Subject: Re: [PATCH v3 1/1] vsprintf: protect kernel from panic due to non-canonical pointer dereference
From: Rasmus Villemoes
Date: Wed, 19 Oct 2022 23:00:09 +0200
To: Jane Chu, pmladek@suse.com, rostedt@goodmis.org, senozhatsky@chromium.org, andriy.shevchenko@linux.intel.com, linux-mm@kvack.org, linux-kernel@vger.kernel.org
Cc: wangkefeng.wang@huawei.com, konrad.wilk@oracle.com, haakon.bugge@oracle.com, john.haxby@oracle.com
In-Reply-To: <20221019194159.2923873-1-jane.chu@oracle.com>

On 19/10/2022 21.41, Jane Chu wrote:
> Having stepped on a local kernel bug where reading sysfs has led to
> out-of-bound pointer dereference by vsprintf() which led to GPF panic.

Just to be completely clear, the out-of-bounds dereference did not happen in vsprintf if I understand your description right. Essentially you have an array of char* pointers, and you accessed beyond that array, where of course some random memory contents then turned out not to be a real pointer, and that bogus pointer value was passed into vsprintf() as a %s argument.

> And the reason for GPF is that the OOB pointer was turned to a
> non-canonical address such as 0x7665645f63616465.

That's ved_cade, or more properly edac_dev...

>
> vsprintf() already has this line of defense
> 	if ((unsigned long)ptr < PAGE_SIZE || IS_ERR_VALUE(ptr))
> 		return "(efault)";
> Since a non-canonical pointer can be detected by kern_addr_valid()
> on architectures that present VM holes as well as meaningful
> implementation of kern_addr_valid() that detects the non-canonical
> addresses, this patch adds a check on non-canonical string pointer by
> kern_addr_valid() and "(efault)" to alert user that something
> is wrong instead of unnecessarily panicking the server.
>
> On the other hand, if the non-canonical string pointer is dereferenced
> elsewhere in the kernel, by virtue of being non-canonical, a crash
> is expected to be immediate.

I'm with Andy on this one, we don't add random checks like this in the kernel, not in vsprintf or elsewhere.

check_pointer_msg is/was actually more about checking the various %p extensions, where it is (more) expected that somebody does

	struct foo *f = get_a_foo();
	pr_debug("got %pfoo\n", f);
	if (IS_ERR(f)) { ... }

[possibly in a not so obvious path], and the PAGE_SIZE check is similarly for cases where the "base" pointer is actually NULL but what is passed is &f->member.

Rasmus
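As an added example that is not part of this thread or of the kernel's vsprintf.c: a user-space C model of the check Rasmus describes, showing which pointer classes it catches (NULL, &f->member with a NULL base, ERR_PTR values) and that the quoted non-canonical value sails through, plus an x86-64 canonical-address test and a decoder that reads the fault address as little-endian bytes. PAGE_SIZE, MAX_ERRNO, struct foo and the decoder are assumptions for illustration.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define PAGE_SIZE 4096UL	/* assumed: the kernel's usual PAGE_SIZE and MAX_ERRNO */
#define IS_ERR_VALUE(x) ((unsigned long)(x) >= (unsigned long)-4095UL)
/* User-space model of vsprintf's check: NULL, a small offset from NULL
 * (&f->member with f == NULL) and ERR_PTR() values are caught; anything
 * else, canonical or not, reaches the %s handler and gets dereferenced. */
static const char *check_pointer_msg(const void *ptr)
{
	if (!ptr)
		return "(null)";
	if ((unsigned long)ptr < PAGE_SIZE || IS_ERR_VALUE(ptr))
		return "(efault)";
	return NULL;
}

/* x86-64 48-bit VA canonical test: bits 63..47 must all equal bit 47. */
static int is_canonical_x86_64(uint64_t addr)
{
	uint64_t top = addr >> 47;
	return top == 0 || top == 0x1ffff;
}

/* Decode a fault address as little-endian bytes; returns 1 if all eight are
 * printable ASCII, the triage clue that string data was read as a pointer. */
static int fault_addr_as_ascii(uint64_t addr, char out[9])
{
	int printable = 1;
	for (int i = 0; i < 8; i++, addr >>= 8) {
		out[i] = (char)(addr & 0xff);
		printable &= isprint(out[i] & 0xff) != 0;
	}
	out[8] = '\0';
	return printable;
}

struct foo { long pad; char *name; };	/* hypothetical struct from the reply */
int main(void)
{
	char buf[9];
	uint64_t bogus = 0x7665645f63616465ULL;	/* the value quoted in the thread */
	printf("NULL f, &f->name: %s\n", check_pointer_msg((void *)offsetof(struct foo, name)));
	printf("ERR_PTR(-2): %s\n", check_pointer_msg((void *)-2L));
	printf("bogus: %s, canonical=%d, bytes=\"%s\"\n", check_pointer_msg((void *)bogus) ? "caught" : "passes",
	       is_canonical_x86_64(bogus), fault_addr_as_ascii(bogus, buf) ? buf : "?");
	return 0;
}
```

Running it prints "passes" for the bogus value together with bytes="edac_dev", which is the quickest way to recognise an overrun into string data when a GPF reports an address like this.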