From 9a3bfa01aa1c5b5478edaf7c76ea0b3a94f9c13e Mon Sep 17 00:00:00 2001 From: Rasmus Villemoes Date: Tue, 15 Jun 2021 23:49:51 +0800 Subject: lib/test_printf.c: split write-beyond-buffer check in two Before each invocation of vsnprintf(), do_test() memsets the entire allocated buffer to a sentinel value. That buffer includes leading and trailing padding which is never included in the buffer area handed to vsnprintf (spaces merely for clarity): pad test_buffer pad **** **************** **** Then vsnprintf() is invoked with a bufsize argument <= BUF_SIZE. Suppose bufsize=10, then we'd have e.g. |pad | test_buffer |pad | **** pizza0 **** ****** **** A B C D E where vsnprintf() was given the area from B to D. It is obviously a bug for vsnprintf to touch anything between A and B or between D and E. The former is checked for as one would expect. But for the latter, we are actually a little stricter in that we check the area between C and E. Split that check in two, providing a clearer error message in case it was a genuine buffer overrun and not merely a write within the provided buffer, but after the end of the generated string. So far, no part of the vsnprintf() implementation has had any use for using the whole buffer as scratch space, but it's not unreasonable to allow that, as long as the result is properly nul-terminated and the return value is the right one. However, it is somewhat unusual, and most % won't need this, so keep the [C,D] check, but make it easy for a later patch to make that part opt-out for certain tests. Signed-off-by: Rasmus Villemoes Tested-by: Jia He Signed-off-by: Jia He Reviewed-by: Petr Mladek Signed-off-by: Petr Mladek Link: https://lore.kernel.org/r/20210615154952.2744-4-justin.he@arm.com --- lib/test_printf.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/lib/test_printf.c b/lib/test_printf.c index 07309c45f327..3b017566bbd2 100644 --- a/lib/test_printf.c +++ b/lib/test_printf.c @@ -78,12 +78,17 @@ do_test(int bufsize, const char *expect, int elen, return 1; } - if (memchr_inv(test_buffer + written + 1, FILL_CHAR, BUF_SIZE + PAD_SIZE - (written + 1))) { + if (memchr_inv(test_buffer + written + 1, FILL_CHAR, bufsize - (written + 1))) { pr_warn("vsnprintf(buf, %d, \"%s\", ...) wrote beyond the nul-terminator\n", bufsize, fmt); return 1; } + if (memchr_inv(test_buffer + bufsize, FILL_CHAR, BUF_SIZE + PAD_SIZE - bufsize)) { + pr_warn("vsnprintf(buf, %d, \"%s\", ...) wrote beyond buffer\n", bufsize, fmt); + return 1; + } + if (memcmp(test_buffer, expect, written)) { pr_warn("vsnprintf(buf, %d, \"%s\", ...) wrote '%s', expected '%.*s'\n", bufsize, fmt, test_buffer, written, expect); -- cgit v1.2.3 From e3c8d33e0d62175c31ca7ab7ab01b18f0b6318d3 Mon Sep 17 00:00:00 2001 From: Antonio Borneo Date: Tue, 19 Jul 2022 14:28:31 +0200 Subject: scripts/gdb: fix 'lx-dmesg' on 32 bits arch The type atomic_long_t can have size 4 or 8 bytes, depending on CONFIG_64BIT; it's only content, the field 'counter', is either an int or a s64 value. Current code incorrectly uses the fixed size utils.read_u64() to read the field 'counter' inside atomic_long_t. On 32 bits architectures reading the last element 'tail_id' of the struct prb_desc_ring: struct prb_desc_ring { ... atomic_long_t tail_id; }; causes the utils.read_u64() to access outside the boundary of the struct and the gdb command 'lx-dmesg' exits with error: Python Exception : index out of range Error occurred in Python: index out of range Query the really used atomic_long_t counter type size. Link: https://lore.kernel.org/r/20220617143758.137307-1-antonio.borneo@foss.st.com Fixes: e60768311af8 ("scripts/gdb: update for lockless printk ringbuffer") Signed-off-by: Antonio Borneo [pmladek@suse.com: Query the really used atomic_long_t counter type size] Tested-by: Antonio Borneo Reviewed-by: John Ogness Signed-off-by: Petr Mladek Link: https://lore.kernel.org/r/20220719122831.19890-1-pmladek@suse.com --- scripts/gdb/linux/dmesg.py | 9 +++------ scripts/gdb/linux/utils.py | 14 ++++++++++++-- 2 files changed, 15 insertions(+), 8 deletions(-) diff --git a/scripts/gdb/linux/dmesg.py b/scripts/gdb/linux/dmesg.py index d5983cf3db7d..c771831eb077 100644 --- a/scripts/gdb/linux/dmesg.py +++ b/scripts/gdb/linux/dmesg.py @@ -22,7 +22,6 @@ prb_desc_type = utils.CachedType("struct prb_desc") prb_desc_ring_type = utils.CachedType("struct prb_desc_ring") prb_data_ring_type = utils.CachedType("struct prb_data_ring") printk_ringbuffer_type = utils.CachedType("struct printk_ringbuffer") -atomic_long_type = utils.CachedType("atomic_long_t") class LxDmesg(gdb.Command): """Print Linux kernel log buffer.""" @@ -68,8 +67,6 @@ class LxDmesg(gdb.Command): off = prb_data_ring_type.get_type()['data'].bitpos // 8 text_data_addr = utils.read_ulong(text_data_ring, off) - counter_off = atomic_long_type.get_type()['counter'].bitpos // 8 - sv_off = prb_desc_type.get_type()['state_var'].bitpos // 8 off = prb_desc_type.get_type()['text_blk_lpos'].bitpos // 8 @@ -89,9 +86,9 @@ class LxDmesg(gdb.Command): # read in tail and head descriptor ids off = prb_desc_ring_type.get_type()['tail_id'].bitpos // 8 - tail_id = utils.read_u64(desc_ring, off + counter_off) + tail_id = utils.read_atomic_long(desc_ring, off) off = prb_desc_ring_type.get_type()['head_id'].bitpos // 8 - head_id = utils.read_u64(desc_ring, off + counter_off) + head_id = utils.read_atomic_long(desc_ring, off) did = tail_id while True: @@ -102,7 +99,7 @@ class LxDmesg(gdb.Command): desc = utils.read_memoryview(inf, desc_addr + desc_off, desc_sz).tobytes() # skip non-committed record - state = 3 & (utils.read_u64(desc, sv_off + counter_off) >> desc_flags_shift) + state = 3 & (utils.read_atomic_long(desc, sv_off) >> desc_flags_shift) if state != desc_committed and state != desc_finalized: if did == head_id: break diff --git a/scripts/gdb/linux/utils.py b/scripts/gdb/linux/utils.py index ff7c1799d588..1553f68716cc 100644 --- a/scripts/gdb/linux/utils.py +++ b/scripts/gdb/linux/utils.py @@ -35,13 +35,12 @@ class CachedType: long_type = CachedType("long") - +atomic_long_type = CachedType("atomic_long_t") def get_long_type(): global long_type return long_type.get_type() - def offset_of(typeobj, field): element = gdb.Value(0).cast(typeobj) return int(str(element[field].address).split()[0], 16) @@ -129,6 +128,17 @@ def read_ulong(buffer, offset): else: return read_u32(buffer, offset) +atomic_long_counter_offset = atomic_long_type.get_type()['counter'].bitpos +atomic_long_counter_sizeof = atomic_long_type.get_type()['counter'].type.sizeof + +def read_atomic_long(buffer, offset): + global atomic_long_counter_offset + global atomic_long_counter_sizeof + + if atomic_long_counter_sizeof == 8: + return read_u64(buffer, offset + atomic_long_counter_offset) + else: + return read_u32(buffer, offset + atomic_long_counter_offset) target_arch = None -- cgit v1.2.3 From 96dd9a2f958be4781d8d01ed881a46864bf458aa Mon Sep 17 00:00:00 2001 From: Justin Stitt Date: Mon, 18 Jul 2022 16:06:26 -0700 Subject: lib/test_printf.c: fix clang -Wformat warnings see warnings: | lib/test_printf.c:157:52: error: format specifies type 'unsigned char' | but the argument has type 'int' [-Werror,-Wformat] test("0|1|1|128|255", | "%hhu|%hhu|%hhu|%hhu|%hhu", 0, 1, 257, 128, -1); - | lib/test_printf.c:158:55: error: format specifies type 'char' but the | argument has type 'int' [-Werror,-Wformat] test("0|1|1|-128|-1", | "%hhd|%hhd|%hhd|%hhd|%hhd", 0, 1, 257, 128, -1); - | lib/test_printf.c:159:41: error: format specifies type 'unsigned short' | but the argument has type 'int' [-Werror,-Wformat] | test("2015122420151225", "%ho%ho%#ho", 1037, 5282, -11627); There's an ongoing movement to eventually enable the -Wformat flag for clang. Previous patches have targeted incorrect usage of format specifiers. In this case, however, the "incorrect" format specifiers are intrinsically part of the test cases. Hence, fixing them would be misaligned with their intended purpose. My proposed fix is to simply disable the warnings so that one day a clean build of the kernel with clang (and -Wformat enabled) would be possible. It would also keep us in the green for alot of the CI bots. Link: https://github.com/ClangBuiltLinux/linux/issues/378 Suggested-by: Nathan Chancellor Suggested-by: Nick Desaulniers Signed-off-by: Justin Stitt Reviewed-by: Petr Mladek Reviewed-by: Nick Desaulniers Signed-off-by: Petr Mladek Link: https://lore.kernel.org/r/20220718230626.1029318-1-justinstitt@google.com --- lib/test_printf.c | 14 +++++++++++--- 1 file changed, 11 insertions(+), 3 deletions(-) diff --git a/lib/test_printf.c b/lib/test_printf.c index 3b017566bbd2..4bd15a593fbd 100644 --- a/lib/test_printf.c +++ b/lib/test_printf.c @@ -30,6 +30,12 @@ #define PAD_SIZE 16 #define FILL_CHAR '$' +#define NOWARN(option, comment, block) \ + __diag_push(); \ + __diag_ignore_all(#option, comment); \ + block \ + __diag_pop(); + KSTM_MODULE_GLOBALS(); static char *test_buffer __initdata; @@ -159,9 +165,11 @@ test_number(void) test("0x1234abcd ", "%#-12x", 0x1234abcd); test(" 0x1234abcd", "%#12x", 0x1234abcd); test("0|001| 12|+123| 1234|-123|-1234", "%d|%03d|%3d|%+d|% d|%+d|% d", 0, 1, 12, 123, 1234, -123, -1234); - test("0|1|1|128|255", "%hhu|%hhu|%hhu|%hhu|%hhu", 0, 1, 257, 128, -1); - test("0|1|1|-128|-1", "%hhd|%hhd|%hhd|%hhd|%hhd", 0, 1, 257, 128, -1); - test("2015122420151225", "%ho%ho%#ho", 1037, 5282, -11627); + NOWARN(-Wformat, "Intentionally test narrowing conversion specifiers.", { + test("0|1|1|128|255", "%hhu|%hhu|%hhu|%hhu|%hhu", 0, 1, 257, 128, -1); + test("0|1|1|-128|-1", "%hhd|%hhd|%hhd|%hhd|%hhd", 0, 1, 257, 128, -1); + test("2015122420151225", "%ho%ho%#ho", 1037, 5282, -11627); + }) /* * POSIX/C99: »The result of converting zero with an explicit * precision of zero shall be no characters.« Hence the output -- cgit v1.2.3