Re: [PATCH] vsprintf: Make "null" pointer dereference more robust
From: Andy Shevchenko
Date: Wed Mar 07 2018 - 13:18:19 EST
On Wed, 2018-03-07 at 16:52 +0100, Petr Mladek wrote:
> On Tue 2018-03-06 11:56:25, Andy Shevchenko wrote:
> Anyway, I have discussed this with my colleagues. Different people had
> different opinions. But I liked the following.
I discussed as well, and...
> We already prevent crash when derefencing some obviously broken
> pointers. The handling is not consistent. Sometimes we print "(null)"
> only for pure NULL pointer, sometimes for pointers in the first
> page and sometimes also for pointers in the last page (error codes).
> In general, we should do our best to get useful message from printk().
> This patch tries to find a wide range of invalid strings using
> probe_kernel_read(). Also it makes the handling unified. We print:
...they are considering not crashing is a bad idea from debugging point
of view.
So, what is can be done is to:
- print "(null)" only for null pointers
- print error codes for IS_ERR() part
- crash on everything else
which partially what does my patch 1.
> Note that we could not print the exact pointer value from security
> reasons.
If it's invalid we need to fix the code, not to hide a problem, right?
> Developers need print the pointer using %px to get the real value.
But how developer will know (w/o traceback) where to look for?
> + if (probe_kernel_read(&byte, ptr, 1))
> + return "(efault)";
There is couple of flaws here:
- If we asked to print 0 bytes of the value of pointer or something
from extension (%*ph, %*pE, etc), we don't know if pointer valid or not,
because we are going to print nothing. So, for now there is a
ZERO_OR_NULL_PTR() check for them, but in reality I wouldn't know what
the best to do in such case. So, the question is what we would like to
know more: the pointer is invalid, or the spec.width is 0 and caller
doesn't care in this case?
- For IS_ERR() case it might be better to print an actual value of err,
(4 chars + parens + 2 chars left, like (e:dddd) or similar.
Unfortunately it doesn't scale good (ffff is a last error value we may
print). So, perhaps printing as %p in this case is a good enough and
scalable.
--
Andy Shevchenko <andriy.shevchenko@xxxxxxxxxxxxxxx>
Intel Finland Oy