| Message ID | 1507517945-27155-1-git-send-email-me@tobin.cc (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
On Mon, Oct 09, 2017 at 01:59:05PM +1100, Tobin C. Harding wrote: > %pi leaks kernel addresses if incorrectly specified. > > Currently the printk specifier %pi (%pI) contains a switch statement > without a default clause. The %pi specifier requires a subsequent > character (4, 6, or S) controlling the output. If the specifier is > incomplete the switch statement will fall through and print the variable > argument address in hex instead of the value of the argument (as an IP > address). > > If uncaught this leaks kernel addresses into dmesg. We can return an > error string to make the bug visible and stop addresses leaking. > > Add a default clause returning an error string, stops leaking addresses > and makes the buggy code ...? :) > Signed-off-by: Tobin C. Harding <me@tobin.cc> > --- > lib/vsprintf.c | 2 ++ > 1 file changed, 2 insertions(+) > > diff --git a/lib/vsprintf.c b/lib/vsprintf.c > index 86c3385b9eb3..155702f05b14 100644 > --- a/lib/vsprintf.c > +++ b/lib/vsprintf.c > @@ -1775,6 +1775,8 @@ char *pointer(const char *fmt, char *buf, char *end, void *ptr, > default: > return string(buf, end, "(invalid address)", spec); > }} > + default: Maybe a WARN(1, "invalid pointer format")? That way it'll be easy for people to figure out where to fix. Cheers, Tycho > + return string(buf, end, "(invalid specifier, form: %pi4)", spec); > } > break; > case 'E': > -- > 2.7.4 >
On Mon, Oct 09, 2017 at 09:16:09AM -0600, Tycho Andersen wrote: > On Mon, Oct 09, 2017 at 01:59:05PM +1100, Tobin C. Harding wrote: > > %pi leaks kernel addresses if incorrectly specified. > > > > Currently the printk specifier %pi (%pI) contains a switch statement > > without a default clause. The %pi specifier requires a subsequent > > character (4, 6, or S) controlling the output. If the specifier is > > incomplete the switch statement will fall through and print the variable > > argument address in hex instead of the value of the argument (as an IP > > address). > > > > If uncaught this leaks kernel addresses into dmesg. We can return an > > error string to make the bug visible and stop addresses leaking. > > > > Add a default clause returning an error string, stops leaking addresses > > and makes the buggy code > > ...? :) > > > Signed-off-by: Tobin C. Harding <me@tobin.cc> > > --- > > lib/vsprintf.c | 2 ++ > > 1 file changed, 2 insertions(+) > > > > diff --git a/lib/vsprintf.c b/lib/vsprintf.c > > index 86c3385b9eb3..155702f05b14 100644 > > --- a/lib/vsprintf.c > > +++ b/lib/vsprintf.c > > @@ -1775,6 +1775,8 @@ char *pointer(const char *fmt, char *buf, char *end, void *ptr, > > default: > > return string(buf, end, "(invalid address)", spec); > > }} > > + default: > > Maybe a WARN(1, "invalid pointer format")? That way it'll be easy for > people to figure out where to fix. Thanks for the review. vsprintf.c uses custom error return logic so as not to create a function call cycle, I assume the printf versions of WARN call into vsprintf to do their formatting also. Hence (and without studying the WARN code) I avoided the printf versions of WARN. Open to correction if I am wrong. thanks, Tobin.
On Mon, 2017-10-09 at 13:59 +1100, Tobin C. Harding wrote: > %pi leaks kernel addresses if incorrectly specified. Are there any uses that are incorrectly specified? grep doesn't show any. > Currently the printk specifier %pi (%pI) contains a switch statement > without a default clause. The %pi specifier requires a subsequent > character (4, 6, or S) controlling the output. If the specifier is > incomplete the switch statement will fall through and print the variable > argument address in hex instead of the value of the argument (as an IP > address). > > If uncaught this leaks kernel addresses into dmesg. We can return an > error string to make the bug visible and stop addresses leaking. > > Add a default clause returning an error string, stops leaking addresses > and makes the buggy code [] > diff --git a/lib/vsprintf.c b/lib/vsprintf.c [] > @@ -1775,6 +1775,8 @@ char *pointer(const char *fmt, char *buf, char *end, void *ptr, > default: > return string(buf, end, "(invalid address)", spec); > }} > + default: > + return string(buf, end, "(invalid specifier, form: %pi4)", spec); > } > break; > case 'E': I'm not sure this is a big deal and maybe a better way to handle it is to move the %pK, case 'K': block and add a fallthrough or keep the case 'K': block where it is and add a goto.
On Tue, Oct 10, 2017 at 12:09:35AM -0700, Joe Perches wrote: > On Mon, 2017-10-09 at 13:59 +1100, Tobin C. Harding wrote: > > %pi leaks kernel addresses if incorrectly specified. > > Are there any uses that are incorrectly specified? > grep doesn't show any. You are correct I don't see any. > > Currently the printk specifier %pi (%pI) contains a switch statement > > without a default clause. The %pi specifier requires a subsequent > > character (4, 6, or S) controlling the output. If the specifier is > > incomplete the switch statement will fall through and print the variable > > argument address in hex instead of the value of the argument (as an IP > > address). > > > > If uncaught this leaks kernel addresses into dmesg. We can return an > > error string to make the bug visible and stop addresses leaking. > > > > Add a default clause returning an error string, stops leaking addresses > > and makes the buggy code > [] > > diff --git a/lib/vsprintf.c b/lib/vsprintf.c > [] > > @@ -1775,6 +1775,8 @@ char *pointer(const char *fmt, char *buf, char *end, void *ptr, > > default: > > return string(buf, end, "(invalid address)", spec); > > }} > > + default: > > + return string(buf, end, "(invalid specifier, form: %pi4)", spec); > > } > > break; > > case 'E': > > I'm not sure this is a big deal and > maybe a better way to handle it is to > move the %pK, case 'K': block and add > a fallthrough or keep the case 'K': > block where it is and add a goto. Thanks for suggestions. Tobin.
diff --git a/lib/vsprintf.c b/lib/vsprintf.c index 86c3385b9eb3..155702f05b14 100644 --- a/lib/vsprintf.c +++ b/lib/vsprintf.c @@ -1775,6 +1775,8 @@ char *pointer(const char *fmt, char *buf, char *end, void *ptr, default: return string(buf, end, "(invalid address)", spec); }} + default: + return string(buf, end, "(invalid specifier, form: %pi4)", spec); } break; case 'E':
%pi leaks kernel addresses if incorrectly specified. Currently the printk specifier %pi (%pI) contains a switch statement without a default clause. The %pi specifier requires a subsequent character (4, 6, or S) controlling the output. If the specifier is incomplete the switch statement will fall through and print the variable argument address in hex instead of the value of the argument (as an IP address). If uncaught this leaks kernel addresses into dmesg. We can return an error string to make the bug visible and stop addresses leaking. Add a default clause returning an error string, stops leaking addresses and makes the buggy code Signed-off-by: Tobin C. Harding <me@tobin.cc> --- lib/vsprintf.c | 2 ++ 1 file changed, 2 insertions(+)