Re: [PATCH] vsprintf: protect kernel from panic due to non-canonical pointer dereference

[Jane Chu]

On 10/17/2022 12:25 PM, Andy Shevchenko wrote:
> On Mon, Oct 17, 2022 at 01:16:11PM -0600, Jane Chu wrote:
>> While debugging a separate issue, it was found that an invalid string
>> pointer could very well contain a non-canical address, such as
>> 0x7665645f63616465. In that case, this line of defense isn't enough
>> to protect the kernel from crashing due to general protection fault
>>
>> 	if ((unsigned long)ptr < PAGE_SIZE || IS_ERR_VALUE(ptr))
>>                  return "(efault)";
>>
>> So instead, use kern_addr_valid() to validate the string pointer.
> 
> How did you check that value of the (invalid string) pointer?
> 

In the bug scenario, the invalid string pointer was an out-of-bound 
string pointer. While the OOB referencing is fixed, the lingering issue 
is that the kernel ought to be able to protect itself, as the pointer 
contains a non-canonical address.  That said, I realized that not all 
architecture implement meaningful kern_addr_valid(), so this line
    if ((unsigned long)ptr < PAGE_SIZE || IS_ERR_VALUE(ptr))
is still need.  I'll send v2.

thanks,
-jane

>