RE: [PATCH 1/2] vsprintf: Prevent crash when dereferencing invalid pointers for %pD
From: Justin He (Arm Technology China)
Date: Fri Aug 09 2019 - 06:56:33 EST
> -----Original Message-----
> From: Andy Shevchenko <andy.shevchenko@xxxxxxxxx>
> Sent: 2019å8æ9æ 18:52
> To: Justin He (Arm Technology China) <Justin.He@xxxxxxx>
> Cc: Petr Mladek <pmladek@xxxxxxxx>; Andy Shevchenko
> <andriy.shevchenko@xxxxxxxxxxxxxxx>; Sergey Senozhatsky
> <sergey.senozhatsky@xxxxxxxxx>; Geert Uytterhoeven
> <geert+renesas@xxxxxxxxx>; Linux Kernel Mailing List <linux-
> kernel@xxxxxxxxxxxxxxx>; Thomas Gleixner <tglx@xxxxxxxxxxxxx>; Steven
> Rostedt (VMware) <rostedt@xxxxxxxxxxx>; Kees Cook
> <keescook@xxxxxxxxxxxx>; Shuah Khan <shuah@xxxxxxxxxx>; Tobin C.
> Harding <tobin@xxxxxxxxxx>
> Subject: Re: [PATCH 1/2] vsprintf: Prevent crash when dereferencing invalid
> pointers for %pD
>
> On Fri, Aug 9, 2019 at 4:28 AM Jia He <justin.he@xxxxxxx> wrote:
> >
> > Commit 3e5903eb9cff ("vsprintf: Prevent crash when dereferencing
> invalid
> > pointers") prevents most crash except for %pD.
> > There is an additional pointer dereferencing before dentry_name.
> >
> > At least, vma->file can be NULL and be passed to printk %pD in
> > print_bad_pte, which can cause crash.
> >
> > This patch fixes it with introducing a new file_dentry_name.
> >
>
> Reviewed-by: Andy Shevchenko <andy.shevchenko@xxxxxxxxx>
>
> Perhaps you need to add a Fixes tag
Thanks, Andy
Fixes: 3e5903eb9cff ("vsprintf: Prevent crash when dereferencing invalid pointers")
Need I reposted v2?
--
Cheers,
Justin (Jia He)
>
> > Signed-off-by: Jia He <justin.he@xxxxxxx>
> > ---
> > lib/vsprintf.c | 13 ++++++++++---
> > 1 file changed, 10 insertions(+), 3 deletions(-)
> >
> > diff --git a/lib/vsprintf.c b/lib/vsprintf.c
> > index 63937044c57d..b4a119176fdb 100644
> > --- a/lib/vsprintf.c
> > +++ b/lib/vsprintf.c
> > @@ -869,6 +869,15 @@ char *dentry_name(char *buf, char *end, const
> struct dentry *d, struct printf_sp
> > return widen_string(buf, n, end, spec);
> > }
> >
> > +static noinline_for_stack
> > +char *file_dentry_name(char *buf, char *end, const struct file *f,
> > + struct printf_spec spec, const char *fmt)
> > +{
> > + if (check_pointer(&buf, end, f, spec))
> > + return buf;
> > +
> > + return dentry_name(buf, end, f->f_path.dentry, spec, fmt);
> > +}
> > #ifdef CONFIG_BLOCK
> > static noinline_for_stack
> > char *bdev_name(char *buf, char *end, struct block_device *bdev,
> > @@ -2166,9 +2175,7 @@ char *pointer(const char *fmt, char *buf, char
> *end, void *ptr,
> > case 'C':
> > return clock(buf, end, ptr, spec, fmt);
> > case 'D':
> > - return dentry_name(buf, end,
> > - ((const struct file *)ptr)->f_path.dentry,
> > - spec, fmt);
> > + return file_dentry_name(buf, end, ptr, spec, fmt);
> > #ifdef CONFIG_BLOCK
> > case 'g':
> > return bdev_name(buf, end, ptr, spec, fmt);
> > --
> > 2.17.1
> >
>
>
> --
> With Best Regards,
> Andy Shevchenko
IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.