[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20171115025603.GB10377@voyager>
Date: Tue, 14 Nov 2017 18:56:03 -0800
From: Ricardo Neri <ricardo.neri-calderon@...ux.intel.com>
To: Ingo Molnar <mingo@...nel.org>
Cc: Thomas Gleixner <tglx@...utronix.de>,
"H. Peter Anvin" <hpa@...or.com>, Borislav Petkov <bp@...e.de>,
Andy Lutomirski <luto@...nel.org>,
Tony Luck <tony.luck@...el.com>,
Paolo Bonzini <pbonzini@...hat.com>,
"Ravi V. Shankar" <ravi.v.shankar@...el.com>, x86@...nel.org,
ricardo.neri@...el.com, linux-kernel@...r.kernel.org
Subject: Re: [RESEND PATCH v2 4/4] x86/umip: Warn if UMIP-protected
instructions are used
On Tue, Nov 14, 2017 at 08:34:08AM +0100, Ingo Molnar wrote:
>
> * Ricardo Neri <ricardo.neri-calderon@...ux.intel.com> wrote:
>
> > +const char * const umip_insns[5] = {
> > + [UMIP_INST_SGDT] = "sgdt",
> > + [UMIP_INST_SIDT] = "sidt",
> > + [UMIP_INST_SMSW] = "smsw",
> > + [UMIP_INST_SLDT] = "sldt",
> > + [UMIP_INST_STR] = "str",
> > +};
>
> Sigh ...
It made sense to me to capitalize code and changelogs but keep the printed warnings
in lower case. Thus, the format would look like:
umip: smsw instruction cannot be used by applications.
I do see that this could be confusing with STR. I will capitalize these as well.
>
> > +/*
> > + * If you change these strings, ensure that buffers using them are sufficiently
> > + * large.
> > + */
> > +static const char umip_warn_use[] = "cannot be used by applications.";
> > +static const char umip_warn_emu[] = "For now, expensive software emulation returns result.";
>
> Please use the string literals directly, don't add an extra obfuscation layer.
>
> Plus:
>
> > + unsigned char buf[MAX_INSN_SIZE], warn[128];
>
> > + snprintf(warn, sizeof(warn), "%s %s", umip_insns[umip_inst],
> > + umip_warn_use);
>
> This is incredibly fragile against future buffer overflows, and warning about it
> in comments does not make it less fragile!
I need to concatenate the instruction mnemonic with the a string. Does something like
this is more acceptable?
unsigned char warn[50];
...
strcpy(warn, umip_insns[umip_inst]);
strcat(warn, " instruction cannot be used by applications.");
umip_pr_warn(regs, warn, 0);
In this manner I use the string literal directly but I still have a buffer that might
overflow. Code looks more clear to me. I could #defines for the string lengths or
set a maximum length.
Thanks and BR,
Ricardo
Powered by blists - more mailing lists