From 9a3bfa01aa1c5b5478edaf7c76ea0b3a94f9c13e Mon Sep 17 00:00:00 2001 From: Rasmus Villemoes Date: Tue, 15 Jun 2021 23:49:51 +0800 Subject: lib/test_printf.c: split write-beyond-buffer check in two Before each invocation of vsnprintf(), do_test() memsets the entire allocated buffer to a sentinel value. That buffer includes leading and trailing padding which is never included in the buffer area handed to vsnprintf (spaces merely for clarity): pad test_buffer pad **** **************** **** Then vsnprintf() is invoked with a bufsize argument <= BUF_SIZE. Suppose bufsize=10, then we'd have e.g. |pad | test_buffer |pad | **** pizza0 **** ****** **** A B C D E where vsnprintf() was given the area from B to D. It is obviously a bug for vsnprintf to touch anything between A and B or between D and E. The former is checked for as one would expect. But for the latter, we are actually a little stricter in that we check the area between C and E. Split that check in two, providing a clearer error message in case it was a genuine buffer overrun and not merely a write within the provided buffer, but after the end of the generated string. So far, no part of the vsnprintf() implementation has had any use for using the whole buffer as scratch space, but it's not unreasonable to allow that, as long as the result is properly nul-terminated and the return value is the right one. However, it is somewhat unusual, and most % won't need this, so keep the [C,D] check, but make it easy for a later patch to make that part opt-out for certain tests. Signed-off-by: Rasmus Villemoes Tested-by: Jia He Signed-off-by: Jia He Reviewed-by: Petr Mladek Signed-off-by: Petr Mladek Link: https://lore.kernel.org/r/20210615154952.2744-4-justin.he@arm.com --- lib/test_printf.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) (limited to 'lib') diff --git a/lib/test_printf.c b/lib/test_printf.c index 07309c45f327..3b017566bbd2 100644 --- a/lib/test_printf.c +++ b/lib/test_printf.c @@ -78,12 +78,17 @@ do_test(int bufsize, const char *expect, int elen, return 1; } - if (memchr_inv(test_buffer + written + 1, FILL_CHAR, BUF_SIZE + PAD_SIZE - (written + 1))) { + if (memchr_inv(test_buffer + written + 1, FILL_CHAR, bufsize - (written + 1))) { pr_warn("vsnprintf(buf, %d, \"%s\", ...) wrote beyond the nul-terminator\n", bufsize, fmt); return 1; } + if (memchr_inv(test_buffer + bufsize, FILL_CHAR, BUF_SIZE + PAD_SIZE - bufsize)) { + pr_warn("vsnprintf(buf, %d, \"%s\", ...) wrote beyond buffer\n", bufsize, fmt); + return 1; + } + if (memcmp(test_buffer, expect, written)) { pr_warn("vsnprintf(buf, %d, \"%s\", ...) wrote '%s', expected '%.*s'\n", bufsize, fmt, test_buffer, written, expect); -- cgit v1.2.3 From 96dd9a2f958be4781d8d01ed881a46864bf458aa Mon Sep 17 00:00:00 2001 From: Justin Stitt Date: Mon, 18 Jul 2022 16:06:26 -0700 Subject: lib/test_printf.c: fix clang -Wformat warnings see warnings: | lib/test_printf.c:157:52: error: format specifies type 'unsigned char' | but the argument has type 'int' [-Werror,-Wformat] test("0|1|1|128|255", | "%hhu|%hhu|%hhu|%hhu|%hhu", 0, 1, 257, 128, -1); - | lib/test_printf.c:158:55: error: format specifies type 'char' but the | argument has type 'int' [-Werror,-Wformat] test("0|1|1|-128|-1", | "%hhd|%hhd|%hhd|%hhd|%hhd", 0, 1, 257, 128, -1); - | lib/test_printf.c:159:41: error: format specifies type 'unsigned short' | but the argument has type 'int' [-Werror,-Wformat] | test("2015122420151225", "%ho%ho%#ho", 1037, 5282, -11627); There's an ongoing movement to eventually enable the -Wformat flag for clang. Previous patches have targeted incorrect usage of format specifiers. In this case, however, the "incorrect" format specifiers are intrinsically part of the test cases. Hence, fixing them would be misaligned with their intended purpose. My proposed fix is to simply disable the warnings so that one day a clean build of the kernel with clang (and -Wformat enabled) would be possible. It would also keep us in the green for alot of the CI bots. Link: https://github.com/ClangBuiltLinux/linux/issues/378 Suggested-by: Nathan Chancellor Suggested-by: Nick Desaulniers Signed-off-by: Justin Stitt Reviewed-by: Petr Mladek Reviewed-by: Nick Desaulniers Signed-off-by: Petr Mladek Link: https://lore.kernel.org/r/20220718230626.1029318-1-justinstitt@google.com --- lib/test_printf.c | 14 +++++++++++--- 1 file changed, 11 insertions(+), 3 deletions(-) (limited to 'lib') diff --git a/lib/test_printf.c b/lib/test_printf.c index 3b017566bbd2..4bd15a593fbd 100644 --- a/lib/test_printf.c +++ b/lib/test_printf.c @@ -30,6 +30,12 @@ #define PAD_SIZE 16 #define FILL_CHAR '$' +#define NOWARN(option, comment, block) \ + __diag_push(); \ + __diag_ignore_all(#option, comment); \ + block \ + __diag_pop(); + KSTM_MODULE_GLOBALS(); static char *test_buffer __initdata; @@ -159,9 +165,11 @@ test_number(void) test("0x1234abcd ", "%#-12x", 0x1234abcd); test(" 0x1234abcd", "%#12x", 0x1234abcd); test("0|001| 12|+123| 1234|-123|-1234", "%d|%03d|%3d|%+d|% d|%+d|% d", 0, 1, 12, 123, 1234, -123, -1234); - test("0|1|1|128|255", "%hhu|%hhu|%hhu|%hhu|%hhu", 0, 1, 257, 128, -1); - test("0|1|1|-128|-1", "%hhd|%hhd|%hhd|%hhd|%hhd", 0, 1, 257, 128, -1); - test("2015122420151225", "%ho%ho%#ho", 1037, 5282, -11627); + NOWARN(-Wformat, "Intentionally test narrowing conversion specifiers.", { + test("0|1|1|128|255", "%hhu|%hhu|%hhu|%hhu|%hhu", 0, 1, 257, 128, -1); + test("0|1|1|-128|-1", "%hhd|%hhd|%hhd|%hhd|%hhd", 0, 1, 257, 128, -1); + test("2015122420151225", "%ho%ho%#ho", 1037, 5282, -11627); + }) /* * POSIX/C99: »The result of converting zero with an explicit * precision of zero shall be no characters.« Hence the output -- cgit v1.2.3