From: Jia He <justin.he@arm.com>
To: Petr Mladek <pmladek@suse.com>,
Steven Rostedt <rostedt@goodmis.org>,
Sergey Senozhatsky <senozhatsky@chromium.org>,
Andy Shevchenko <andriy.shevchenko@linux.intel.com>,
Rasmus Villemoes <linux@rasmusvillemoes.dk>,
Jonathan Corbet <corbet@lwn.net>,
Alexander Viro <viro@zeniv.linux.org.uk>,
Linus Torvalds <torvalds@linux-foundation.org>
Cc: "Peter Zijlstra (Intel)" <peterz@infradead.org>,
Eric Biggers <ebiggers@google.com>,
"Ahmed S. Darwish" <a.darwish@linutronix.de>,
linux-doc@vger.kernel.org, linux-kernel@vger.kernel.org,
linux-fsdevel@vger.kernel.org,
Matthew Wilcox <willy@infradead.org>, Jia He <justin.he@arm.com>
Subject: [PATCH RFCv4 3/4] lib/test_printf.c: split write-beyond-buffer check in two
Date: Tue, 15 Jun 2021 23:49:51 +0800 [thread overview]
Message-ID: <20210615154952.2744-4-justin.he@arm.com> (raw)
In-Reply-To: <20210615154952.2744-1-justin.he@arm.com>
From: Rasmus Villemoes <linux@rasmusvillemoes.dk>
Before each invocation of vsnprintf(), do_test() memsets the entire
allocated buffer to a sentinel value. That buffer includes leading and
trailing padding which is never included in the buffer area handed to
vsnprintf (spaces merely for clarity):
pad test_buffer pad
**** **************** ****
Then vsnprintf() is invoked with a bufsize argument <=
BUF_SIZE. Suppose bufsize=10, then we'd have e.g.
|pad | test_buffer |pad |
**** pizza0 **** ****** ****
A B C D E
where vsnprintf() was given the area from B to D.
It is obviously a bug for vsnprintf to touch anything between A and B
or between D and E. The former is checked for as one would expect. But
for the latter, we are actually a little stricter in that we check the
area between C and E.
Split that check in two, providing a clearer error message in case it
was a genuine buffer overrun and not merely a write within the
provided buffer, but after the end of the generated string.
So far, no part of the vsnprintf() implementation has had any use for
using the whole buffer as scratch space, but it's not unreasonable to
allow that, as long as the result is properly nul-terminated and the
return value is the right one. However, it is somewhat unusual, and
most %<something> won't need this, so keep the [C,D] check, but make
it easy for a later patch to make that part opt-out for certain tests.
Signed-off-by: Rasmus Villemoes <linux@rasmusvillemoes.dk>
Tested-by: Jia He <justin.he@arm.com>
Signed-off-by: Jia He <justin.he@arm.com>
---
lib/test_printf.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/lib/test_printf.c b/lib/test_printf.c
index ec0d5976bb69..d1d2f898ebae 100644
--- a/lib/test_printf.c
+++ b/lib/test_printf.c
@@ -78,12 +78,17 @@ do_test(int bufsize, const char *expect, int elen,
return 1;
}
- if (memchr_inv(test_buffer + written + 1, FILL_CHAR, BUF_SIZE + PAD_SIZE - (written + 1))) {
+ if (memchr_inv(test_buffer + written + 1, FILL_CHAR, bufsize - (written + 1))) {
pr_warn("vsnprintf(buf, %d, \"%s\", ...) wrote beyond the nul-terminator\n",
bufsize, fmt);
return 1;
}
+ if (memchr_inv(test_buffer + bufsize, FILL_CHAR, BUF_SIZE + PAD_SIZE - bufsize)) {
+ pr_warn("vsnprintf(buf, %d, \"%s\", ...) wrote beyond buffer\n", bufsize, fmt);
+ return 1;
+ }
+
if (memcmp(test_buffer, expect, written)) {
pr_warn("vsnprintf(buf, %d, \"%s\", ...) wrote '%s', expected '%.*s'\n",
bufsize, fmt, test_buffer, written, expect);
--
2.17.1
next prev parent reply other threads:[~2021-06-15 15:53 UTC|newest]
Thread overview: 20+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-06-15 15:49 [PATCH RFCv4 0/4] make '%pD' print full path for file Jia He
2021-06-15 15:49 ` [PATCH RFCv4 1/4] fs: introduce helper d_path_unsafe() Jia He
2021-06-15 20:40 ` Andy Shevchenko
2021-06-16 0:54 ` Justin He
2021-06-15 15:49 ` [PATCH RFCv4 2/4] lib/vsprintf.c: make '%pD' print full path for file Jia He
2021-06-15 20:44 ` Andy Shevchenko
2021-06-17 14:09 ` Petr Mladek
2021-06-22 2:20 ` Justin He
2021-06-15 15:49 ` Jia He [this message]
2021-06-17 14:17 ` [PATCH RFCv4 3/4] lib/test_printf.c: split write-beyond-buffer check in two Petr Mladek
2022-06-17 7:15 ` Rasmus Villemoes
2022-06-17 16:41 ` Kent Overstreet
2022-07-11 13:08 ` Petr Mladek
2021-06-15 15:49 ` [PATCH RFCv4 4/4] lib/test_printf.c: add test cases for '%pD' Jia He
2021-06-15 20:47 ` Andy Shevchenko
2021-06-17 14:52 ` Petr Mladek
2021-06-22 2:21 ` Justin He
2021-06-15 20:42 ` [PATCH RFCv4 0/4] make '%pD' print full path for file Andy Shevchenko
2021-06-16 5:09 ` Christoph Hellwig
2021-06-16 5:16 ` Justin He
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20210615154952.2744-4-justin.he@arm.com \
--to=justin.he@arm.com \
--cc=a.darwish@linutronix.de \
--cc=andriy.shevchenko@linux.intel.com \
--cc=corbet@lwn.net \
--cc=ebiggers@google.com \
--cc=linux-doc@vger.kernel.org \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux@rasmusvillemoes.dk \
--cc=peterz@infradead.org \
--cc=pmladek@suse.com \
--cc=rostedt@goodmis.org \
--cc=senozhatsky@chromium.org \
--cc=torvalds@linux-foundation.org \
--cc=viro@zeniv.linux.org.uk \
--cc=willy@infradead.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.