[v3,1/1] vsprintf: protect kernel from panic due to non-canonical pointer dereference
| Message ID | 20221019194159.2923873-1-jane.chu@oracle.com |
|---|---|
| State | New |
| Headers |
Return-Path: <linux-kernel-owner@vger.kernel.org>
Delivered-To: ouuuleilei@gmail.com
Received: by 2002:a5d:4ac7:0:0:0:0:0 with SMTP id y7csp507647wrs;
Wed, 19 Oct 2022 12:54:20 -0700 (PDT)
X-Google-Smtp-Source:
AMsMyM42/NC/2KdmE0gYzOKwU/N8zRe6ynDtkWeWJ3RO6E35IFZ5rHdq+/y6ADubp6ycSJywotOQ
X-Received: by 2002:a17:90b:2691:b0:20c:d655:c67d with SMTP id
pl17-20020a17090b269100b0020cd655c67dmr47632653pjb.36.1666209260739;
Wed, 19 Oct 2022 12:54:20 -0700 (PDT)
ARC-Seal: i=2; a=rsa-sha256; t=1666209260; cv=pass;
d=google.com; s=arc-20160816;
b=nWWTML1/5a0U18LLRAtcKU4pCYC2G8NL0v9jL4aRL4L0aJAM0RidcY1jsZMUTYlUgW
5bn0ZPmWES2WiLJJzzTKyN2DG+zkctupZ6MrXbicd3PsiLBirl65QGCLKGCvEMnNsw5k
UhrbLmUITYhYiPUnrYQFDY3V8SfibmntFSFkb4OF3pRXTSi+b3CO/NdYSEc5qtenyE1w
Hh2rfEf+FHUvPlr7c4WtYlqz/wcV5okktRshhLMbWmOwKqMTa8QneMUrEKp9ua/z37gX
v2bdVshP42WthzNL+Nac317bYppjh/mt7MUFCjnMQISNuI0o0SLCwLlvG7El5hT/4EK8
QwnA==
ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com;
s=arc-20160816;
h=list-id:precedence:mime-version:message-id:date:subject:cc:to:from
:dkim-signature:dkim-signature;
bh=rZBMhM4k8jqNKxEdOY2rYupT1BYq2CyvoHLZNXuoy7A=;
b=afmhCctQc+HDOHU4sRDopzrGFWECCEdjz28ZHHPvo1otxK5OAX1vlsPC9YaL6xWwV+
/9931V7lzkAbd/m5hGjwQvttW/f1DA31mGqCm62dUm2LrJt35KhDv793HocbPtlBQYob
Kycn8aW2RsuOuVr5aTtIwLsCE5bMBVO8MEnrZFuJ/8QU1deWgryIqsnCTuViqUJI/RY4
qLPgaDta0emaYDBFBUj3K87bRrBTMQtQkYfWPfiS/vDn+Bo4Nd5YLVtsarXxSIbv9czB
JtMhOutLi35r9d11Q7aZtHwdNJJuLbbEgC+8tWZJnTRG9EIt7qMaj6q6Y55cs9wBNSk8
SJuw==
ARC-Authentication-Results: i=2; mx.google.com;
dkim=pass header.i=@oracle.com header.s=corp-2022-7-12
header.b="R9Apbv0/";
dkim=pass header.i=@oracle.onmicrosoft.com
header.s=selector2-oracle-onmicrosoft-com header.b=C9O6qM1o;
arc=pass (i=1 spf=pass spfdomain=oracle.com dkim=pass
dkdomain=oracle.com dmarc=pass fromdomain=oracle.com);
spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 2620:137:e000::1:20 as permitted sender)
smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=oracle.com
Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20])
by mx.google.com with ESMTP id
184-20020a6304c1000000b0046afcf0fa93si18913440pge.522.2022.10.19.12.54.06;
Wed, 19 Oct 2022 12:54:20 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 2620:137:e000::1:20 as permitted sender)
client-ip=2620:137:e000::1:20;
Authentication-Results: mx.google.com;
dkim=pass header.i=@oracle.com header.s=corp-2022-7-12
header.b="R9Apbv0/";
dkim=pass header.i=@oracle.onmicrosoft.com
header.s=selector2-oracle-onmicrosoft-com header.b=C9O6qM1o;
arc=pass (i=1 spf=pass spfdomain=oracle.com dkim=pass
dkdomain=oracle.com dmarc=pass fromdomain=oracle.com);
spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 2620:137:e000::1:20 as permitted sender)
smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=oracle.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
id S231238AbiJSTnj (ORCPT <rfc822;samuel.l.nystrom@gmail.com>
+ 99 others); Wed, 19 Oct 2022 15:43:39 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:47942 "EHLO
lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
with ESMTP id S231253AbiJSTng (ORCPT
<rfc822;linux-kernel@vger.kernel.org>);
Wed, 19 Oct 2022 15:43:36 -0400
Received: from mx0b-00069f02.pphosted.com (mx0b-00069f02.pphosted.com
[205.220.177.32])
by lindbergh.monkeyblade.net (Postfix) with ESMTPS id D8F431D555F
for <linux-kernel@vger.kernel.org>;
Wed, 19 Oct 2022 12:43:33 -0700 (PDT)
Received: from pps.filterd (m0246632.ppops.net [127.0.0.1])
by mx0b-00069f02.pphosted.com (8.17.1.5/8.17.1.5) with ESMTP id
29JIOL30020641;
Wed, 19 Oct 2022 19:42:16 GMT
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=oracle.com;
h=from : to : cc :
subject : date : message-id : content-type : mime-version;
s=corp-2022-7-12; bh=rZBMhM4k8jqNKxEdOY2rYupT1BYq2CyvoHLZNXuoy7A=;
b=R9Apbv0/OVSGU/k6PjweeLXOURfljTs7ITU4UWw3JzxEC31m0Cj+EV2GtvClMQvoK9+u
CjoPMByetI04VUvBEh3PvxCwFucJXwKMY5SQkNxnpaNzGJ9vJ7UrdrTD9OtIeRO0tpVV
PPen5bIeDqF1uqgI1I91BjeOuOBJ55nhfFuM9xKYDW9WxNyHv787eUULNchGjzfx1mVN
fsijnPZBt1jas7FUJljK18ngCQY39M/21Z8E4UP2t+i4GEw3YJrkmxvB/FHv/GWmNql+
WMNmwPMq8nj+B1Eb/KHhpUZghAHTDeY5uK3QtNjPnx+rzQSGEqXfbPhhZxhxx2UN5o5M +w==
Received: from iadpaimrmta03.imrmtpd1.prodappiadaev1.oraclevcn.com
(iadpaimrmta03.appoci.oracle.com [130.35.103.27])
by mx0b-00069f02.pphosted.com (PPS) with ESMTPS id 3k7mu03adn-1
(version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256
verify=OK);
Wed, 19 Oct 2022 19:42:16 +0000
Received: from pps.filterd
(iadpaimrmta03.imrmtpd1.prodappiadaev1.oraclevcn.com [127.0.0.1])
by iadpaimrmta03.imrmtpd1.prodappiadaev1.oraclevcn.com
(8.17.1.5/8.17.1.5) with ESMTP id 29JHo5Mh016582;
Wed, 19 Oct 2022 19:42:15 GMT
Received: from nam02-dm3-obe.outbound.protection.outlook.com
(mail-dm3nam02lp2049.outbound.protection.outlook.com [104.47.56.49])
by iadpaimrmta03.imrmtpd1.prodappiadaev1.oraclevcn.com (PPS) with
ESMTPS id 3k8hrc4gdg-1
(version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256
verify=OK);
Wed, 19 Oct 2022 19:42:15 +0000
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none;
b=au/OvIRBQqNPi4Mmevi7LqyXgQmNxL9rftkZyLO+FEkzhyKezechs5YcdrUW1imF9UEzPpeq5xSxcmQH1ItjajSImAaR4+7gBFc5YpCh4KWAu8vnj35gU1q+KRbDk4n7NXhD7y7MBza13284pMJMn1s1joH9zOp8+mFlaOkgqkbTF7YvIqxishjcchzmivohW7bBfBpmFwSN73KnQJRilGMnpotyPsAHd8ackL2pytoUlecdM13M1pWfcXl6dKwF9cf98+kWyZkGP1ev6eZQYikjF3xgnKx/+Y/x7Gfp1y9iwCPFZgLLsbf1fm+j6KscG99WDofxZRzrxsNik5re3Q==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com;
s=arcselector9901;
h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1;
bh=rZBMhM4k8jqNKxEdOY2rYupT1BYq2CyvoHLZNXuoy7A=;
b=nn9ivQtI9tGj6nZT4yWPo0i/d8YeQqaJTby0rGrldy8LmjgFe/7jwkNgskp0u9ooV/pAmVn8by2ja27Cg6QK+wbqxiZqynlUwhb40IwrG4hEmsp1hdt0CRynYNVUsI3ayUPNgcWkDS9EJnx8AX2YDeuJBSBr2PJ1L06AYxQ17wKLzABWTZISpiOLQVdzlJoB6HYwInOG4fJRQdj6vtO+/qfLI2iR0y97Y0nXmBGHEGDJH+UxGURLnMEd9XkWuPPJajkKAFsjWSQio60wYVjgCJpWzao0+uuV7Twd1nrOwqsNcoveXZlJXSANQ8oWyW4jzmEm5BS0Nze5uwcxOTP0mw==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass
smtp.mailfrom=oracle.com; dmarc=pass action=none header.from=oracle.com;
dkim=pass header.d=oracle.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=oracle.onmicrosoft.com; s=selector2-oracle-onmicrosoft-com;
h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck;
bh=rZBMhM4k8jqNKxEdOY2rYupT1BYq2CyvoHLZNXuoy7A=;
b=C9O6qM1oNIR+coLOgsaq7ArRX4I2cbe1b3KDWo6JnaxYqHK62SoNh6oK6gzE8KZDEABHY0XIGejzHY+++o+5QtpmELKcaKRf4dt8aSCAAr/Caiz/NJZ2ysz16waCdRze5j7R1Q+ebo3NyhjmsHefP2to/ZA91POWnWSCbqXFq8I=
Received: from SJ0PR10MB4429.namprd10.prod.outlook.com (2603:10b6:a03:2d1::14)
by CO1PR10MB4403.namprd10.prod.outlook.com (2603:10b6:303:9a::17) with
Microsoft SMTP Server (version=TLS1_2,
cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.5723.34; Wed, 19 Oct
2022 19:42:13 +0000
Received: from SJ0PR10MB4429.namprd10.prod.outlook.com
([fe80::b281:7552:94f5:4606]) by SJ0PR10MB4429.namprd10.prod.outlook.com
([fe80::b281:7552:94f5:4606%7]) with mapi id 15.20.5723.033; Wed, 19 Oct 2022
19:42:13 +0000
From: Jane Chu <jane.chu@oracle.com>
To: pmladek@suse.com, rostedt@goodmis.org, senozhatsky@chromium.org,
andriy.shevchenko@linux.intel.com, linux@rasmusvillemoes.dk,
linux-mm@kvack.org, linux-kernel@vger.kernel.org
Cc: wangkefeng.wang@huawei.com, konrad.wilk@oracle.com,
haakon.bugge@oracle.com, john.haxby@oracle.com, jane.chu@oracle.com
Subject: [PATCH v3 1/1] vsprintf: protect kernel from panic due to
non-canonical pointer dereference
Date: Wed, 19 Oct 2022 13:41:59 -0600
Message-Id: <20221019194159.2923873-1-jane.chu@oracle.com>
X-Mailer: git-send-email 2.18.4
Content-Type: text/plain
X-ClientProxiedBy: SA0PR11CA0167.namprd11.prod.outlook.com
(2603:10b6:806:1bb::22) To SJ0PR10MB4429.namprd10.prod.outlook.com
(2603:10b6:a03:2d1::14)
MIME-Version: 1.0
X-MS-PublicTrafficType: Email
X-MS-TrafficTypeDiagnostic: SJ0PR10MB4429:EE_|CO1PR10MB4403:EE_
X-MS-Office365-Filtering-Correlation-Id: 2a19cf17-9d4a-47f0-970d-08dab20a0551
X-MS-Exchange-SenderADCheck: 1
X-MS-Exchange-AntiSpam-Relay: 0
X-Microsoft-Antispam: BCL:0;
X-Microsoft-Antispam-Message-Info:
QWb4RpmzWTS7giyf7ZC1MFyn6sYr9rJbBwHvgbQdfV8B2vezF2PXmj09l0h7Mygy1gFC1rsYT/GUvHZP1NFuObvUURgftt8FFpxkM9V6+TMWujj+CkUjXYzTdO2w4XXUxyBltBRVgsHKn7p6e+Wo16NFwDxh+BgtqG8DVJdDgT4qFQWoboqsGAubXFAHT0CDSOwSlshe+BL31IFp9A2y6M7awDho9QPiuVQkUhzEzxGxmVSkeWITnpKlsNkwlLlymBz0ePzWyWljoYrzHf6YsG51OOsKd+gzGZBi4N1H+MYKZLqqP2MNkmhc15yEjh4Av6GCsZr+J7c8/Hh3ogjEyjqIlTG2whf5QBSlGdE4IS9OTZh3Iqg9MRDf7nm0n53/uQse/zx/01eGOekCUlnkNFetIARinphTuhv/5rQYkPljTcp8VzJuWpdgwttptkWvT5UW9tDbHOYMD/kIOmjBZjk7RPRKW2gqvhfyDeAYeHL7W95P3cKe/4qbgxpE2s9FuMdXhMfCjJ07NuXXUShrEC+A8hR0kpzwM20wylQ795/Z1QWpLLzvz+IoYkOa3tAgWQOAbtTpd+qjK+NOcv5u4TxZsta/KdFJu8XtdrbDulySvldsEWrvkszu4DtKLjgSKnv5gbo1vbqGV3lbGgb4EvvtX0RQXPSWwGX9aNF/rsOvyqMCH1/vGZxrFJVHBHZ/iLcyjdGuwKPn+kzIBXHOIQ==
X-Forefront-Antispam-Report:
CIP:255.255.255.255;CTRY:;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:SJ0PR10MB4429.namprd10.prod.outlook.com;PTR:;CAT:NONE;SFS:(13230022)(136003)(376002)(396003)(39860400002)(346002)(366004)(451199015)(1076003)(186003)(38100700002)(2906002)(2616005)(6486002)(478600001)(66476007)(86362001)(66946007)(4326008)(8676002)(66556008)(44832011)(8936002)(6666004)(107886003)(36756003)(6512007)(52116002)(83380400001)(41300700001)(6506007)(316002)(5660300002);DIR:OUT;SFP:1101;
X-MS-Exchange-AntiSpam-MessageData-ChunkCount: 1
X-MS-Exchange-AntiSpam-MessageData-0:
cLT/ujUNidxBeuWSewIrTDAnDIEL7Cd7R6hs7kFchKamfwVPDuzQLN1mamTcfce0Ln346Ikr2v0+Jv5YdDFo5+rUuL9JRZe1lL1h8/GPtUcmyMgluLB2dBQYVqYBpdOujwh8geLytXZ1SvzjXLV34o/iUGhqC28YVqHNZmaxLnb21xoTsnvfHEVTLlqtp/xeI8P135kpsHDxfs4SKjVt9frNH9+8UiEDW6TeM8A3hTVqpa9Ks/nMb9tGUTDDgAGf3K3/HLH9L0uk7cfuHUdWuQ2vn3b7kWsbqkH9oppth79Jk2toKQvr64zOX+DK52Ke+59HJjF6sJ0AlP5fj458FzVE90iyPWuahiDDZcetdaOGqCVBFheNoLLDJ0gEIL+urp20jCXSdzxTC4Hun0Ti7yIe+xEWfw+pk4jWbhBlIGmxyejmUrnwEqrxz9roDP5cik8k8h4Cr1DC7uFiA/KOmx4Wahy/gZKCATHtpdx6eRqbKWxRDO9PPIVeECJ+ia5fXkQkpW9lQZygZ1c6NnAEhhux1BkA4RekZKKKR1RPPcfIGYs8EJx5IHcie+2n3LYxONHalmGOGTxHT6ERPNbLaL86ce2MsNvsXcBGuvFAAAEBno0EBXdRbEUbofquXGVwZHfaXbozKCRzIfQUjsRFdtAr70QWY8gwDAXR6m3YxZH512BQsSUDhnGvMm9exo8HmClD1x5vOYCJ/LMLw9DIdWlrnYwSnU4FmOnEa1+mJnyl50RAOrgwJiC21RBkJJUBd5TUeGFceAumQfQ6bsTH1yjKh99xSSCCdjnvcTUx+MiF1h12pNhvptiKkzQTPYRLzHCaGU8qaYzUmQ5+eSmZn4xdpSAsgu9rj4zWkEKO3NwhXhkPHE/l0GixpVuqTvHl9XziD4y1Lko/fFC050bFKrDYZFn2DN4bko1P0/UsLKKSbfQJCYuBjd4bqGXFAxN84FjNGRe5Hj1lRKIUfKmg0sBtcYX4JttuAsJjv5sdBBwZnV/qekU1lwMJ9/uMqee61NOuKRm9iP8lZ1o3tM9roS+b7ms+RAU75fJG9LQvlj9c6p2YpxIj/0+dOPay7yr4IeaXaLxDHQPU6wKSNOF8JbqYUr/9cO6MadwHLgS1kHijKhAG0XQOFfWQuNKIr+D78W4PXjAz+XFlgRSyOzfJRMaFU2zrlk6ZsVNiJZnmS1oED1unI5WRU80363mj7sMLGUJJtzjOVOIMrCpxtU+Jy28pA713d26tPq1INw0YlIXjdrfKF377cPG9pPQe7ebmkOsGpqEKkS5X11bG8WAX/ZruBR9Vm4lmGOubRfxr5hQIME8aTYpchAcbGwAxeBg8CqREepEGWZ4w1u2izDOoXtm8Zx5OEWZXjA69Py9raYNGZWlshO/59MHbUu4EAKgWhBrbddWJCrgEC8pO6SqahRpYZqAm5X8Zdbt8DDq+SeiHFQhBUxTlCrZWP/glPrN/qeZb8rW7umxpIaPHkzegr/6uAIrseM11ccWCqdM+lOcmw/rCzSslsXO3nMeizc/r3tB6hlz2561iBlQpYDSPxQuARy7J2Jrn92/lS+knSg1g85H6OOsBympUUyVV0YCaHkGjPkSpJm0K9n8iCYW4vg==
X-OriginatorOrg: oracle.com
X-MS-Exchange-CrossTenant-Network-Message-Id:
2a19cf17-9d4a-47f0-970d-08dab20a0551
X-MS-Exchange-CrossTenant-AuthSource: SJ0PR10MB4429.namprd10.prod.outlook.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 19 Oct 2022 19:42:13.6246
(UTC)
X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted
X-MS-Exchange-CrossTenant-Id: 4e2c6054-71cb-48f1-bd6c-3a9705aca71b
X-MS-Exchange-CrossTenant-MailboxType: HOSTED
X-MS-Exchange-CrossTenant-UserPrincipalName:
x9ZOzQ7AfrxTXddZEbcYzM7KR/hkI6CpUtXBBFsTaPShR1IoHm9W8ZNX/hajzm9Tz0sPayZhj/pBQdf42a5pag==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: CO1PR10MB4403
X-Proofpoint-Virus-Version: vendor=baseguard
engine=ICAP:2.0.205,Aquarius:18.0.895,Hydra:6.0.545,FMLib:17.11.122.1
definitions=2022-10-19_11,2022-10-19_04,2022-06-22_01
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 malwarescore=0
spamscore=0 bulkscore=0
mlxscore=0 phishscore=0 suspectscore=0 adultscore=0 mlxlogscore=999
classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2209130000
definitions=main-2210190110
X-Proofpoint-ORIG-GUID: if2cWKkDDXyUVOhr6OkWjVab0-zckgL6
X-Proofpoint-GUID: if2cWKkDDXyUVOhr6OkWjVab0-zckgL6
X-Spam-Status: No, score=-2.8 required=5.0 tests=BAYES_00,DKIM_SIGNED,
DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_LOW,
RCVD_IN_MSPIKE_H2,SPF_HELO_NONE,SPF_NONE autolearn=ham
autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
lindbergh.monkeyblade.net
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
X-getmail-retrieved-from-mailbox: =?utf-8?q?INBOX?=
X-GMAIL-THRID: =?utf-8?q?1747146003764828980?=
X-GMAIL-MSGID: =?utf-8?q?1747147042063396399?=
|
| Series |
[v3,1/1] vsprintf: protect kernel from panic due to non-canonical pointer dereference
|
|
Commit Message
Jane Chu
Oct. 19, 2022, 7:41 p.m. UTC
Having stepped on a local kernel bug where reading sysfs has led to
out-of-bound pointer dereference by vsprintf() which led to GPF panic.
And the reason for GPF is that the OOB pointer was turned to a
non-canonical address such as 0x7665645f63616465.
vsprintf() already has this line of defense
if ((unsigned long)ptr < PAGE_SIZE || IS_ERR_VALUE(ptr))
return "(efault)";
Since a non-canonical pointer can be detected by kern_addr_valid()
on architectures that present VM holes as well as meaningful
implementation of kern_addr_valid() that detects the non-canonical
addresses, this patch adds a check on non-canonical string pointer by
kern_addr_valid() and "(efault)" to alert user that something
is wrong instead of unecessarily panic the server.
On the other hand, if the non-canonical string pointer is dereferenced
else where in the kernel, by virtue of being non-canonical, a crash
is expected to be immediate.
Signed-off-by: Jane Chu <jane.chu@oracle.com>
---
lib/vsprintf.c | 3 +++
1 file changed, 3 insertions(+)
Comments
On Wed, Oct 19, 2022 at 01:41:59PM -0600, Jane Chu wrote: > Having stepped on a local kernel bug where reading sysfs has led to > out-of-bound pointer dereference by vsprintf() which led to GPF panic. > And the reason for GPF is that the OOB pointer was turned to a > non-canonical address such as 0x7665645f63616465. > > vsprintf() already has this line of defense > if ((unsigned long)ptr < PAGE_SIZE || IS_ERR_VALUE(ptr)) > return "(efault)"; > Since a non-canonical pointer can be detected by kern_addr_valid() > on architectures that present VM holes as well as meaningful > implementation of kern_addr_valid() that detects the non-canonical > addresses, this patch adds a check on non-canonical string pointer by > kern_addr_valid() and "(efault)" to alert user that something > is wrong instead of unecessarily panic the server. > > On the other hand, if the non-canonical string pointer is dereferenced > else where in the kernel, by virtue of being non-canonical, a crash > is expected to be immediate. What if there is no other dereference except the one happened in printf()? Just to point out here, that I formally NAKed this on the basis that NULL and error pointers are special, for the bogus pointers we need crash ASAP, no matter what the code issues it. I.o.w. printf() is not special for that kind of pointers (i.e. bogus pointers, but not special).
On 19/10/2022 21.41, Jane Chu wrote: > Having stepped on a local kernel bug where reading sysfs has led to > out-of-bound pointer dereference by vsprintf() which led to GPF panic. Just to be completely clear, the out-of-bounds dereference did not happen in vsprintf if I understand your description right. Essentially you have an array of char* pointers, and you accessed beyond that array, where of course some random memory contents then turned out not to be a real pointer, and that bogus pointer value was passed into vsprintf() as a %s argument. > And the reason for GPF is that the OOB pointer was turned to a > non-canonical address such as 0x7665645f63616465. That's ved_cade , or more properly edac_dev ... > > vsprintf() already has this line of defense > if ((unsigned long)ptr < PAGE_SIZE || IS_ERR_VALUE(ptr)) > return "(efault)"; > Since a non-canonical pointer can be detected by kern_addr_valid() > on architectures that present VM holes as well as meaningful > implementation of kern_addr_valid() that detects the non-canonical > addresses, this patch adds a check on non-canonical string pointer by > kern_addr_valid() and "(efault)" to alert user that something > is wrong instead of unecessarily panic the server. > > On the other hand, if the non-canonical string pointer is dereferenced > else where in the kernel, by virtue of being non-canonical, a crash > is expected to be immediate. I'm with Andy on this one, we don't add random checks like this in the kernel, not in vsprintf or elsewhere. check_pointer_msg is/was actually more about checking the various %p<foo> extensions, where it is (more) expected that somebody does struct foo *f = get_a_foo(); pr_debug("got %pfoo\n", f); if (IS_ERR(f)) { ... } [possibly in a not so obvious path], and the PAGE_SIZE check is similarly for cases where the "base" pointer is actually NULL but what is passed is &f->member. Rasmus
On Wed 2022-10-19 13:41:59, Jane Chu wrote: > Having stepped on a local kernel bug where reading sysfs has led to > out-of-bound pointer dereference by vsprintf() which led to GPF panic. > And the reason for GPF is that the OOB pointer was turned to a > non-canonical address such as 0x7665645f63616465. > > vsprintf() already has this line of defense > if ((unsigned long)ptr < PAGE_SIZE || IS_ERR_VALUE(ptr)) > return "(efault)"; > Since a non-canonical pointer can be detected by kern_addr_valid() > on architectures that present VM holes as well as meaningful > implementation of kern_addr_valid() that detects the non-canonical > addresses, this patch adds a check on non-canonical string pointer by > kern_addr_valid() and "(efault)" to alert user that something > is wrong instead of unecessarily panic the server. > > On the other hand, if the non-canonical string pointer is dereferenced > else where in the kernel, by virtue of being non-canonical, a crash > is expected to be immediate. Just for record, this patch is going to be abandoned. Some reasons are mentioned in this thread. Others are in the threads for previous versions, see https://lore.kernel.org/r/20221017194447.2579441-1-jane.chu@oracle.com https://lore.kernel.org/r/20221017191611.2577466-1-jane.chu@oracle.com Best Regards, Petr
On Wed, Oct 19, 2022 at 11:33:47PM +0300, Andy Shevchenko wrote: > On Wed, Oct 19, 2022 at 01:41:59PM -0600, Jane Chu wrote: > > Having stepped on a local kernel bug where reading sysfs has led to > > out-of-bound pointer dereference by vsprintf() which led to GPF panic. > > And the reason for GPF is that the OOB pointer was turned to a > > non-canonical address such as 0x7665645f63616465. > > > > vsprintf() already has this line of defense > > if ((unsigned long)ptr < PAGE_SIZE || IS_ERR_VALUE(ptr)) > > return "(efault)"; > > Since a non-canonical pointer can be detected by kern_addr_valid() > > on architectures that present VM holes as well as meaningful > > implementation of kern_addr_valid() that detects the non-canonical > > addresses, this patch adds a check on non-canonical string pointer by > > kern_addr_valid() and "(efault)" to alert user that something > > is wrong instead of unecessarily panic the server. > > > > On the other hand, if the non-canonical string pointer is dereferenced > > else where in the kernel, by virtue of being non-canonical, a crash > > is expected to be immediate. > > What if there is no other dereference except the one happened in printf()? > > Just to point out here, that I formally NAKed this on the basis that NULL > and error pointers are special, for the bogus pointers we need crash ASAP, > no matter what the code issues it. I.o.w. printf() is not special for that > kind of pointers (i.e. bogus pointers, but not special). Hey Andy, Do we want to have user space programs crash the kernel? This patch leads to making the kernel more harden so that we do not crash when there are bugs but continue on. Would we not want that experience for users ? > > -- > With Best Regards, > Andy Shevchenko > >
On Thu, Oct 20, 2022 at 10:52:03AM -0400, Konrad Rzeszutek Wilk wrote: > On Wed, Oct 19, 2022 at 11:33:47PM +0300, Andy Shevchenko wrote: > > On Wed, Oct 19, 2022 at 01:41:59PM -0600, Jane Chu wrote: > > > Having stepped on a local kernel bug where reading sysfs has led to > > > out-of-bound pointer dereference by vsprintf() which led to GPF panic. > > > And the reason for GPF is that the OOB pointer was turned to a > > > non-canonical address such as 0x7665645f63616465. > > > > > > vsprintf() already has this line of defense > > > if ((unsigned long)ptr < PAGE_SIZE || IS_ERR_VALUE(ptr)) > > > return "(efault)"; > > > Since a non-canonical pointer can be detected by kern_addr_valid() > > > on architectures that present VM holes as well as meaningful > > > implementation of kern_addr_valid() that detects the non-canonical > > > addresses, this patch adds a check on non-canonical string pointer by > > > kern_addr_valid() and "(efault)" to alert user that something > > > is wrong instead of unecessarily panic the server. > > > > > > On the other hand, if the non-canonical string pointer is dereferenced > > > else where in the kernel, by virtue of being non-canonical, a crash > > > is expected to be immediate. > > > > What if there is no other dereference except the one happened in printf()? > > > > Just to point out here, that I formally NAKed this on the basis that NULL > > and error pointers are special, for the bogus pointers we need crash ASAP, > > no matter what the code issues it. I.o.w. printf() is not special for that > > kind of pointers (i.e. bogus pointers, but not special). > > Hey Andy, > > Do we want to have user space programs crash the kernel? > > This patch leads to making the kernel more harden so that we do > not crash when there are bugs but continue on. Fine, how to push a user to report a bug in the kernel if for them there is no bug? OK, let's assume user recognizes this as a bug, what should they do in order to provide a better description of the bug, so developer can easily debug and fix it? > Would we not want that experience for users ? Yes, if it is a bug in the kernel we want to know it with all possible details. Hiding bugs is a way to nowhere.
On Thu 2022-10-20 19:03:23, Andy Shevchenko wrote: > On Thu, Oct 20, 2022 at 10:52:03AM -0400, Konrad Rzeszutek Wilk wrote: > > On Wed, Oct 19, 2022 at 11:33:47PM +0300, Andy Shevchenko wrote: > > > On Wed, Oct 19, 2022 at 01:41:59PM -0600, Jane Chu wrote: > > > > Having stepped on a local kernel bug where reading sysfs has led to > > > > out-of-bound pointer dereference by vsprintf() which led to GPF panic. > > > > And the reason for GPF is that the OOB pointer was turned to a > > > > non-canonical address such as 0x7665645f63616465. > > > > > > > > vsprintf() already has this line of defense > > > > if ((unsigned long)ptr < PAGE_SIZE || IS_ERR_VALUE(ptr)) > > > > return "(efault)"; > > > > Since a non-canonical pointer can be detected by kern_addr_valid() > > > > on architectures that present VM holes as well as meaningful > > > > implementation of kern_addr_valid() that detects the non-canonical > > > > addresses, this patch adds a check on non-canonical string pointer by > > > > kern_addr_valid() and "(efault)" to alert user that something > > > > is wrong instead of unecessarily panic the server. > > > > > > > > On the other hand, if the non-canonical string pointer is dereferenced > > > > else where in the kernel, by virtue of being non-canonical, a crash > > > > is expected to be immediate. > > > > > > What if there is no other dereference except the one happened in printf()? > > > > > > Just to point out here, that I formally NAKed this on the basis that NULL > > > and error pointers are special, for the bogus pointers we need crash ASAP, > > > no matter what the code issues it. I.o.w. printf() is not special for that > > > kind of pointers (i.e. bogus pointers, but not special). > > > > Hey Andy, > > > > Do we want to have user space programs crash the kernel? > > > > This patch leads to making the kernel more harden so that we do > > not crash when there are bugs but continue on. > > Fine, how to push a user to report a bug in the kernel if for them > there is no bug? > > OK, let's assume user recognizes this as a bug, what should they do in order > to provide a better description of the bug, so developer can easily debug > and fix it? WARN() would provide similar information as panic() without actually crashing the kernel. > > Would we not want that experience for users ? > > Yes, if it is a bug in the kernel we want to know it with all possible details. > Hiding bugs is a way to nowhere. I agree but we should always distinguish between fatal problems where the system could hardly continue working and unexpected behavior that is not critical. Many error code paths handle unexpected situations. Some problems are caused by users and some by bugs in the code. The kernel could always refuse doing some operation rather than crash. People will report it because it does not work. And there are non-destructive ways how to show useful debugging information. Best Regards, Petr
On Tue, Oct 25, 2022 at 10:40:37AM +0200, Petr Mladek wrote: > On Thu 2022-10-20 19:03:23, Andy Shevchenko wrote: > > On Thu, Oct 20, 2022 at 10:52:03AM -0400, Konrad Rzeszutek Wilk wrote: ... > > OK, let's assume user recognizes this as a bug, what should they do in order > > to provide a better description of the bug, so developer can easily debug > > and fix it? > > WARN() would provide similar information as panic() without actually > crashing the kernel. Unless one provides panic_on_warn (or how is it called?). > > > Would we not want that experience for users ? > > > > Yes, if it is a bug in the kernel we want to know it with all possible details. > > Hiding bugs is a way to nowhere. > > I agree but we should always distinguish between fatal problems where > the system could hardly continue working and unexpected behavior that > is not critical. > > Many error code paths handle unexpected situations. Some problems are > caused by users and some by bugs in the code. The kernel could always > refuse doing some operation rather than crash. People will report > it because it does not work. And there are non-destructive ways how > to show useful debugging information. Initially, if I understand correctly, the idea of that check was exactly to guard against special pointers (NULL and error). Now this is getting wider and I'm not sure hiding a crash is good thing to go. Hypothetical situation: the "invalid" pointer is just one that gets LSB shuffled a bit (some of the frameworks use lower bits to keep some information there). That said, kernel is not going to crash elsewhere. How user will know that unmasked pointer went to the printf()? I honestly think that this or similar change will bring more harm than help.
diff --git a/lib/vsprintf.c b/lib/vsprintf.c index c414a8d9f1ea..b38c12ef1e45 100644 --- a/lib/vsprintf.c +++ b/lib/vsprintf.c @@ -698,6 +698,9 @@ static const char *check_pointer_msg(const void *ptr) if ((unsigned long)ptr < PAGE_SIZE || IS_ERR_VALUE(ptr)) return "(efault)"; + if (!kern_addr_valid((unsigned long)ptr)) + return "(efault)"; + return NULL; }