a garbage pointer.
>
> I know you're mostly phrasing this in terms of preventing a crash, but
> it seems silly not to close that when it only costs a pointer comparison.

I thought that it was good idea but Steven was against, see
https://lkml.kernel.org/r/20180315130612.4b4cd091@xxxxxxxxxxxxxxxxx

> You're also missing the %pD (struct file*) case, which is one of those
> double-pointer chasing cases.

I wanted to keep the initial code simple. Well, %pD is pretty
straightforward, I could move the check to the cycle in v5.

I just want to avoid a monster patchset that would add the check
for every read byte. I am not persuaded that it is worth it.

Best Regards,
Petr

Next message: Al Viro: "Re: [PATCH 3/6] aio: refactor read/write iocb setup"
Previous message: Christian KÃnig: "Re: [PATCH v2] Add udmabuf misc device"
In reply to: Rasmus Villemoes: "Re: [PATCH v4 8/9] vsprintf: Prevent crash when dereferencing invalid pointers"
Next in thread: Rasmus Villemoes: "Re: [PATCH v4 8/9] vsprintf: Prevent crash when dereferencing invalid pointers"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]