Re: [PATCH] vsprintf: Make "null" pointer dereference more robust

From: Andy Shevchenko
Date: Wed Mar 07 2018 - 13:18:19 EST

Next message: Andy Shevchenko: "Re: [PATCH] usb: isp1760: Use kasprintf"
Previous message: Helmut Grohne: "Re: RFC: remove the "tile" architecture from glibc"
In reply to: Petr Mladek: "Re: [PATCH] vsprintf: Make "null" pointer dereference more robust"
Next in thread: Linus Torvalds: "Re: [PATCH] vsprintf: Make "null" pointer dereference more robust"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Wed, 2018-03-07 at 16:52 +0100, Petr Mladek wrote:
> On Tue 2018-03-06 11:56:25, Andy Shevchenko wrote:

> Anyway, I have discussed this with my colleagues. Different people had
> different opinions. But I liked the following.

I discussed as well, and...

> We already prevent crash when derefencing some obviously broken
> pointers. The handling is not consistent. Sometimes we print "(null)"
> only for pure NULL pointer, sometimes for pointers in the first
> page and sometimes also for pointers in the last page (error codes).

> In general, we should do our best to get useful message from printk().
> This patch tries to find a wide range of invalid strings using
> probe_kernel_read(). Also it makes the handling unified. We print:

...they are considering not crashing is a bad idea from debugging point
of view.

So, what is can be done is to:
- print "(null)" only for null pointers
- print error codes for IS_ERR() part
- crash on everything else

which partially what does my patch 1.

> Note that we could not print the exact pointer value from security
> reasons.

If it's invalid we need to fix the code, not to hide a problem, right?

> Developers need print the pointer using %px to get the real value.

But how developer will know (w/o traceback) where to look for?

> + if (probe_kernel_read(&byte, ptr, 1))
> + return "(efault)";

There is couple of flaws here:

- If we asked to print 0 bytes of the value of pointer or something
from extension (%*ph, %*pE, etc), we don't know if pointer valid or not,
because we are going to print nothing. So, for now there is a
ZERO_OR_NULL_PTR() check for them, but in reality I wouldn't know what
the best to do in such case. So, the question is what we would like to
know more: the pointer is invalid, or the spec.width is 0 and caller
doesn't care in this case?

- For IS_ERR() case it might be better to print an actual value of err,
(4 chars + parens + 2 chars left, like (e:dddd) or similar.
Unfortunately it doesn't scale good (ffff is a last error value we may
print). So, perhaps printing as %p in this case is a good enough and
scalable.

--
Andy Shevchenko <andriy.shevchenko@xxxxxxxxxxxxxxx>
Intel Finland Oy

Next message: Andy Shevchenko: "Re: [PATCH] usb: isp1760: Use kasprintf"
Previous message: Helmut Grohne: "Re: RFC: remove the "tile" architecture from glibc"
In reply to: Petr Mladek: "Re: [PATCH] vsprintf: Make "null" pointer dereference more robust"
Next in thread: Linus Torvalds: "Re: [PATCH] vsprintf: Make "null" pointer dereference more robust"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]