linux-kernel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: Rasmus Villemoes <linux@rasmusvillemoes.dk>
To: Petr Mladek <pmladek@suse.com>,
	Miguel Ojeda <miguel.ojeda.sandonis@gmail.com>
Cc: Andy Shevchenko <andriy.shevchenko@linux.intel.com>,
	Miguel Ojeda <ojeda@kernel.org>,
	Linus Torvalds <torvalds@linux-foundation.org>,
	Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	rust-for-linux <rust-for-linux@vger.kernel.org>,
	linux-kernel <linux-kernel@vger.kernel.org>,
	Gary Guo <gary@garyguo.net>, Alex Gaynor <alex.gaynor@gmail.com>,
	Wedson Almeida Filho <wedsonaf@google.com>,
	Steven Rostedt <rostedt@goodmis.org>,
	Sergey Senozhatsky <senozhatsky@chromium.org>
Subject: Re: [PATCH v4 12/20] vsprintf: add new `%pA` format specifier
Date: Tue, 22 Feb 2022 11:35:39 +0100	[thread overview]
Message-ID: <10bbffc2-f144-8555-d41b-fede69a13c16@rasmusvillemoes.dk> (raw)
In-Reply-To: <YhSs5ZTL9ixdCCU9@alley>

On 22/02/2022 10.29, Petr Mladek wrote:
> On Mon 2022-02-14 13:12:24, Miguel Ojeda wrote:
>> On Mon, Feb 14, 2022 at 11:52 AM Rasmus Villemoes
>> <linux@rasmusvillemoes.dk> wrote:
>>>
>>> I think the point is for vsnprintf() to call (back) into Rust code.
>>
>> Indeed, this is the case.
>>
>>> That said, I don't like the !CONFIG_RUST version to return NULL, that
>>> will surely crash moments later.
>>>
>>> So I prefer something like
>>>
>>> [rust.h]
>>> // no CONFIG_RUST conditional
>>> +char *rust_fmt_argument(char* buf, char* end, void *ptr);
>>>
>>> [vsprintf.c]
>>> +       case 'A':
>>> +               if (IS_ENABLED(CONFIG_RUST))
>>> +                   return rust_fmt_argument(buf, end, ptr);
>>> +               else
>>> +                   return string_nocheck(buf, end, "[%pA in non-Rust
>>> code?!]", default_str_spec);
> 
> Any long message might cause buffer overflow when the caller expects
> fixed short string.

If the caller (1) uses a %p extension from C code which should only be
used from Rust and (2) uses sprintf() or another variant where he
doesn't provide the real buffer bounds, well, then he certainly gets to
keep the pieces.

It is a much worse problem that if CONFIG_RUST is enabled, we can't know
that we were actually called from Rust (but when !CONFIG_RUST, we
certainly know that we weren't), so we could call into rust_fmt_argument
with a pointer which certainly doesn't point to the/a data structure
which that Rust code expects. But we can't do anything about it, we will
just have to rely on static analysis to flag any use of %pA in C code.

> The most safe solution would be to use WARN_ONCE(). 

Preferably no, we shouldn't call into the printk machinery from within
vsnprintf(). I know I've added a few myself (AFAIR for use of %n or
other unsupported specifiers, and for overflow of precision/field
width), and I've often thought about a way to get rid of them while
still making sure some message eventually gets logged (once).


Rasmus

  reply	other threads:[~2022-02-22 10:35 UTC|newest]

Thread overview: 52+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2022-02-12 13:03 [PATCH v4 00/20] Rust support Miguel Ojeda
2022-02-12 13:03 ` [PATCH v4 01/20] kallsyms: support "big" kernel symbols Miguel Ojeda
2022-02-12 13:03 ` [PATCH v4 02/20] kallsyms: increase maximum kernel symbol length to 512 Miguel Ojeda
2022-02-22  8:19   ` Petr Mladek
2022-02-22 12:45     ` Miguel Ojeda
2022-02-12 13:03 ` [PATCH v4 03/20] kallsyms: use the correct buffer size for symbols Miguel Ojeda
2022-02-12 13:03 ` [PATCH v4 04/20] rust: add C helpers Miguel Ojeda
2022-02-12 13:03 ` [PATCH v4 05/20] rust: add `compiler_builtins` crate Miguel Ojeda
2022-02-12 13:03 ` [PATCH v4 06/20] rust: add `alloc` crate Miguel Ojeda
2022-02-12 13:03 ` [PATCH v4 07/20] rust: add `build_error` crate Miguel Ojeda
2022-02-12 13:03 ` [PATCH v4 08/20] rust: add `macros` crate Miguel Ojeda
2022-02-12 13:03 ` [PATCH v4 09/20] rust: add `kernel` crate's `sync` module Miguel Ojeda
2022-02-12 13:03 ` [PATCH v4 10/20] rust: add `kernel` crate Miguel Ojeda
2022-02-14  5:27   ` Sergey Senozhatsky
2022-02-14 13:36     ` Miguel Ojeda
2022-02-22  9:06   ` Petr Mladek
2022-02-22 12:48     ` Miguel Ojeda
2022-02-24 12:39       ` Petr Mladek
2022-02-12 13:03 ` [PATCH v4 11/20] rust: export generated symbols Miguel Ojeda
2022-02-12 13:03 ` [PATCH v4 12/20] vsprintf: add new `%pA` format specifier Miguel Ojeda
2022-02-14 10:18   ` Andy Shevchenko
2022-02-14 10:52     ` Rasmus Villemoes
2022-02-14 11:36       ` David Laight
2022-02-14 14:04         ` Miguel Ojeda
2022-02-14 12:12       ` Miguel Ojeda
2022-02-22  9:29         ` Petr Mladek
2022-02-22 10:35           ` Rasmus Villemoes [this message]
2022-02-24  9:55             ` Petr Mladek
2022-02-14 12:27     ` Miguel Ojeda
2022-02-14 13:54       ` Andy Shevchenko
2022-02-14 14:56         ` Miguel Ojeda
2022-02-12 13:03 ` [PATCH v4 13/20] scripts: add `generate_rust_analyzer.py` Miguel Ojeda
2022-02-12 13:03 ` [PATCH v4 14/20] scripts: decode_stacktrace: demangle Rust symbols Miguel Ojeda
2022-02-12 13:03 ` [PATCH v4 15/20] docs: add Rust documentation Miguel Ojeda
2022-02-14 10:47   ` Akira Yokosawa
2022-02-14 12:44     ` Miguel Ojeda
2022-02-16 13:37     ` Akira Yokosawa
2022-02-16 14:02       ` Miguel Ojeda
2022-03-17  8:19     ` Miguel Ojeda
2022-03-17 14:50       ` Akira Yokosawa
2022-03-18 13:12         ` Miguel Ojeda
2022-02-12 13:03 ` [PATCH v4 16/20] Kbuild: add Rust support Miguel Ojeda
2022-02-12 14:16   ` Russell King (Oracle)
2022-02-12 15:47     ` Miguel Ojeda
2022-02-12 16:18       ` Russell King (Oracle)
2022-02-12 18:32         ` Miguel Ojeda
2022-02-12 18:27   ` John Paul Adrian Glaubitz
2022-02-12 18:57     ` Miguel Ojeda
2022-02-12 13:03 ` [PATCH v4 17/20] samples: add Rust examples Miguel Ojeda
2022-02-12 13:03 ` [PATCH v4 18/20] MAINTAINERS: Rust Miguel Ojeda
2022-02-12 13:03 ` [PATCH v4 19/20] [RFC] drivers: gpio: PrimeCell PL061 in Rust Miguel Ojeda
2022-02-12 13:03 ` [PATCH v4 20/20] [RFC] drivers: android: Binder IPC " Miguel Ojeda

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=10bbffc2-f144-8555-d41b-fede69a13c16@rasmusvillemoes.dk \
    --to=linux@rasmusvillemoes.dk \
    --cc=alex.gaynor@gmail.com \
    --cc=andriy.shevchenko@linux.intel.com \
    --cc=gary@garyguo.net \
    --cc=gregkh@linuxfoundation.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=miguel.ojeda.sandonis@gmail.com \
    --cc=ojeda@kernel.org \
    --cc=pmladek@suse.com \
    --cc=rostedt@goodmis.org \
    --cc=rust-for-linux@vger.kernel.org \
    --cc=senozhatsky@chromium.org \
    --cc=torvalds@linux-foundation.org \
    --cc=wedsonaf@google.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).