On Thu, Mar 28, 2024 at 09:19:14PM +0300, Nikita Kiryushin wrote:
> rcuc info output in print_cpu_stall_info() contains
> posiible buffer overflow in the case of huge jiffies
> difference. The situation seems improbable, but, buffer
> overflow, still. Also, unsigned jiffies difference printed
> as (signed) %ld (which can be a bad format, if the values
> are huge).
>
> Change sprintf to snprintf and change %ld to %lu in format.
Good catch!!!
However, the signed output is intentional. The idea is that if the
timekeeping code is confused enough to run the jiffies counter backwards,
we see a small negative number rather than a huge positive number.
For example, -132 is immediately obvious, while the 64-bit unsigned
equivalent of 18446744073709551484 might not be.
would you like to resend keeping the buffer-overflow fix but leaving
out the signed-to-unsigned conversion?
Thanx, Paul
> Found by Linux Verification Center (linuxtesting.org) with SVACE.
>
> Fixes: 245a62982502 ("rcu: Dump rcuc kthread status for CPUs not reporting
> quiescent state")
> Signed-off-by: Nikita Kiryushin <[email protected]>
> ---
> kernel/rcu/tree_stall.h | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/kernel/rcu/tree_stall.h b/kernel/rcu/tree_stall.h
> index 5d666428546b..d4542c6e7c60 100644
> --- a/kernel/rcu/tree_stall.h
> +++ b/kernel/rcu/tree_stall.h
> @@ -504,7 +504,7 @@ static void print_cpu_stall_info(int cpu)
> rcu_dynticks_in_eqs(rcu_dynticks_snap(cpu));
> rcuc_starved = rcu_is_rcuc_kthread_starving(rdp, &j);
> if (rcuc_starved)
> - sprintf(buf, " rcuc=%ld jiffies(starved)", j);
> + snprintf(buf, sizeof(buf), " rcuc=%lu jiffies(starved)", j);
> pr_err("\t%d-%c%c%c%c: (%lu %s) idle=%04x/%ld/%#lx softirq=%u/%u
> fqs=%ld%s%s\n",
> cpu,
> "O."[!!cpu_online(cpu)],
> --
> 2.34.1
>
