From: Rasmus Villemoes <linux@rasmusvillemoes.dk>
To: Justin He <Justin.He@arm.com>,
Rasmus Villemoes <linux@rasmusvillemoes.dk>,
Petr Mladek <pmladek@suse.com>,
Steven Rostedt <rostedt@goodmis.org>,
Sergey Senozhatsky <senozhatsky@chromium.org>,
Andy Shevchenko <andriy.shevchenko@linux.intel.com>,
Jonathan Corbet <corbet@lwn.net>,
Alexander Viro <viro@zeniv.linux.org.uk>,
Linus Torvalds <torvalds@linux-foundation.org>
Cc: "Peter Zijlstra (Intel)" <peterz@infradead.org>,
Eric Biggers <ebiggers@google.com>,
"Ahmed S. Darwish" <a.darwish@linutronix.de>,
"linux-doc@vger.kernel.org" <linux-doc@vger.kernel.org>,
"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
"linux-fsdevel@vger.kernel.org" <linux-fsdevel@vger.kernel.org>
Subject: Re: [PATCH RFCv3 2/3] lib/vsprintf.c: make %pD print full path for file
Date: Tue, 15 Jun 2021 09:04:13 +0200 [thread overview]
Message-ID: <9c18bf38-b04b-b4b6-d5f4-ae95cd3c33ce@rasmusvillemoes.dk> (raw)
In-Reply-To: <AM6PR08MB4376F90B594C5134302A830AF7309@AM6PR08MB4376.eurprd08.prod.outlook.com>
On 15/06/2021 08.43, Justin He wrote:
> Hi Rasmus
>
>> -----Original Message-----
>> From: Rasmus Villemoes <linux@rasmusvillemoes.dk>
>> Why the !buf check? The only way we can have that is the snprintf(NULL,
>> 0, ...) case of asking how much space we'd need to malloc, right? In
>> which case end would be NULL+0 == NULL, so buf >= end automatically,
>> regardless of how much have been "printed" before %pD.
>
> My original purpose is to avoid any memory copy/move for kvasprintf->
> vsnprintf(NULL, 0,...). But as you said, this can be folded into the case
> buf >= end.
> Do you think whether following case should be forbidden?:
> vsnprintf(NULL, 8,...).
That is an obvious caller bug. The caller tells vsnprintf "here's a
buffer of size 8 at address 0x0". And checking buf for NULL in the guts
of %pD would anyway be completely pointless as it would crash for a fmt of
"x%pD"
or basically anything at all before %pD because those specifiers (or
literal parts) would cause a write to buf - and if that somehow
survived, the buf %pD would be given would now be (void*)1L.
>> Now you're passing p to string_truncate or string_nocheck, while p
>> points somewhere into buf itself. I can't convince myself that would be
>> safe. At the very least, it deserves a couple of comments.
>
> When code goes here, the buffer space must be as follows:
> |.........|.........|
> buf p end
>
> So string_nocheck is safe because essential it would byte-to-byte copy p to buf.
>
> But I agree comments are needed here.
Yes, because no matter how string_nocheck happens to be implemented
today, some day somebody might throw in a memcpy() or do something else
that means overlapping "buf" and "s" arguments are suddenly broken in
some configurations or arches.
Rasmus
next prev parent reply other threads:[~2021-06-15 7:04 UTC|newest]
Thread overview: 22+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-06-11 15:59 [PATCH RFCv3 0/3] make '%pD' print full path for file Jia He
2021-06-11 15:59 ` [PATCH RFCv3 1/3] fs: introduce helper d_path_unsafe() Jia He
2021-06-11 15:59 ` [PATCH RFCv3 2/3] lib/vsprintf.c: make %pD print full path for file Jia He
2021-06-11 21:28 ` Rasmus Villemoes
2021-06-15 6:43 ` Justin He
2021-06-15 7:04 ` Rasmus Villemoes [this message]
2021-06-15 8:32 ` Justin He
2021-06-14 15:40 ` Petr Mladek
2021-06-15 6:48 ` Justin He
2021-06-15 7:14 ` Rasmus Villemoes
2021-06-15 7:18 ` Justin He
2021-06-15 14:48 ` Justin He
2021-06-11 15:59 ` [PATCH RFCv3 3/3] lib/test_printf: add test cases for '%pD' Jia He
2021-06-11 21:40 ` Rasmus Villemoes
2021-06-15 7:06 ` Justin He
2021-06-15 7:15 ` Justin He
2021-06-15 7:40 ` Rasmus Villemoes
2021-06-14 15:44 ` Petr Mladek
2021-06-15 7:07 ` Justin He
2021-06-15 7:47 ` Rasmus Villemoes
2021-06-15 7:56 ` Justin He
2021-06-15 8:19 ` Andy Shevchenko
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=9c18bf38-b04b-b4b6-d5f4-ae95cd3c33ce@rasmusvillemoes.dk \
--to=linux@rasmusvillemoes.dk \
--cc=Justin.He@arm.com \
--cc=a.darwish@linutronix.de \
--cc=andriy.shevchenko@linux.intel.com \
--cc=corbet@lwn.net \
--cc=ebiggers@google.com \
--cc=linux-doc@vger.kernel.org \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=peterz@infradead.org \
--cc=pmladek@suse.com \
--cc=rostedt@goodmis.org \
--cc=senozhatsky@chromium.org \
--cc=torvalds@linux-foundation.org \
--cc=viro@zeniv.linux.org.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).