Re: [PATCH v4 3/9] vsprintf: Do not check address of well-known strings

From: Andy Shevchenko
Date: Sat Apr 07 2018 - 10:19:39 EST


On Fri, 2018-04-06 at 11:15 +0200, Petr Mladek wrote:
> On Thu 2018-04-05 15:30:51, Rasmus Villemoes wrote:
> > On 2018-04-04 10:58, Petr Mladek wrote:
> > > We are going to check the address using probe_kernel_address(). It
> > > will
> > > be more expensive and it does not make sense for well known
> > > address.
> > >
> > > This patch splits the string() function. The variant without the
> > > check
> > > is then used on locations that handle string constants or strings
> > > defined
> > > as local variables.
> > >
> > > This patch does not change the existing behavior.
> >
> > Please leave string() alone, except for moving the < PAGE_SIZE check
> > to
> > a new helper checked_string (feel free to find a better name), and
> > use
> > checked_string for handling %s and possibly the few other cases
> > where
> > we're passing a user-supplied pointer. That avoids cluttering the
> > entire
> > file with double-underscore calls, and e.g. in the %pO case, it's
> > easier
> > to understand why one uses two different *string() helpers if the
> > name
> > of one somehow conveys how it is different from the other.
>
> I understand your reasoning. I thought about exactly this as well.
> My problem is that string() will then be unsafe. It might be dangerous
> when porting patches.

I agree with Rasmus, and your argument here from my point of view kinda
weak. Are we really going to backport this patches? Why? We lived w/o
them for a long time. What's changed now?

> Is _string() really that bad?

I would think so.

--
Andy Shevchenko <andriy.shevchenko@xxxxxxxxxxxxxxx>
Intel Finland Oy