Re: Issue with 'lib/vsprintf.c: don't try to fix pointer wrap-around'

From: Rasmus Villemoes
Date: Fri Jan 16 2015 - 15:42:40 EST


On Fri, Jan 16 2015, Andrew Morton <akpm@xxxxxxxxxxxxxxxxxxxx> wrote:

> On Fri, 16 Jan 2015 11:23:57 -0500 Johannes Weiner <hannes@xxxxxxxxxxx> wrote:
>
>> Hi Rasmus,
>>
>> I have trouble booting my test machine with this patch in -mm:
>>
>> commit bb2e066c6943e62e9650bb129f416dacf138f8b1
>> Author: Rasmus Villemoes <linux@xxxxxxxxxxxxxxxxxx>
>> Date: Wed Jan 14 01:00:44 2015 +0000
>>
>> lib/vsprintf.c: don't try to fix pointer wrap-around
>>
>> Actual kernel buffers can't wrap into the user address space. If someone
>> manages to pass a buf/size combination that wraps, it is most likely due
>> to a bug in the caller. Instead of trying to fix it by using a smaller
>> part of the buffer, bail out.
>>
>> Signed-off-by: Rasmus Villemoes <linux@xxxxxxxxxxxxxxxxxx>
>> Cc: Jiri Kosina <jkosina@xxxxxxx>
>> Cc: Randy Dunlap <rdunlap@xxxxxxxxxxxxx>
>> Signed-off-by: Andrew Morton <akpm@xxxxxxxxxxxxxxxxxxxx>
>>
>> After I get "Loading bzImage-new... ok" from the bootloader, the
>> serial console remains quiet.
>>
>> A WARN_ON_ONCE() inside vsnprintf() looks like it would deadlock
>> instantly when triggering this overflow from printk(), no?
>
> Dammit, I was starting at that printk, ended up deciding it was OK,
> didn't think about deadlocks. logbuf_lock and recursion_bug, for a
> start...
>
> I'll drop the patch.

Good, because the bug is in my brain. I think the cause may be a sprintf
or vsprintf call that doesn't actually print what it is supposed to,
since they pass INT_MAX for size, and that can of course easily cause
buf+size to wrap-around (it is basically guaranteed on 32 bit).

Sorry about this. Thanks for reporting, Johannes.

Rasmus
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/