Re: [PATCH] printk: fix buffer overflow potential for print_text()

[John Ogness]

On 2021-02-26, Alexander Gordeev  wrote:
> I am seeing KASAN reporting incorrect 1-byte access in exactly
> same location Sven has identified before. In case there no
> fix for it yet, please see below what happens in case of pretty
> large buffer - WARN_ONCE() invocation in my case.

It looks like you have not applied the fix yet:

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=08d60e5999540110576e7c1346d486220751b7f9

John Ogness

Re: [PATCH] printk: fix buffer overflow potential for print_text()

[Alexander Gordeev]

On Thu, Jan 14, 2021 at 06:10:12PM +0106, John Ogness wrote:
> Before commit b6cf8b3f3312 ("printk: add lockless ringbuffer"),
> msg_print_text() would only write up to size-1 bytes into the
> provided buffer. Some callers expect this behavior and append
> a terminator to returned string. In particular:
> 
> arch/powerpc/xmon/xmon.c:dump_log_buf()
> arch/um/kernel/kmsg_dump.c:kmsg_dumper_stdout()
> 
> msg_print_text() has been replaced by record_print_text(), which
> currently fills the full size of the buffer. This causes a
> buffer overflow for the above callers.
> 
> Change record_print_text() so that it will only use size-1 bytes
> for text data. Also, for paranoia sakes, add a terminator after
> the text data.
> 
> And finally, document this behavior so that it is clear that only
> size-1 bytes are used and a terminator is added.

Hi John,

I am seeing KASAN reporting incorrect 1-byte access in exactly
same location Sven has identified before. In case there no
fix for it yet, please see below what happens in case of pretty
large buffer - WARN_ONCE() invocation in my case.

> 
> Fixes: b6cf8b3f3312 ("printk: add lockless ringbuffer")
> Signed-off-by: John Ogness 
> ---
>  kernel/printk/printk.c | 35 +++
>  1 file changed, 27 insertions(+), 8 deletions(-)
> 
> diff --git a/kernel/printk/printk.c b/kernel/printk/printk.c
> index ffdd0dc7ec6d..73f9eae19f05 100644
> --- a/kernel/printk/printk.c
> +++ b/kernel/printk/printk.c
> @@ -1293,9 +1293,15 @@ static size_t info_print_prefix(const struct 
> printk_info  *info, bool syslog,
>   *   - Add prefix for each line.
>   *   - Add the trailing newline that has been removed in vprintk_store().
>   *   - Drop truncated lines that do not longer fit into the buffer.
> + *   - Add a trailing newline.
> + *   - Add a string terminator.
> + *
> + * Since the produced string is always terminated, the maximum possible
> + * return value is @r->text_buf_size - 1;
>   *
>   * Return: The length of the updated/prepared text, including the added
> - * prefixes and the newline. The dropped line(s) are not counted.
> + * prefixes and the newline. The terminator is not counted. The dropped
> + * line(s) are not counted.
>   */
>  static size_t record_print_text(struct printk_record *r, bool syslog,
>   bool time)
> @@ -1338,26 +1344,31 @@ static size_t record_print_text(struct printk_record 
> *r, bool syslog,
>  
>   /*
>* Truncate the text if there is not enough space to add the
> -  * prefix and a trailing newline.
> +  * prefix and a trailing newline and a terminator.
>*/
> - if (len + prefix_len + text_len + 1 > buf_size) {
> + if (len + prefix_len + text_len + 1 + 1 > buf_size) {
>   /* Drop even the current line if no space. */
> - if (len + prefix_len + line_len + 1 > buf_size)
> + if (len + prefix_len + line_len + 1 + 1 > buf_size)
>   break;
>  
> - text_len = buf_size - len - prefix_len - 1;
> + text_len = buf_size - len - prefix_len - 1 - 1;
>   truncated = true;
>   }
>  
>   memmove(text + prefix_len, text, text_len);
>   memcpy(text, prefix, prefix_len);
>  
> + /*
> +  * Increment the prepared length to include the text and
> +  * prefix that were just moved+copied. Also increment for the
> +  * newline at the end of this line. If this is the last line,
> +  * there is no newline, but it will be added immediately below.
> +  */
>   len += prefix_len + line_len + 1;

(1) the next iteration of would-be-length stored in len

> -
>   if (text_len == line_len) {

(2) but the buffer is processed, so we get here

>   /*
> -  * Add the trailing newline removed in
> -  * vprintk_store().
> +  * This is the last line. Add the trailing newline
> +  * removed in vprintk_store().
>*/
>   text[prefix_len + line_len] = '\n';
>   break;

(3) and bail out from the loop

> @@ -1382,6 +1393,14 @@ static size_t record_print_text(struct printk_record 
> *r, bool syslog,
>   text_len -= line_len + 1;
>   }
>  
> + /*
> +  * If a buffer was provided, it will be terminated. Space for the
> +  * string terminator is guaranteed to be available. The terminator is
> +  * not counted in the return value.
> +  */
> + if (buf_size > 0)
> + text[len] = 0;

(4) trying to terminate, but len is beyond the buffer

BUG: KASAN: global-out-of-bounds in record_print_text+0x1d4/0x248
Write of size 1 at addr bf9e6992 by task swapper/0/1

Reverting the 

Re: [PATCH] printk: fix buffer overflow potential for print_text()

[Sven Schnelle]

John Ogness  writes:

> Hi Sven,
>
> Thanks for the outstanding analysis!
>
> On 2021-01-23, Sven Schnelle  wrote:
>>> 1401if (buf_size > 0)
>>> 1402text[len] = 0;
>>
>> I don't think i have really understood how all the printk magic works,
>> but using r->text_buf[len] seems to be the correct place to put the
>> zero byte in that case?
>
> Yes, you are correct! @text is pointing to the beginning of the
> currently processed line, not the beginning of the buffer.
>
> I will submit a patch to fix our recent fix (unless you would like to do
> that).

Please go ahead, thank you!

Re: [PATCH] printk: fix buffer overflow potential for print_text()

[John Ogness]

Hi Sven,

Thanks for the outstanding analysis!

On 2021-01-23, Sven Schnelle  wrote:
>> 1401 if (buf_size > 0)
>> 1402 text[len] = 0;
>
> I don't think i have really understood how all the printk magic works,
> but using r->text_buf[len] seems to be the correct place to put the
> zero byte in that case?

Yes, you are correct! @text is pointing to the beginning of the
currently processed line, not the beginning of the buffer.

I will submit a patch to fix our recent fix (unless you would like to do
that).

Thank you for all your help with this!

John Ogness

Re: [PATCH] printk: fix buffer overflow potential for print_text()

[Sven Schnelle]

Sven Schnelle  writes:

> John Ogness  writes:
>
>> On 2021-01-22, Sven Schnelle  wrote:

> I was able to reproduce it in a virtual machine where i have a few more
> ways to debug. What i got was:
>
> 01:  -> 001B8814"  MVI 92001000 >> 0163F1CD CC 2
>
> That's a watchpoint telling me that the code at 0x1b8814 wants to store
> one byte to 0x163f1cd, which is the second byte of console_drivers.
>
> gdb tells me about 0x1b8814:
>
> (gdb) list *(0x1b8814)
> 0x1b8814 is in record_print_text 
> (/home/svens/ibmgit/linux/kernel/printk/printk.c:1402).
> 1397   * If a buffer was provided, it will be terminated. Space for 
> the
> 1398   * string terminator is guaranteed to be available. The 
> terminator is
> 1399   * not counted in the return value.
> 1400   */
> 1401  if (buf_size > 0)
> 1402  text[len] = 0;

I don't think i have really understood how all the printk magic works,
but using r->text_buf[len] seems to be the correct place to put the zero byte
in that case?

> 1403  
> 1404  return len;
> 1405  }
> 1406
>

Re: [PATCH] printk: fix buffer overflow potential for print_text()

[Sven Schnelle]

John Ogness  writes:

> On 2021-01-22, Sven Schnelle  wrote:
>>
>> So somehow the pointer for console_drivers changes.
>>
>> I can't provide the normal kernel crash output as printk is no longer
>> working,
>
> I don't understand what you mean here. The crash tool can dump the
> printk buffer.
>
> I would be curious to see what the messages look like. It would also be
> helpful to know the last message you saw on the console.
>

The last message is:

[ 1845.640466] User process fault: interruption code 0007 ilc:2 in 
libm.so[7d78c000+a3000]
[ 1845.640474] CPU: 9 PID: 859915 Comm: ld.so.1 Not tainted 
5.11.0-20210122.rc4.git0.9f29bd8b2e71.300.fc33.s390x+git #1
[ 1845.640476] Hardware name: IBM 8561 T01 703 (LPAR)
[ 1845.640478] User PSW : 070530008000 7d7983b2
[ 1845.640480]R:0 T:1 IO:1 EX:1 Key:0 M:1 W:0 P:1 AS:0 CC:3 PM:0 
RI:0 EA:1
[ 1845.640483] User GPRS:  7d798360 0010 
03ff0004
[ 1845.640485]7f854dd0 7d7e9788 03ff00401b30 
7f854ff8
[ 1845.640487]03ff 03ff7d5b4da0 03ff 
03ff0010
[ 1845.640489]03ff004022c6 03ff004024b0 80401796 
7f854de8

That's also what's written to the console. Please note the the output
above is expected. It's only reporting that a user space program
performed an invalid FPU operation. The kernel crash is neither written
to the console nor the dmesg buffer.

>> kmsg_dump_rewind+290 is:
>>
>>   if (!(con->flags & CON_ENABLED))
>> continue;
>>
>> in kernel/printk/printk.c:1845
>>
>> I haven't dived into whether our show_code() is doing something wrong
>> which was covered in the past or whether that's because of the patch
>> above but wanted to make you aware of that in case you have an idea.
>> Otherwise i have to dig into the code.
>
> Unless we are dealing with very long printk messages that normally get
> truncated (800+ characters) this patch simply adds a string
> terminator. I do not see how that could possibly cause this kind of
> damage.
>
> When this triggers, there is nothing happening with consoles registering
> or deregistering, right?

That's correct. No registering/unregistering taking place.

> The string terminator (kernel/printk/printk.c:1402) is only added for
> paranoia. If you comment that out, this patch will have no effect (for
> "normal" length lines). I would be curious if that somehow makes a
> difference for you.

I was able to reproduce it in a virtual machine where i have a few more
ways to debug. What i got was:

01:  -> 001B8814"  MVI 92001000 >> 0163F1CD CC 2

That's a watchpoint telling me that the code at 0x1b8814 wants to store
one byte to 0x163f1cd, which is the second byte of console_drivers.

gdb tells me about 0x1b8814:

(gdb) list *(0x1b8814)
0x1b8814 is in record_print_text 
(/home/svens/ibmgit/linux/kernel/printk/printk.c:1402).
1397 * If a buffer was provided, it will be terminated. Space for 
the
1398 * string terminator is guaranteed to be available. The 
terminator is
1399 * not counted in the return value.
1400 */
1401if (buf_size > 0)
1402text[len] = 0;
1403
1404return len;
1405}
1406

In s390 assembly, this is the store:

   0x001b8810 <+0x130>: la  %r1,0(%r7,%r9)
   0x001b8814 <+0x134>: mvi 0(%r1),0

The cpu registers at the time of write:

01: GRG  0 =  0020  0163F1CD
01: GRG  2 =  0042  03E000623A98
01: GRG  4 =  000E  0087BB70
01: GRG  6 =  0400  *0224*
01: GRG  8 =  000F  *0163EFA9*
01: GRG 10 =  0033  
01: GRG 12 =  809AE000  03E000623A98
01: GRG 14 =  001B884C  03E0006239E8

So r9 is 0163EFA9 - seems to be the start of the current message:

0163EFA9:  *[   24.069514]7d7af3c2: 
b30d0002..debr.%f0,%f2.debr.%f0,%f2

while r7 is the offset, and that one is way to big:

0224

If you add that to 0163EFA9, you'll see that we're outside of the buffer
and overwriting space after, which is console_drivers.

The message it's trying to print is rather long, so the 0x224 could be
the size of the whole line:

This is not from the same crash, but this is how the message looks like
it's trying to print:

[   23.960773] User Code: 7d7af3ba: 78005000le  
%f0,0(%r5) 
[   23.960773]7d7af3be: 78205004le  
%f2,4(%r5) 
[   23.960773]   #7d7af3c2: b30d0002debr%f0,%f2 
[   23.960773]   >7d7af3c6: a728lhi %r2,0 
[   23.960773]7d7af3ca: 07febcr 15,%r14 
[   23.960773]7d7af3cc: 0707bcr 0,%r7 
[ 

Re: [PATCH] printk: fix buffer overflow potential for print_text()

[John Ogness]

On 2021-01-22, Sven Schnelle  wrote:
> I'm seeing crashes on s390x with this patch while running the glibc
> testsuite. The glibc test suite triggers a few FPU exceptions which
> are printed to the kernel log by default. Looking at the crash dump,
> i see that the console_drivers pointer seems to be overwritten while
> printing that (user space) warning:
>
> crash> print *console_drivers
> $1 = {
>   name = "\247\071\377\373\354!\004\214\000\331\300\345\000\033\353_", 
>   write = 0xa7190001eb119078, 
>   read = 0xe6e320b0050090, 
>   device = 0xa51e0010a7210001, 
>   unblank = 0xa7291000b9e28012, 
>   setup = 0xe320f0a4e320, 
>   exit = 0x208e0094eb112000, 
>   match = 0xcec1c006e017f, 
>   flags = -4984, 
>   index = 133, 
>   cflag = 8143136, 
>   data = 0x800458108004ec12, 
>   next = 0x5007eaf00
> }
>
> crash> x/16i console_drivers
>0x79009700:  lghi%r3,-5
>0x79009704:  aghik   %r2,%r1,1164
>0x7900970a:  brasl   %r14,0x79386dc8
>0x79009710:  lghi%r1,1
>0x79009714:  laog%r1,%r1,120(%r9)
>0x7900971a:  llgc%r2,5(%r11)
>0x79009720:  llilh   %r1,16
>0x79009724:  tmll%r2,1
>0x79009728:  lghi%r2,4096
>0x7900972c:  locgre  %r1,%r2
>0x79009730:  lg  %r2,160(%r15)
>0x79009736:  llc %r2,142(%r2)
>0x7900973c:  srlg%r1,%r1,0(%r2)
>0x79009742:  clij%r1,1,12,0x7900981e
>0x79009748:  cgij%r8,0,8,0x79009852
>0x7900974e:  la  %r2,4(%r8)
>
> crash> sym 0x79009700
> 79009700 (t) iomap_finish_ioend+192
> /usr/src/debug/kernel-5.10.fc33/linux-5.11.0-20210122.rc4.git0.9f29bd8b2e71.300.fc33.s390x/./include/linux/pagemap.h:
> 59
>
> So somehow the pointer for console_drivers changes.
>
> I can't provide the normal kernel crash output as printk is no longer
> working,

I don't understand what you mean here. The crash tool can dump the
printk buffer.

I would be curious to see what the messages look like. It would also be
helpful to know the last message you saw on the console.

> but in crash the backtrace looks like this:
> crash> bt
> PID: 859915  TASK: dad24000  CPU: 9   COMMAND: "ld.so.1"
>  LOWCORE INFO:
>   -psw  : 0x000200018000 0x78c8400e
>   -function : stop_run at 78c8400e
>   -prefix   : 0x0041e000
>   -cpu timer: 0x7953a957e166
>   -clock cmp: 0xd92876863ac66b00
>   -general registers:
>  0xf0f0f0f0 0x78c8400e
>  0x79984830 0x79984830
>  0x79ac62c0 0x0002
>  0x0038 00
>  0x7a19157e 00
>  0xfffa 00
>  0xdad24000 00
>  0x78c8416e 0x0380033136f0
>   -access registers:
>  0x7d5b4da0 0xa2a795c0 00 00
>  00 00 00 00
>  00 00 00 00
>  00 00 00 00
>   -control registers:
>  0x00a014966a10 0x7a15c007
>  0x0001d0a0 00
>  0x 0x0001d080
>  0x3b00 0x0001f29b81c7
>  0x8000 00
>  00 00
>  00 0x7a15c007
>  0xdb00 0x0001d0c0
>   -floating point registers:
>  0x5fabeb67f92f 0x0007fff8
>  0x4040eb67f000 00
>  0x0007 0x0064
>  0x02aa2a63f028 0x0963cf85
>  0x2a642c60 00
>  0x7f85516ceb67f222 0x03ffeb67f528
>  0x03ffeb67f230 0x0001
>  0x03ffeb67f21d 0x02aa28d2d970
>
>  #0 [38003313710] stop_run at 78c8400e
>  #1 [38003313728] atomic_notifier_call_chain at 78ced536
>  #2 [38003313778] panic at 7974aeca
>  #3 [38003313818] die at 78c897ea
>  #4 [38003313880] do_no_context at 78c9b230
>  #5 [380033138b8] pgm_check_handler at 7976438c
>  PSW:  0404c0018000 78d304ba (kmsg_dump_rewind+290)
>  GPRS: 0020   ec88 
>000e 793f4800 0224  
>  0224 0005007eaf00 
>dad24000  038003313a68 038003313a18 
>  #0 [38003313a68] console_unlock at 78d3158e
>  #1 [38003313b48] vprintk_emit at 78d32f50
>  #2 [38003313ba8] vprintk_default at 78d32f9e
>  #3 [38003313c00] printk at 7974bfae
>  #4 [38003313c90] show_code at 78c8588e
>  #5 [38003313de0] show_registers at 7974a26e
>  #6 [38003313e70] show_regs at 78c8961e
>  #7 [38003313ea0] pgm_check_handler at 7976438c
>  PSW:  070530008000 7d7983b2 (user space)
>  GPRS:  7d798360 0010 03ff0004 
>7f854dd0 7d7e9788 03ff00401b30 7f854ff8 
>03ff 03ff7d5b4da0 

Re: [PATCH] printk: fix buffer overflow potential for print_text()

[Sven Schnelle]

John Ogness  writes:

> Before commit b6cf8b3f3312 ("printk: add lockless ringbuffer"),
> msg_print_text() would only write up to size-1 bytes into the
> provided buffer. Some callers expect this behavior and append
> a terminator to returned string. In particular:
>
> arch/powerpc/xmon/xmon.c:dump_log_buf()
> arch/um/kernel/kmsg_dump.c:kmsg_dumper_stdout()
>
> msg_print_text() has been replaced by record_print_text(), which
> currently fills the full size of the buffer. This causes a
> buffer overflow for the above callers.
>
> Change record_print_text() so that it will only use size-1 bytes
> for text data. Also, for paranoia sakes, add a terminator after
> the text data.
>
> And finally, document this behavior so that it is clear that only
> size-1 bytes are used and a terminator is added.
>
> Fixes: b6cf8b3f3312 ("printk: add lockless ringbuffer")
> Signed-off-by: John Ogness 
> ---
> [..]

I'm seeing crashes on s390x with this patch while running the glibc
testsuite. The glibc test suite triggers a few FPU exceptions which
are printed to the kernel log by default. Looking at the crash dump,
i see that the console_drivers pointer seems to be overwritten while
printing that (user space) warning:

crash> print *console_drivers
$1 = {
  name = "\247\071\377\373\354!\004\214\000\331\300\345\000\033\353_", 
  write = 0xa7190001eb119078, 
  read = 0xe6e320b0050090, 
  device = 0xa51e0010a7210001, 
  unblank = 0xa7291000b9e28012, 
  setup = 0xe320f0a4e320, 
  exit = 0x208e0094eb112000, 
  match = 0xcec1c006e017f, 
  flags = -4984, 
  index = 133, 
  cflag = 8143136, 
  data = 0x800458108004ec12, 
  next = 0x5007eaf00
}

crash> x/16i console_drivers
   0x79009700:  lghi%r3,-5
   0x79009704:  aghik   %r2,%r1,1164
   0x7900970a:  brasl   %r14,0x79386dc8
   0x79009710:  lghi%r1,1
   0x79009714:  laog%r1,%r1,120(%r9)
   0x7900971a:  llgc%r2,5(%r11)
   0x79009720:  llilh   %r1,16
   0x79009724:  tmll%r2,1
   0x79009728:  lghi%r2,4096
   0x7900972c:  locgre  %r1,%r2
   0x79009730:  lg  %r2,160(%r15)
   0x79009736:  llc %r2,142(%r2)
   0x7900973c:  srlg%r1,%r1,0(%r2)
   0x79009742:  clij%r1,1,12,0x7900981e
   0x79009748:  cgij%r8,0,8,0x79009852
   0x7900974e:  la  %r2,4(%r8)

crash> sym 0x79009700
79009700 (t) iomap_finish_ioend+192
/usr/src/debug/kernel-5.10.fc33/linux-5.11.0-20210122.rc4.git0.9f29bd8b2e71.300.fc33.s390x/./include/linux/pagemap.h:
59

So somehow the pointer for console_drivers changes.

I can't provide the normal kernel crash output as printk is no longer
working, but in crash the backtrace looks like this:
crash> bt
PID: 859915  TASK: dad24000  CPU: 9   COMMAND: "ld.so.1"
 LOWCORE INFO:
  -psw  : 0x000200018000 0x78c8400e
  -function : stop_run at 78c8400e
  -prefix   : 0x0041e000
  -cpu timer: 0x7953a957e166
  -clock cmp: 0xd92876863ac66b00
  -general registers:
 0xf0f0f0f0 0x78c8400e
 0x79984830 0x79984830
 0x79ac62c0 0x0002
 0x0038 00
 0x7a19157e 00
 0xfffa 00
 0xdad24000 00
 0x78c8416e 0x0380033136f0
  -access registers:
 0x7d5b4da0 0xa2a795c0 00 00
 00 00 00 00
 00 00 00 00
 00 00 00 00
  -control registers:
 0x00a014966a10 0x7a15c007
 0x0001d0a0 00
 0x 0x0001d080
 0x3b00 0x0001f29b81c7
 0x8000 00
 00 00
 00 0x7a15c007
 0xdb00 0x0001d0c0
  -floating point registers:
 0x5fabeb67f92f 0x0007fff8
 0x4040eb67f000 00
 0x0007 0x0064
 0x02aa2a63f028 0x0963cf85
 0x2a642c60 00
 0x7f85516ceb67f222 0x03ffeb67f528
 0x03ffeb67f230 0x0001
 0x03ffeb67f21d 0x02aa28d2d970

 #0 [38003313710] stop_run at 78c8400e
 #1 [38003313728] atomic_notifier_call_chain at 78ced536
 #2 [38003313778] panic at 7974aeca
 #3 [38003313818] die at 78c897ea
 #4 [38003313880] do_no_context at 78c9b230
 #5 [380033138b8] pgm_check_handler at 7976438c
 PSW:  0404c0018000 78d304ba (kmsg_dump_rewind+290)
 GPRS: 0020   ec88 
   000e 793f4800 0224  
     0224 0005007eaf00 
   dad24000  038003313a68 038003313a18 
 #0 [38003313a68] console_unlock at 78d3158e
 #1 [38003313b48] vprintk_emit at 78d32f50
 #2 [38003313ba8] vprintk_default at 78d32f9e
 #3 [38003313c00] printk at 

Re: [PATCH] printk: fix buffer overflow potential for print_text()

[Petr Mladek]

On Tue 2021-01-19 12:50:47, John Ogness wrote:
> On 2021-01-19, Sergey Senozhatsky  wrote:
> >>> John, how did you spot these problems?
> >> 
> >> I am preparing my series to remove the logbuf_lock, which also
> >> refactors and consolidates code from syslog_print_all() and
> >> kmsg_dump_get_buffer(). While testing/verifying my series, I noticed
> >> the these oddities in the semantics and decided I should research
> >> where they came from and if they were actually necessary.
> >
> > Any chance you can put those tests somewhere public so that we can
> > run them regularly?

Great idea.

> I have a collection of hacked-together tools that I use to test most of
> the various interfaces of printk. I would need to clean them up if they
> should be used for any kind of automated regression testing.

Sounds good. We could even help with the clean up. This kind of code
always need it when it was not written for public use from scratch.

> And where should I make such things available? I could put them in a
> repo in the Linutronix github account (like I did for the ringbuffer
> stress testing tool). (??)

Sounds good as well.

Best Regards,
Petr

Re: [PATCH] printk: fix buffer overflow potential for print_text()

[John Ogness]

On 2021-01-19, Sergey Senozhatsky  wrote:
>>> John, how did you spot these problems?
>> 
>> I am preparing my series to remove the logbuf_lock, which also
>> refactors and consolidates code from syslog_print_all() and
>> kmsg_dump_get_buffer(). While testing/verifying my series, I noticed
>> the these oddities in the semantics and decided I should research
>> where they came from and if they were actually necessary.
>
> Any chance you can put those tests somewhere public so that we can
> run them regularly?

I have a collection of hacked-together tools that I use to test most of
the various interfaces of printk. I would need to clean them up if they
should be used for any kind of automated regression testing.

And where should I make such things available? I could put them in a
repo in the Linutronix github account (like I did for the ringbuffer
stress testing tool). (??)

John

Re: [PATCH] printk: fix buffer overflow potential for print_text()

[Petr Mladek]

On Tue 2021-01-19 09:44:56, Sergey Senozhatsky wrote:
> On (21/01/15 13:07), Petr Mladek wrote:
> > On Fri 2021-01-15 13:04:37, Petr Mladek wrote:
> > > On Thu 2021-01-14 18:10:12, John Ogness wrote:
> > > > Before commit b6cf8b3f3312 ("printk: add lockless ringbuffer"),
> > > > msg_print_text() would only write up to size-1 bytes into the
> > > > provided buffer. Some callers expect this behavior and append
> > > > a terminator to returned string. In particular:
> > > > 
> > > > arch/powerpc/xmon/xmon.c:dump_log_buf()
> > > > arch/um/kernel/kmsg_dump.c:kmsg_dumper_stdout()
> > > > 
> > > > msg_print_text() has been replaced by record_print_text(), which
> > > > currently fills the full size of the buffer. This causes a
> > > > buffer overflow for the above callers.
> > > > 
> > > > Change record_print_text() so that it will only use size-1 bytes
> > > > for text data. Also, for paranoia sakes, add a terminator after
> > > > the text data.
> > > > 
> > > > And finally, document this behavior so that it is clear that only
> > > > size-1 bytes are used and a terminator is added.
> > > > 
> > > > Fixes: b6cf8b3f3312 ("printk: add lockless ringbuffer")
> > > > Signed-off-by: John Ogness 
> 
> John, how did you spot these problems?
> 
> FWIW, Acked-by: Sergey Senozhatsky 

The patch has been committed into printk/linux.git, branch
printk-rework.

Best Regards,
Petr

Re: [PATCH] printk: fix buffer overflow potential for print_text()

[Sergey Senozhatsky]

On (21/01/19 10:00), John Ogness wrote:
> On 2021-01-19, Sergey Senozhatsky  wrote:
> > John, how did you spot these problems?
> 
> I am preparing my series to remove the logbuf_lock, which also refactors
> and consolidates code from syslog_print_all() and
> kmsg_dump_get_buffer(). While testing/verifying my series, I noticed the
> these oddities in the semantics and decided I should research where they
> came from and if they were actually necessary.

Any chance you can put those tests somewhere public so that we can
run them regularly? (say, before Petr sends out a pull request to
Linus.)

> I wouldn't say the oddities are necessary (in fact, they are quite
> annoying), but we have decided to keep them in out of fear of breaking
> out-of-tree modules and/or interesting userspace code.

Sure.

> One positive effect of the rework is that we are finding these oddities
> and documenting them.

Absolutely agree.

-ss

Re: [PATCH] printk: fix buffer overflow potential for print_text()

[John Ogness]

On 2021-01-19, Sergey Senozhatsky  wrote:
> John, how did you spot these problems?

I am preparing my series to remove the logbuf_lock, which also refactors
and consolidates code from syslog_print_all() and
kmsg_dump_get_buffer(). While testing/verifying my series, I noticed the
these oddities in the semantics and decided I should research where they
came from and if they were actually necessary.

I wouldn't say the oddities are necessary (in fact, they are quite
annoying), but we have decided to keep them in out of fear of breaking
out-of-tree modules and/or interesting userspace code.

One positive effect of the rework is that we are finding these oddities
and documenting them. I think you and Petr are going down a similar path
with the console registration stuff now.

John

Re: [PATCH] printk: fix buffer overflow potential for print_text()

[Sergey Senozhatsky]

On (21/01/15 13:07), Petr Mladek wrote:
> On Fri 2021-01-15 13:04:37, Petr Mladek wrote:
> > On Thu 2021-01-14 18:10:12, John Ogness wrote:
> > > Before commit b6cf8b3f3312 ("printk: add lockless ringbuffer"),
> > > msg_print_text() would only write up to size-1 bytes into the
> > > provided buffer. Some callers expect this behavior and append
> > > a terminator to returned string. In particular:
> > > 
> > > arch/powerpc/xmon/xmon.c:dump_log_buf()
> > > arch/um/kernel/kmsg_dump.c:kmsg_dumper_stdout()
> > > 
> > > msg_print_text() has been replaced by record_print_text(), which
> > > currently fills the full size of the buffer. This causes a
> > > buffer overflow for the above callers.
> > > 
> > > Change record_print_text() so that it will only use size-1 bytes
> > > for text data. Also, for paranoia sakes, add a terminator after
> > > the text data.
> > > 
> > > And finally, document this behavior so that it is clear that only
> > > size-1 bytes are used and a terminator is added.
> > > 
> > > Fixes: b6cf8b3f3312 ("printk: add lockless ringbuffer")
> > > Signed-off-by: John Ogness 

John, how did you spot these problems?

FWIW, Acked-by: Sergey Senozhatsky 

> I forgot one thing. We should add stable here:
> 
> Cc: sta...@vger.kernel.org # 5.10+

Good point.

-ss

Re: [PATCH] printk: fix buffer overflow potential for print_text()

[Petr Mladek]

On Fri 2021-01-15 15:22:03, John Ogness wrote:
> Hi Petr,
> 
> I noticed some minor errors in the commit log and comments...
> 
> On 2021-01-14, John Ogness  wrote:
> > Before commit b6cf8b3f3312 ("printk: add lockless ringbuffer"),
> > msg_print_text()
> 
> Can you fixup the patch for the commit or do you need a v2?

I could fix these when pushing ;-)

Best Regards,
Petr

Re: [PATCH] printk: fix buffer overflow potential for print_text()

[John Ogness]

Hi Petr,

I noticed some minor errors in the commit log and comments...

On 2021-01-14, John Ogness  wrote:
> Before commit b6cf8b3f3312 ("printk: add lockless ringbuffer"),
> msg_print_text()

The correct commit where the change was made is: 896fbe20b4e2333fb55
("printk: use the lockless ringbuffer")

> would only write up to size-1 bytes into the
> provided buffer. Some callers expect this behavior and append
> a terminator to returned string. In particular:
>
> arch/powerpc/xmon/xmon.c:dump_log_buf()
> arch/um/kernel/kmsg_dump.c:kmsg_dumper_stdout()
>
> msg_print_text() has been replaced by record_print_text(), which
> currently fills the full size of the buffer. This causes a
> buffer overflow for the above callers.
>
> Change record_print_text() so that it will only use size-1 bytes
> for text data. Also, for paranoia sakes, add a terminator after
> the text data.
>
> And finally, document this behavior so that it is clear that only
> size-1 bytes are used and a terminator is added.
>
> Fixes: b6cf8b3f3312 ("printk: add lockless ringbuffer")

Ditto for Fixes tag:

896fbe20b4e2333fb55 ("printk: use the lockless ringbuffer")

> Signed-off-by: John Ogness 
> ---
>  kernel/printk/printk.c | 35 +++
>  1 file changed, 27 insertions(+), 8 deletions(-)
>
> diff --git a/kernel/printk/printk.c b/kernel/printk/printk.c
> index ffdd0dc7ec6d..73f9eae19f05 100644
> --- a/kernel/printk/printk.c
> +++ b/kernel/printk/printk.c
> @@ -1293,9 +1293,15 @@ static size_t info_print_prefix(const struct 
> printk_info  *info, bool syslog,
>   *   - Add prefix for each line.
>   *   - Add the trailing newline that has been removed in vprintk_store().
>   *   - Drop truncated lines that do not longer fit into the buffer.
> + *   - Add a trailing newline.
> + *   - Add a string terminator.

I didn't realize that the newline was already listed (since it was out
of order). I recommend these comments changing to:

- Add prefix for each line.
- Drop truncated lines that no longer fit into the buffer.
- Add the trailing newline that has been removed in vprintk_store().
- Add a string terminator.

Can you fixup the patch for the commit or do you need a v2?

John Ogness

Re: [PATCH] printk: fix buffer overflow potential for print_text()

[Petr Mladek]

On Fri 2021-01-15 13:04:37, Petr Mladek wrote:
> On Thu 2021-01-14 18:10:12, John Ogness wrote:
> > Before commit b6cf8b3f3312 ("printk: add lockless ringbuffer"),
> > msg_print_text() would only write up to size-1 bytes into the
> > provided buffer. Some callers expect this behavior and append
> > a terminator to returned string. In particular:
> > 
> > arch/powerpc/xmon/xmon.c:dump_log_buf()
> > arch/um/kernel/kmsg_dump.c:kmsg_dumper_stdout()
> > 
> > msg_print_text() has been replaced by record_print_text(), which
> > currently fills the full size of the buffer. This causes a
> > buffer overflow for the above callers.
> > 
> > Change record_print_text() so that it will only use size-1 bytes
> > for text data. Also, for paranoia sakes, add a terminator after
> > the text data.
> > 
> > And finally, document this behavior so that it is clear that only
> > size-1 bytes are used and a terminator is added.
> > 
> > Fixes: b6cf8b3f3312 ("printk: add lockless ringbuffer")
> > Signed-off-by: John Ogness 

I forgot one thing. We should add stable here:

Cc: sta...@vger.kernel.org # 5.10+

No need to resend the patch. I'll add it when pushing the patch.

Best Regards,
Petr

Re: [PATCH] printk: fix buffer overflow potential for print_text()

[Petr Mladek]

On Thu 2021-01-14 18:10:12, John Ogness wrote:
> Before commit b6cf8b3f3312 ("printk: add lockless ringbuffer"),
> msg_print_text() would only write up to size-1 bytes into the
> provided buffer. Some callers expect this behavior and append
> a terminator to returned string. In particular:
> 
> arch/powerpc/xmon/xmon.c:dump_log_buf()
> arch/um/kernel/kmsg_dump.c:kmsg_dumper_stdout()
> 
> msg_print_text() has been replaced by record_print_text(), which
> currently fills the full size of the buffer. This causes a
> buffer overflow for the above callers.
> 
> Change record_print_text() so that it will only use size-1 bytes
> for text data. Also, for paranoia sakes, add a terminator after
> the text data.
> 
> And finally, document this behavior so that it is clear that only
> size-1 bytes are used and a terminator is added.
> 
> Fixes: b6cf8b3f3312 ("printk: add lockless ringbuffer")
> Signed-off-by: John Ogness 

Reviewed-by: Petr Mladek 

Best Regards,
Petr

[PATCH] printk: fix buffer overflow potential for print_text()

[John Ogness]

Before commit b6cf8b3f3312 ("printk: add lockless ringbuffer"),
msg_print_text() would only write up to size-1 bytes into the
provided buffer. Some callers expect this behavior and append
a terminator to returned string. In particular:

arch/powerpc/xmon/xmon.c:dump_log_buf()
arch/um/kernel/kmsg_dump.c:kmsg_dumper_stdout()

msg_print_text() has been replaced by record_print_text(), which
currently fills the full size of the buffer. This causes a
buffer overflow for the above callers.

Change record_print_text() so that it will only use size-1 bytes
for text data. Also, for paranoia sakes, add a terminator after
the text data.

And finally, document this behavior so that it is clear that only
size-1 bytes are used and a terminator is added.

Fixes: b6cf8b3f3312 ("printk: add lockless ringbuffer")
Signed-off-by: John Ogness 
---
 kernel/printk/printk.c | 35 +++
 1 file changed, 27 insertions(+), 8 deletions(-)

diff --git a/kernel/printk/printk.c b/kernel/printk/printk.c
index ffdd0dc7ec6d..73f9eae19f05 100644
--- a/kernel/printk/printk.c
+++ b/kernel/printk/printk.c
@@ -1293,9 +1293,15 @@ static size_t info_print_prefix(const struct printk_info 
 *info, bool syslog,
  *   - Add prefix for each line.
  *   - Add the trailing newline that has been removed in vprintk_store().
  *   - Drop truncated lines that do not longer fit into the buffer.
+ *   - Add a trailing newline.
+ *   - Add a string terminator.
+ *
+ * Since the produced string is always terminated, the maximum possible
+ * return value is @r->text_buf_size - 1;
  *
  * Return: The length of the updated/prepared text, including the added
- * prefixes and the newline. The dropped line(s) are not counted.
+ * prefixes and the newline. The terminator is not counted. The dropped
+ * line(s) are not counted.
  */
 static size_t record_print_text(struct printk_record *r, bool syslog,
bool time)
@@ -1338,26 +1344,31 @@ static size_t record_print_text(struct printk_record 
*r, bool syslog,
 
/*
 * Truncate the text if there is not enough space to add the
-* prefix and a trailing newline.
+* prefix and a trailing newline and a terminator.
 */
-   if (len + prefix_len + text_len + 1 > buf_size) {
+   if (len + prefix_len + text_len + 1 + 1 > buf_size) {
/* Drop even the current line if no space. */
-   if (len + prefix_len + line_len + 1 > buf_size)
+   if (len + prefix_len + line_len + 1 + 1 > buf_size)
break;
 
-   text_len = buf_size - len - prefix_len - 1;
+   text_len = buf_size - len - prefix_len - 1 - 1;
truncated = true;
}
 
memmove(text + prefix_len, text, text_len);
memcpy(text, prefix, prefix_len);
 
+   /*
+* Increment the prepared length to include the text and
+* prefix that were just moved+copied. Also increment for the
+* newline at the end of this line. If this is the last line,
+* there is no newline, but it will be added immediately below.
+*/
len += prefix_len + line_len + 1;
-
if (text_len == line_len) {
/*
-* Add the trailing newline removed in
-* vprintk_store().
+* This is the last line. Add the trailing newline
+* removed in vprintk_store().
 */
text[prefix_len + line_len] = '\n';
break;
@@ -1382,6 +1393,14 @@ static size_t record_print_text(struct printk_record *r, 
bool syslog,
text_len -= line_len + 1;
}
 
+   /*
+* If a buffer was provided, it will be terminated. Space for the
+* string terminator is guaranteed to be available. The terminator is
+* not counted in the return value.
+*/
+   if (buf_size > 0)
+   text[len] = 0;
+
return len;
 }
 
-- 
2.20.1