Re: [RESEND PATCH v2 4/4] x86/umip: Warn if UMIP-protected instructions are used

From: Ricardo Neri
Date: Tue Nov 14 2017 - 21:57:08 EST


On Tue, Nov 14, 2017 at 08:34:08AM +0100, Ingo Molnar wrote:
>
> * Ricardo Neri <ricardo.neri-calderon@xxxxxxxxxxxxxxx> wrote:
>
> > +const char * const umip_insns[5] = {
> > + [UMIP_INST_SGDT] = "sgdt",
> > + [UMIP_INST_SIDT] = "sidt",
> > + [UMIP_INST_SMSW] = "smsw",
> > + [UMIP_INST_SLDT] = "sldt",
> > + [UMIP_INST_STR] = "str",
> > +};
>
> Sigh ...

It made sense to me to capitalize code and changelogs but keep the printed warnings
in lower case. Thus, the format would look like:

umip: smsw instruction cannot be used by applications.

I do see that this could be confusing with STR. I will capitalize these as well.
>
> > +/*
> > + * If you change these strings, ensure that buffers using them are sufficiently
> > + * large.
> > + */
> > +static const char umip_warn_use[] = "cannot be used by applications.";
> > +static const char umip_warn_emu[] = "For now, expensive software emulation returns result.";
>
> Please use the string literals directly, don't add an extra obfuscation layer.
>
> Plus:
>
> > + unsigned char buf[MAX_INSN_SIZE], warn[128];
>
> > + snprintf(warn, sizeof(warn), "%s %s", umip_insns[umip_inst],
> > + umip_warn_use);
>
> This is incredibly fragile against future buffer overflows, and warning about it
> in comments does not make it less fragile!

I need to concatenate the instruction mnemonic with the a string. Does something like
this is more acceptable?

unsigned char warn[50];

...

strcpy(warn, umip_insns[umip_inst]);
strcat(warn, " instruction cannot be used by applications.");
umip_pr_warn(regs, warn, 0);

In this manner I use the string literal directly but I still have a buffer that might
overflow. Code looks more clear to me. I could #defines for the string lengths or
set a maximum length.

Thanks and BR,
Ricardo