1. 24 Jan, 2014 1 commit
  2. 15 Nov, 2013 1 commit
    • K
      vsprintf: ignore %n again · 9196436a
      Kees Cook committed
      This ignores %n in printf again, as was originally documented.
      Implementing %n poses a greater security risk than utility, so it should
      stay ignored.  To help anyone attempting to use %n, a warning will be
      emitted if it is encountered.
      
      Based on an earlier patch by Joe Perches.
      
      Because %n was designed to write to pointers on the stack, it has been
      frequently used as an attack vector when bugs are found that leak
      user-controlled strings into functions that ultimately process format
      strings.  While this class of bug can still be turned into an
      information leak, removing %n eliminates the common method of elevating
      such a bug into an arbitrary kernel memory writing primitive,
      significantly reducing the danger of this class of bug.
      
      For seq_file users that need to know the length of a written string for
      padding, please see seq_setwidth() and seq_pad() instead.
      Signed-off-by: Kees Cook <keescook@chromium.org>
      Cc: Joe Perches <joe@perches.com>
      Cc: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
      Cc: David Miller <davem@davemloft.net>
      Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
      9196436a
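
The behaviour this commit message describes (ignore %n, warn, never write through the pointer), as a userspace C sketch. It is an added example, not code from lib/vsprintf.c: `mini_snprintf`, `put` and `ignored_n_count` are hypothetical names, and consuming the %n argument so that later arguments stay aligned is an assumption of the sketch.

```c
/* Added userspace sketch, not lib/vsprintf.c. Names are hypothetical. */
#include <stdarg.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

static int ignored_n_count;   /* stands in for the kernel's warning */

/* Store one character if it fits, keeping room for the final NUL. */
static void put(char *buf, size_t size, size_t *pos, char c)
{
    if (*pos + 1 < size)
        buf[*pos] = c;
    (*pos)++;
}

/* Handles %s, %d, %% and %n only; returns the untruncated length. */
int mini_snprintf(char *buf, size_t size, const char *fmt, ...)
{
    va_list ap;
    size_t pos = 0;
    char num[16];
    const char *s;

    va_start(ap, fmt);
    for (; *fmt; fmt++) {
        if (*fmt != '%') { put(buf, size, &pos, *fmt); continue; }
        if (*++fmt == '\0')
            break;                      /* lone '%' at end of format */
        switch (*fmt) {
        case 's':
            for (s = va_arg(ap, const char *); *s; s++)
                put(buf, size, &pos, *s);
            break;
        case 'd':
            snprintf(num, sizeof(num), "%d", va_arg(ap, int));
            for (s = num; *s; s++)
                put(buf, size, &pos, *s);
            break;
        case 'n':
            /* Assumption: consume the pointer so later arguments stay
             * aligned, but never store the running count through it. */
            (void)va_arg(ap, void *);
            ignored_n_count++;
            break;
        default:                        /* "%%" or unknown: emit literally */
            put(buf, size, &pos, *fmt);
        }
    }
    va_end(ap);
    if (size)
        buf[pos < size ? pos : size - 1] = '\0';
    return (int)pos;
}
```
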
  3. 13 Nov, 2013 2 commits
    • O
      lib/vsprintf.c: document formats for dentry and struct file · c0d92a57
      Olof Johansson committed
      Looks like these were added to Documentation/printk-formats.txt but
      not the in-file table.
      Signed-off-by: Olof Johansson <olof@lixom.net>
      Cc: Al Viro <viro@zeniv.linux.org.uk>
      Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
      c0d92a57
    • R
      vsprintf: check real user/group id for %pK · 312b4e22
      Ryan Mallon committed
      Some setuid binaries will allow reading of files which have read
      permission by the real user id.  This is problematic with files which
      use %pK because the file access permission is checked at open() time,
      but the kptr_restrict setting is checked at read() time.  If a setuid
      binary opens a %pK file as an unprivileged user, and then elevates
      permissions before reading the file, then kernel pointer values may be
      leaked.
      
      This happens for example with the setuid pppd application on Ubuntu 12.04:
      
        $ head -1 /proc/kallsyms
        00000000 T startup_32
      
        $ pppd file /proc/kallsyms
        pppd: In file /proc/kallsyms: unrecognized option 'c1000000'
      
      This will only leak the pointer value from the first line, but other
      setuid binaries may leak more information.
      
      Fix this by adding a check that in addition to the current process having
      CAP_SYSLOG, that effective user and group ids are equal to the real ids.
      If a setuid binary reads the contents of a file which uses %pK then the
      pointer values will be printed as NULL if the real user is unprivileged.
      
      Update the sysctl documentation to reflect the changes, and also correct
      the documentation to state the kptr_restrict=0 is the default.
      
      This is only a temporary solution to the issue.  The correct solution is
      to do the permission check at open() time on files, and to replace %pK
      with a function which checks the open() time permission.  %pK uses in
      printk should be removed since no sane permission check can be done, and
      instead protected by using dmesg_restrict.
      Signed-off-by: Ryan Mallon <rmallon@gmail.com>
      Cc: Kees Cook <keescook@chromium.org>
      Cc: Alexander Viro <viro@zeniv.linux.org.uk>
      Cc: Joe Perches <joe@perches.com>
      Cc: "Eric W. Biederman" <ebiederm@xmission.com>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
      312b4e22
  4. 04 Sep, 2013 1 commit
    • A
      add formats for dentry/file pathnames · 4b6ccca7
      Al Viro committed
      New formats: %p[dD][234]?.  The next pointer is interpreted as struct dentry *
      or struct file * resp. ('d' => dentry, 'D' => file) and the last component(s)
      of pathname are printed (%pd => just the last one, %pd2 => the last two, etc.)
      Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
      4b6ccca7
  5. 02 Jul, 2013 1 commit
    • D
      lib: vsprintf: add IPv4/v6 generic %p[Ii]S[pfs] format specifier · 10679643
      Daniel Borkmann committed
      In order to avoid making code that deals with printing both, IPv4 and
      IPv6 addresses, unnecessarily complicated as for example ...
      
        if (sa.sa_family == AF_INET6)
          printk("... %pI6 ...", ..sin6_addr);
        else
          printk("... %pI4 ...", ..sin_addr.s_addr);
      
      ... it would be better to introduce a format specifier that can deal
      with those kind of situations internally; just as we have a "struct
      sockaddr" for generic mapping into "struct sockaddr_in" or "struct
      sockaddr_in6" as e.g. done in "union sctp_addr". Then, we could
      reduce the above statement into something like:
      
        printk("... %pIS ..", &sockaddr);
      
      In case our pointer is NULL, pointer() then deals with that already at
      an earlier point in time internally. While we're at it, support for both
      %piS/%pIS, where 'S' stands for sockaddr, comes (almost) for free.
      
      Additionally to that, postfix specifiers 'p', 'f' and 's' are supported
      as suggested and initially implemented in 2009 by Joe Perches [1].
      Handling of those additional specifiers orientate on the initial RFC that
      was proposed. Also we support IPv6 compressed format specified by 'c' and
      various other IPv4 extensions as stated in the documentation part.
      
      Likely, there are many other areas than just SCTP in the kernel to make
      use of this extension as well.
      
       [1] http://patchwork.ozlabs.org/patch/31480/
      Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
      CC: Joe Perches <joe@perches.com>
      CC: linux-kernel@vger.kernel.org
      Signed-off-by: David S. Miller <davem@davemloft.net>
      10679643
  6. 29 May, 2013 1 commit
  7. 01 May, 2013 1 commit
    • J
      vsprintf: Add extension %pSR - print_symbol replacement · b0d33c2b
      Joe Perches committed
      print_symbol takes a long and converts it to a function
      name and offset.  %pS does something similar, but doesn't
      translate the address via __builtin_extract_return_addr.
      %pSR does the translation.
      
      This will enable replacing multiple calls like
      	printk(...);
      	printk_symbol(addr);
      	printk("\n");
      with a single non-interleavable in dmesg
      	printk("... %pSR\n", (void *)addr);
      
      Update documentation too.
      Signed-off-by: Joe Perches <joe@perches.com>
      Signed-off-by: Jiri Kosina <jkosina@suse.cz>
      b0d33c2b
  8. 22 Feb, 2013 1 commit
  9. 18 Dec, 2012 3 commits
  10. 06 Oct, 2012 6 commits
  11. 31 Jul, 2012 4 commits
  12. 01 Jun, 2012 2 commits
    • D
      vsprintf: further optimize decimal conversion · 133fd9f5
      Denys Vlasenko committed
      Previous code was using optimizations which were developed to work well
      even on narrow-word CPUs (by today's standards).  But Linux runs only on
      32-bit and wider CPUs.  We can use that.
      
      First: using 32x32->64 multiply and trivial 32-bit shift, we can correctly
      divide by 10 much larger numbers, and thus we can print groups of 9 digits
      instead of groups of 5 digits.
      
      Next: there are two algorithms to print larger numbers.  One is generic:
      divide by 1000000000 and repeatedly print groups of (up to) 9 digits.
      It's conceptually simple, but requires an (unsigned long long) /
      1000000000 division.
      
      Second algorithm splits 64-bit unsigned long long into 16-bit chunks,
      manipulates them cleverly and generates groups of 4 decimal digits.  It so
      happens that it does NOT require long long division.
      
      If long is > 32 bits, division of 64-bit values is relatively easy, and we
      will use the first algorithm.  If long long is > 64 bits (strange
      architecture with VERY large long long), second algorithm can't be used,
      and we again use the first one.
      
      Else (if long is 32 bits and long long is 64 bits) we use second one.
      
      And third: there is a simple optimization which takes fast path not only
      for zero as was done before, but for all one-digit numbers.
      
      In all tested cases new code is faster than old one, in many cases by 30%,
      in few cases by more than 50% (for example, on x86-32, conversion of
      12345678).  Code growth is ~0 in 32-bit case and ~130 bytes in 64-bit
      case.
      
      This patch is based upon an original from Michal Nazarewicz.
      
      [akpm@linux-foundation.org: checkpatch fixes]
      Signed-off-by: Michal Nazarewicz <mina86@mina86.com>
      Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
      Cc: Douglas W Jones <jones@cs.uiowa.edu>
      Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
      133fd9f5
    • G
      vsprintf: correctly handle width when '#' flag used in %#p format · 725fe002
      Grant Likely committed
      The '%p' output of the kernel's vsprintf() uses spec.field_width to
      determine how many digits to output based on 2 * sizeof(void*) so that all
      digits of a pointer are shown.  ie.  a pointer will be output as
      "001A2B3C" instead of "1A2B3C".  However, if the '#' flag is used in the
      format (%#p), then the code doesn't take into account the width of the
      '0x' prefix and will end up outputting "0x1A2B3C" instead of "0x001A2B3C".
      
      This patch reworks the "pointer()" format hook to include 2 characters for
      the '0x' prefix if the '#' flag is included.
      
      [akpm@linux-foundation.org: checkpatch fixes]
      Signed-off-by: Grant Likely <grant.likely@secretlab.ca>
      Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
      725fe002
  13. 30 May, 2012 2 commits
  14. 24 Mar, 2012 1 commit
    • K
      procfs: add num_to_str() to speed up /proc/stat · 1ac101a5
      KAMEZAWA Hiroyuki committed
      == stat_check.py
      num = 0
      with open("/proc/stat") as f:
              while num < 1000 :
                      data = f.read()
                      f.seek(0, 0)
                      num = num + 1
      ==
      
      perf shows
      
          20.39%  stat_check.py  [kernel.kallsyms]    [k] format_decode
          13.41%  stat_check.py  [kernel.kallsyms]    [k] number
          12.61%  stat_check.py  [kernel.kallsyms]    [k] vsnprintf
          10.85%  stat_check.py  [kernel.kallsyms]    [k] memcpy
           4.85%  stat_check.py  [kernel.kallsyms]    [k] radix_tree_lookup
           4.43%  stat_check.py  [kernel.kallsyms]    [k] seq_printf
      
      This patch removes most of calls to vsnprintf() by adding num_to_str()
      and seq_print_decimal_ull(), which prints decimal numbers without rich
      functions provided by printf().
      
      On my 8cpu box.
      == Before patch ==
      [root@bluextal test]# time ./stat_check.py
      
      real    0m0.150s
      user    0m0.026s
      sys     0m0.121s
      
      == After patch ==
      [root@bluextal test]# time ./stat_check.py
      
      real    0m0.055s
      user    0m0.022s
      sys     0m0.030s
      
      [akpm@linux-foundation.org: remove incorrect comment, use less stack in num_to_str(), move comment from .h to .c, simplify seq_put_decimal_ull()]
      [andrea@betterlinux.com: avoid breaking the ABI in /proc/stat]
      Signed-off-by: KAMEZAWA Hiroyuki <kamezawa.hiroyu@jp.fujitsu.com>
      Signed-off-by: Andrea Righi <andrea@betterlinux.com>
      Cc: Eric Dumazet <eric.dumazet@gmail.com>
      Cc: Glauber Costa <glommer@parallels.com>
      Cc: Peter Zijlstra <a.p.zijlstra@chello.nl>
      Cc: Ingo Molnar <mingo@elte.hu>
      Cc: Paul Turner <pjt@google.com>
      Cc: Russell King <rmk@arm.linux.org.uk>
      Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
      1ac101a5
  15. 08 Mar, 2012 1 commit
  16. 07 Mar, 2012 1 commit
    • J
      vsprintf: make %pV handling compatible with kasprintf() · 5756b76e
      Jan Beulich committed
      kasprintf() (and potentially other functions that I didn't run across so
      far) want to evaluate argument lists twice.  Caring to do so for the
      primary list is obviously their job, but they can't reasonably be
      expected to check the format string for instances of %pV, which however
      need special handling too: On architectures like x86-64 (as opposed to
      e.g.  ix86), using the same argument list twice doesn't produce the
      expected results, as an internally managed cursor gets updated during
      the first run.
      
      Fix the problem by always acting on a copy of the original list when
      handling %pV.
      Signed-off-by: Jan Beulich <jbeulich@suse.com>
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
      5756b76e
  17. 17 Nov, 2011 1 commit
  18. 01 Nov, 2011 2 commits
  19. 26 Jul, 2011 1 commit
  20. 15 Jul, 2011 1 commit
  21. 10 Jun, 2011 1 commit
  22. 25 May, 2011 1 commit
  23. 13 May, 2011 1 commit
    • I
      vsprintf: Turn kptr_restrict off by default · 411f05f1
      Ingo Molnar committed
      kptr_restrict has been triggering bugs in apps such as perf, and it also makes
      the system less useful by default, so turn it off by default.
      
      This is how we generally handle security features that remove functionality,
      such as firewall code or SELinux - they have to be configured and activated
      from user-space.
      
      Distributions can turn kptr_restrict on again via this line in
      /etc/sysctrl.conf:
      
      kernel.kptr_restrict = 1
      
      ( Also mark the variable __read_mostly while at it, as it's typically modified
        only once per bootup, or not at all. )
      Signed-off-by: Ingo Molnar <mingo@elte.hu>
      Acked-by: David S. Miller <davem@davemloft.net>
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
      411f05f1
  24. 06 Apr, 2011 1 commit
  25. 24 Mar, 2011 1 commit
    • N
      vsprintf: Introduce %pB format specifier · 0f77a8d3
      Namhyung Kim committed
      The %pB format specifier is for stack backtrace. Its handler
      sprint_backtrace() does symbol lookup using (address-1) to
      ensure the address will not point outside of the function.
      
      If there is a tail-call to the function marked "noreturn",
      gcc optimized out the code after the call then causes saved
      return address points outside of the function (i.e. the start
      of the next function), so pollutes call trace somewhat.
      
      This patch adds the %pB printk mechanism that allows architecture
      call-trace printout functions to improve backtrace printouts.
      Signed-off-by: Namhyung Kim <namhyung@gmail.com>
      Acked-by: Steven Rostedt <rostedt@goodmis.org>
      Acked-by: Frederic Weisbecker <fweisbec@gmail.com>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Andrew Morton <akpm@linux-foundation.org>
      Cc: linux-arch@vger.kernel.org
      LKML-Reference: <1300934550-21394-1-git-send-email-namhyung@gmail.com>
      Signed-off-by: Ingo Molnar <mingo@elte.hu>
      0f77a8d3
  26. 23 Mar, 2011 1 commit
    • A
      kstrto*: converting strings to integers done (hopefully) right · 33ee3b2e
      Alexey Dobriyan committed
      1. simple_strto*() do not contain overflow checks and crufty,
         libc way to indicate failure.
      2. strict_strto*() also do not have overflow checks but the name and
         comments pretend they do.
      3. Both families have only "long long" and "long" variants,
         but users want strtou8()
      4. Both "simple" and "strict" prefixes are wrong:
         Simple doesn't exactly say what's so simple, strict should not exist
         because conversion should be strict by default.
      
      The solution is to use "k" prefix and add convertors for more types.
      Enter
      	kstrtoull()
      	kstrtoll()
      	kstrtoul()
      	kstrtol()
      	kstrtouint()
      	kstrtoint()
      
      	kstrtou64()
      	kstrtos64()
      	kstrtou32()
      	kstrtos32()
      	kstrtou16()
      	kstrtos16()
      	kstrtou8()
      	kstrtos8()
      
      Include runtime testsuite (somewhat incomplete) as well.
      
      strict_strto*() become deprecated, stubbed to kstrto*() and
      eventually will be removed altogether.
      
      Use kstrto*() in code today!
      
      Note: on some archs _kstrtoul() and _kstrtol() are left in tree, even if
            they'll be unused at runtime. This is a temporary solution,
            because I don't want to hardcode list of archs where these
            functions aren't needed. Current solution with sizeof() and
            __alignof__ at least always works.
      Signed-off-by: Alexey Dobriyan <adobriyan@gmail.com>
      Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
      33ee3b2e
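
Points 1 to 3 of the kstrto* commit message above, as a userspace C sketch of what a strict, overflow-checked conversion looks like next to a parse-wide-then-cast one. It is an added example, not the kernel's kstrto*() code: `strict_parse_ull`, `strict_parse_u8` and `lax_parse_u8` are hypothetical names, and the sketch handles base 10 only.

```c
#include <errno.h>
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Strict base-10 parse: the whole string must be digits (one trailing
 * '\n' is tolerated) and overflow is reported instead of wrapping. */
int strict_parse_ull(const char *s, unsigned long long *out)
{
    unsigned long long acc = 0;

    if (*s < '0' || *s > '9')
        return -EINVAL;                 /* empty, sign, or leading junk */
    for (; *s >= '0' && *s <= '9'; s++) {
        unsigned d = (unsigned)(*s - '0');
        if (acc > (ULLONG_MAX - d) / 10)
            return -ERANGE;             /* acc * 10 + d would overflow */
        acc = acc * 10 + d;
    }
    if (*s == '\n')
        s++;
    if (*s != '\0')
        return -EINVAL;                 /* trailing garbage, e.g. "12abc" */
    *out = acc;
    return 0;
}

/* Narrow variant: range-check against the target type before the cast. */
int strict_parse_u8(const char *s, uint8_t *out)
{
    unsigned long long v;
    int rc = strict_parse_ull(s, &v);

    if (rc)
        return rc;
    if (v > UINT8_MAX)
        return -ERANGE;
    *out = (uint8_t)v;
    return 0;
}

/* Lax contrast: parse wide, cast, no checks; "256" silently becomes 0. */
uint8_t lax_parse_u8(const char *s)
{
    return (uint8_t)strtoul(s, NULL, 10);
}

int main(void)
{
    uint8_t b = 0;
    printf("strict \"256\" -> %d, lax \"256\" -> %u\n",
           strict_parse_u8("256", &b), (unsigned)lax_parse_u8("256"));
    return 0;
}
```
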