Re: [PATCH] vsprintf: protect kernel from panic due to non-canonical pointer dereference
From: Jane Chu
Date: Mon Oct 17 2022 - 15:32:39 EST
On 10/17/2022 12:25 PM, Andy Shevchenko wrote:
> On Mon, Oct 17, 2022 at 01:16:11PM -0600, Jane Chu wrote:
>> While debugging a separate issue, it was found that an invalid string
>> pointer could very well contain a non-canical address, such as
>> 0x7665645f63616465. In that case, this line of defense isn't enough
>> to protect the kernel from crashing due to general protection fault
>>
>> if ((unsigned long)ptr < PAGE_SIZE || IS_ERR_VALUE(ptr))
>> return "(efault)";
>>
>> So instead, use kern_addr_valid() to validate the string pointer.
>
> How did you check that value of the (invalid string) pointer?
>
In the bug scenario, the invalid string pointer was an out-of-bound
string pointer. While the OOB referencing is fixed, the lingering issue
is that the kernel ought to be able to protect itself, as the pointer
contains a non-canonical address. That said, I realized that not all
architecture implement meaningful kern_addr_valid(), so this line
if ((unsigned long)ptr < PAGE_SIZE || IS_ERR_VALUE(ptr))
is still need. I'll send v2.
thanks,
-jane
>