rcu: Fix buffer overlow in print_cpu_stall_info()

Message ID	20240328181914.869332-1-kiryushin@ancud.ru (mailing list archive)
State	Superseded
Headers	show Received: from relay164.nicmail.ru (relay164.nicmail.ru [91.189.117.8]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 0709B1879; Thu, 28 Mar 2024 18:19:48 +0000 (UTC) From: Nikita Kiryushin <kiryushin@ancud.ru> To: "Paul E. McKenney" <paulmck@kernel.org> Cc: Nikita Kiryushin <kiryushin@ancud.ru>, Frederic Weisbecker <frederic@kernel.org>, Neeraj Upadhyay <quic_neeraju@quicinc.com>, Joel Fernandes <joel@joelfernandes.org>, Josh Triplett <josh@joshtriplett.org>, Boqun Feng <boqun.feng@gmail.com>, Steven Rostedt <rostedt@goodmis.org>, Mathieu Desnoyers <mathieu.desnoyers@efficios.com>, Lai Jiangshan <jiangshanlai@gmail.com>, Zqiang <qiang.zhang1211@gmail.com>, rcu@vger.kernel.org, linux-kernel@vger.kernel.org, lvc-project@linuxtesting.org Subject: [PATCH] rcu: Fix buffer overlow in print_cpu_stall_info() Date: Thu, 28 Mar 2024 21:19:14 +0300 Message-Id: <20240328181914.869332-1-kiryushin@ancud.ru> Precedence: bulk MIME-Version: 1.0 Content-Transfer-Encoding: 8bit
Series	rcu: Fix buffer overlow in print_cpu_stall_info() \| expand rcu: Fix buffer overlow in print_cpu_stall_info()

Message ID

20240328181914.869332-1-kiryushin@ancud.ru (mailing list archive)

State

Superseded

Headers

From: Nikita Kiryushin <kiryushin@ancud.ru>
To: "Paul E. McKenney" <paulmck@kernel.org>
Cc: Nikita Kiryushin <kiryushin@ancud.ru>,
	Frederic Weisbecker <frederic@kernel.org>,
	Neeraj Upadhyay <quic_neeraju@quicinc.com>,
	Joel Fernandes <joel@joelfernandes.org>,
	Josh Triplett <josh@joshtriplett.org>,
	Boqun Feng <boqun.feng@gmail.com>,
	Steven Rostedt <rostedt@goodmis.org>,
	Mathieu Desnoyers <mathieu.desnoyers@efficios.com>,
	Lai Jiangshan <jiangshanlai@gmail.com>,
	Zqiang <qiang.zhang1211@gmail.com>,
	rcu@vger.kernel.org,
	linux-kernel@vger.kernel.org,
	lvc-project@linuxtesting.org
Subject: [PATCH] rcu: Fix buffer overlow in print_cpu_stall_info()
Date: Thu, 28 Mar 2024 21:19:14 +0300
Message-Id: <20240328181914.869332-1-kiryushin@ancud.ru>
Precedence: bulk
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit

Series

rcu: Fix buffer overlow in print_cpu_stall_info() | expand

Commit Message

Nikita Kiryushin March 28, 2024, 6:19 p.m. UTC

rcuc info output in print_cpu_stall_info() contains
posiible buffer overflow in the case of huge jiffies
difference. The situation seems improbable, but, buffer
overflow, still. Also, unsigned jiffies difference printed
as (signed) %ld (which can be a bad format, if the values
are huge).

Change sprintf to snprintf and change %ld to %lu in format.

Found by Linux Verification Center (linuxtesting.org) with SVACE.

Fixes: 245a62982502 ("rcu: Dump rcuc kthread status for CPUs not reporting quiescent state")
Signed-off-by: Nikita Kiryushin <kiryushin@ancud.ru>
---
 kernel/rcu/tree_stall.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Comments

Paul E. McKenney March 29, 2024, 5:43 p.m. UTC | #1

On Thu, Mar 28, 2024 at 09:19:14PM +0300, Nikita Kiryushin wrote:
> rcuc info output in print_cpu_stall_info() contains
> posiible buffer overflow in the case of huge jiffies
> difference. The situation seems improbable, but, buffer
> overflow, still. Also, unsigned jiffies difference printed
> as (signed) %ld (which can be a bad format, if the values
> are huge).
> 
> Change sprintf to snprintf and change %ld to %lu in format.

Good catch!!!

However, the signed output is intentional.  The idea is that if the
timekeeping code is confused enough to run the jiffies counter backwards,
we see a small negative number rather than a huge positive number.
For example, -132 is immediately obvious, while the 64-bit unsigned
equivalent of 18446744073709551484 might not be.

would you like to resend keeping the buffer-overflow fix but leaving
out the signed-to-unsigned conversion?

							Thanx, Paul

> Found by Linux Verification Center (linuxtesting.org) with SVACE.
> 
> Fixes: 245a62982502 ("rcu: Dump rcuc kthread status for CPUs not reporting quiescent state")
> Signed-off-by: Nikita Kiryushin <kiryushin@ancud.ru>
> ---
>  kernel/rcu/tree_stall.h | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/kernel/rcu/tree_stall.h b/kernel/rcu/tree_stall.h
> index 5d666428546b..d4542c6e7c60 100644
> --- a/kernel/rcu/tree_stall.h
> +++ b/kernel/rcu/tree_stall.h
> @@ -504,7 +504,7 @@ static void print_cpu_stall_info(int cpu)
>  			rcu_dynticks_in_eqs(rcu_dynticks_snap(cpu));
>  	rcuc_starved = rcu_is_rcuc_kthread_starving(rdp, &j);
>  	if (rcuc_starved)
> -		sprintf(buf, " rcuc=%ld jiffies(starved)", j);
> +		snprintf(buf, sizeof(buf), " rcuc=%lu jiffies(starved)", j);
>  	pr_err("\t%d-%c%c%c%c: (%lu %s) idle=%04x/%ld/%#lx softirq=%u/%u fqs=%ld%s%s\n",
>  	       cpu,
>  	       "O."[!!cpu_online(cpu)],
> -- 
> 2.34.1
>

Nikita Kiryushin March 29, 2024, 5:56 p.m. UTC | #2

Thank you for the feedback!
> would you like to resend keeping the buffer-overflow fix but leaving
> out the signed-to-unsigned conversion?
>
I will make a second version of the patch, without
conversion as it is intentional.
> However, the signed output is intentional.  The idea is that if the
> timekeeping code is confused enough to run the jiffies counter backwards,
> we see a small negative number rather than a huge positive number.
> For example, -132 is immediately obvious, while the 64-bit unsigned
> equivalent of 18446744073709551484 might not be.
I had suspicions that was the case, however, I did not find the pointers
in the code or in the commit message, that it was intentional, so I assumed
a mistake.
Maybe, it would be a good idea for me to add a comment with intent
clarification, to reduce possibility of the same confusion in the future,
while I am at it? If so, should I do it in the same patch, or make a separate one?

Steven Rostedt March 29, 2024, 6:32 p.m. UTC | #3

On Fri, 29 Mar 2024 20:56:16 +0300
Nikita Kiryushin <kiryushin@ancud.ru> wrote:

> Maybe, it would be a good idea for me to add a comment with intent
> clarification, to reduce possibility of the same confusion in the future,

Yes please do.

> while I am at it? If so, should I do it in the same patch, or make a separate one?

I would keep it the same patch, but it really is Paul's decision.

-- Steve

Paul E. McKenney March 29, 2024, 10:21 p.m. UTC | #4

On Fri, Mar 29, 2024 at 02:32:05PM -0400, Steven Rostedt wrote:
> On Fri, 29 Mar 2024 20:56:16 +0300
> Nikita Kiryushin <kiryushin@ancud.ru> wrote:
> 
> > Maybe, it would be a good idea for me to add a comment with intent
> > clarification, to reduce possibility of the same confusion in the future,
> 
> Yes please do.
> 
> > while I am at it? If so, should I do it in the same patch, or make a separate one?
> 
> I would keep it the same patch, but it really is Paul's decision.

I am with Steve on both questions.

								Thanx, Paul

diff --git a/kernel/rcu/tree_stall.h b/kernel/rcu/tree_stall.h
index 5d666428546b..d4542c6e7c60 100644
--- a/kernel/rcu/tree_stall.h
+++ b/kernel/rcu/tree_stall.h
@@ -504,7 +504,7 @@  static void print_cpu_stall_info(int cpu)
 			rcu_dynticks_in_eqs(rcu_dynticks_snap(cpu));
 	rcuc_starved = rcu_is_rcuc_kthread_starving(rdp, &j);
 	if (rcuc_starved)
-		sprintf(buf, " rcuc=%ld jiffies(starved)", j);
+		snprintf(buf, sizeof(buf), " rcuc=%lu jiffies(starved)", j);
 	pr_err("\t%d-%c%c%c%c: (%lu %s) idle=%04x/%ld/%#lx softirq=%u/%u fqs=%ld%s%s\n",
 	       cpu,
 	       "O."[!!cpu_online(cpu)],

rcu: Fix buffer overlow in print_cpu_stall_info()

Commit Message

Comments

Patch