Commit 6618d69a authored by Miguel Ojeda's avatar Miguel Ojeda

rust: print: avoid evaluating arguments in `pr_*` macros in `unsafe` blocks

At the moment it is possible to perform unsafe operations in
the arguments of `pr_*` macros since they are evaluated inside
an `unsafe` block:

    let x = &10u32 as *const u32;
    pr_info!("{}", *x);

In other words, this is a soundness issue.

Fix it so that it requires an explicit `unsafe` block.
Reported-by: default avatarWedson Almeida Filho <wedsonaf@gmail.com>
Reported-by: default avatarDomen Puncer Kugler <domen.puncerkugler@nccgroup.com>
Link: https://github.com/Rust-for-Linux/linux/issues/479Signed-off-by: default avatarMiguel Ojeda <ojeda@kernel.org>
Reviewed-by: default avatarBoqun Feng <boqun.feng@gmail.com>
Reviewed-by: default avatarGary Guo <gary@garyguo.net>
Reviewed-by: default avatarBjörn Roy Baron <bjorn3_gh@protonmail.com>
Reviewed-by: default avatarVincenzo Palazzo <vincenzopalazzodev@gmail.com>
parent 5dc4c995
...@@ -142,18 +142,25 @@ pub fn call_printk_cont(args: fmt::Arguments<'_>) { ...@@ -142,18 +142,25 @@ pub fn call_printk_cont(args: fmt::Arguments<'_>) {
macro_rules! print_macro ( macro_rules! print_macro (
// The non-continuation cases (most of them, e.g. `INFO`). // The non-continuation cases (most of them, e.g. `INFO`).
($format_string:path, false, $($arg:tt)+) => ( ($format_string:path, false, $($arg:tt)+) => (
// To remain sound, `arg`s must be expanded outside the `unsafe` block.
// Typically one would use a `let` binding for that; however, `format_args!`
// takes borrows on the arguments, but does not extend the scope of temporaries.
// Therefore, a `match` expression is used to keep them around, since
// the scrutinee is kept until the end of the `match`.
match format_args!($($arg)+) {
// SAFETY: This hidden macro should only be called by the documented // SAFETY: This hidden macro should only be called by the documented
// printing macros which ensure the format string is one of the fixed // printing macros which ensure the format string is one of the fixed
// ones. All `__LOG_PREFIX`s are null-terminated as they are generated // ones. All `__LOG_PREFIX`s are null-terminated as they are generated
// by the `module!` proc macro or fixed values defined in a kernel // by the `module!` proc macro or fixed values defined in a kernel
// crate. // crate.
unsafe { args => unsafe {
$crate::print::call_printk( $crate::print::call_printk(
&$format_string, &$format_string,
crate::__LOG_PREFIX, crate::__LOG_PREFIX,
format_args!($($arg)+), args,
); );
} }
}
); );
// The `CONT` case. // The `CONT` case.
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment