Re: [PATCH v3] vsprintf: Prevent crash when dereferencing invalid pointers

From: Sergey Senozhatsky
Date: Thu Mar 15 2018 - 21:19:04 EST


On (03/15/18 13:01), Steven Rostedt wrote:
> > > > +static const char *check_pointer_access(const void *ptr)
> > > > +{
> > > > + unsigned char byte;
> > > > +
> > > > + if (!ptr)
> > > > + return "(null)";
> > > > +
> > > > + if (probe_kernel_read(&byte, ptr, 1))
> > > ^^^^^
> > > Why one byte? sizeof(ptr)?
> >
> > I think there is a shorter version - probe_kernel_address(),
> > which, seems, was designed for this particular kind of stuff.
> >
> > void *p;
> >
> > if (probe_kernel_address(ptr, p))
> > ....
> >
>
> Agreed.

Hm, may be sizeof(ptr) still won't suffice. It would be great if we
could always look at spec.field_width, which can be up to 2 * sizeof(void *),
and then just probe_kernel_read(spec.field_width). E.g., %b/%bl prints out a
bitmap, accessing max_t(int, spec.field_width, 0) bits, which is good. But,
for instance, %U (uuid printout) doesn't look at spec.field_width, and reads
in 16 bytes from the given memory address. Then we have ipv4/ipv6, mac, etc.
So I think that checking just 1 byte or sizeof(ptr) is not really enough if
we want to fix vsprintf. What do you think?

-ss