Re: [PATCH] lib: vsprintf: fix invalid arg check

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Vasiliy Kulikov <segooon@gmail.com>
To: David Rientjes <rientjes@google.com>
Cc: "Andrew Morton" <akpm@linux-foundation.org>,
	kernel-janitors@vger.kernel.org,
	"André Goddard Rosa" <andre.goddard@gmail.com>,
	"Joe Perches" <joe@perches.com>,
	"Frederic Weisbecker" <fweisbec@gmail.com>,
	"Bjorn Helgaas" <bjorn.helgaas@hp.com>,
	linux-kernel@vger.kernel.org
Subject: Re: [PATCH] lib: vsprintf: fix invalid arg check
Date: Fri, 12 Nov 2010 17:42:03 +0000	[thread overview]
Message-ID: <20101112174203.GA10430@albatros> (raw)
In-Reply-To: <alpine.DEB.2.00.1011111319110.25829@chino.kir.corp.google.com>

On Thu, Nov 11, 2010 at 13:34 -0800, David Rientjes wrote:
> On Fri, 12 Nov 2010, Vasiliy Kulikov wrote:
> > OK, if the main reason here is return value type, then the correct
> > handling should be:
> > 
> > 	/* Reject out-of-range values early.  Large positive sizes are
> > 	   used for unknown buffer sizes. */
> > -	if (WARN_ON_ONCE((int) size < 0))
> > +	if (WARN_ON_ONCE(size > INT_MAX)
> > 		return 0;
> > 
> > This should catch all underflows and too big integers.
> > 
> 
> That is equivalent since size_t is always unsigned;

Not equivalent:

void test_size(size_t size)
{
    char buffer[128];
    sprintf(buffer, "size %lx is BAD", size);
    snprintf(buffer, size, "size %lx is OK", size);
    pr_info("%s\n", buffer);
    if (size > INT_MAX)
        pr_info("%lx is catched by (size) > INT_MAX", size);
}

static int init(void) {
        test_size(0x7FFFFFFF);
        test_size(0x80000000);
        test_size(0x80000001);
        test_size(0xFFFFFFFF);
        test_size(0x100000000);
        test_size(0x100000001);
        test_size(0x17fffffff);
        test_size(0x180000000);
        test_size(0x180000001);

        return 0;
}


Output on x86_64:

[12486.542047] size 7fffffff is OK
[12486.542051] size 80000000 is BAD
[12486.542053] 80000000 is catched by (size) > INT_MAX
[12486.542055] size 80000001 is BAD
[12486.542057] 80000001 is catched by (size) > INT_MAX
[12486.542059] size ffffffff is BAD
[12486.542061] ffffffff is catched by (size) > INT_MAX
[12486.542063] size 100000000 is OK
[12486.542065] 100000000 is catched by (size) > INT_MAX
[12486.542067] size 100000001 is OK
[12486.542069] 100000001 is catched by (size) > INT_MAX
[12486.542071] size 17fffffff is OK
[12486.542073] 17fffffff is catched by (size) > INT_MAX
[12486.542075] size 180000000 is BAD
[12486.542077] 180000000 is catched by (size) > INT_MAX
[12486.542079] size 180000001 is BAD
[12486.542081] 180000001 is catched by (size) > INT_MAX


-- 
Vasiliy

WARNING: multiple messages have this Message-ID (diff)

From: Vasiliy Kulikov <segooon@gmail.com>
To: David Rientjes <rientjes@google.com>
Cc: "Andrew Morton" <akpm@linux-foundation.org>,
	kernel-janitors@vger.kernel.org,
	"André Goddard Rosa" <andre.goddard@gmail.com>,
	"Joe Perches" <joe@perches.com>,
	"Frederic Weisbecker" <fweisbec@gmail.com>,
	"Bjorn Helgaas" <bjorn.helgaas@hp.com>,
	linux-kernel@vger.kernel.org
Subject: Re: [PATCH] lib: vsprintf: fix invalid arg check
Date: Fri, 12 Nov 2010 20:42:03 +0300	[thread overview]
Message-ID: <20101112174203.GA10430@albatros> (raw)
In-Reply-To: <alpine.DEB.2.00.1011111319110.25829@chino.kir.corp.google.com>

On Thu, Nov 11, 2010 at 13:34 -0800, David Rientjes wrote:
> On Fri, 12 Nov 2010, Vasiliy Kulikov wrote:
> > OK, if the main reason here is return value type, then the correct
> > handling should be:
> > 
> > 	/* Reject out-of-range values early.  Large positive sizes are
> > 	   used for unknown buffer sizes. */
> > -	if (WARN_ON_ONCE((int) size < 0))
> > +	if (WARN_ON_ONCE(size > INT_MAX)
> > 		return 0;
> > 
> > This should catch all underflows and too big integers.
> > 
> 
> That is equivalent since size_t is always unsigned;

Not equivalent:

void test_size(size_t size)
{
    char buffer[128];
    sprintf(buffer, "size %lx is BAD", size);
    snprintf(buffer, size, "size %lx is OK", size);
    pr_info("%s\n", buffer);
    if (size > INT_MAX)
        pr_info("%lx is catched by (size) > INT_MAX", size);
}

static int init(void) {
        test_size(0x7FFFFFFF);
        test_size(0x80000000);
        test_size(0x80000001);
        test_size(0xFFFFFFFF);
        test_size(0x100000000);
        test_size(0x100000001);
        test_size(0x17fffffff);
        test_size(0x180000000);
        test_size(0x180000001);

        return 0;
}


Output on x86_64:

[12486.542047] size 7fffffff is OK
[12486.542051] size 80000000 is BAD
[12486.542053] 80000000 is catched by (size) > INT_MAX
[12486.542055] size 80000001 is BAD
[12486.542057] 80000001 is catched by (size) > INT_MAX
[12486.542059] size ffffffff is BAD
[12486.542061] ffffffff is catched by (size) > INT_MAX
[12486.542063] size 100000000 is OK
[12486.542065] 100000000 is catched by (size) > INT_MAX
[12486.542067] size 100000001 is OK
[12486.542069] 100000001 is catched by (size) > INT_MAX
[12486.542071] size 17fffffff is OK
[12486.542073] 17fffffff is catched by (size) > INT_MAX
[12486.542075] size 180000000 is BAD
[12486.542077] 180000000 is catched by (size) > INT_MAX
[12486.542079] size 180000001 is BAD
[12486.542081] 180000001 is catched by (size) > INT_MAX


-- 
Vasiliy

next prev parent reply	other threads:[~2010-11-12 17:42 UTC|newest]

Thread overview: 16+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2010-11-10 20:38 [PATCH] lib: vsprintf: fix invalid arg check Vasiliy Kulikov
2010-11-10 20:38 ` Vasiliy Kulikov
2010-11-10 21:08 ` Andrew Morton
2010-11-10 21:08   ` Andrew Morton
2010-11-10 21:38   ` David Rientjes
2010-11-10 21:38     ` David Rientjes
2010-11-11  8:34     ` Vasiliy Kulikov
2010-11-11  8:34       ` Vasiliy Kulikov
2010-11-11 20:38       ` David Rientjes
2010-11-11 20:38         ` David Rientjes
2010-11-11 21:02         ` Vasiliy Kulikov
2010-11-11 21:02           ` Vasiliy Kulikov
2010-11-11 21:34           ` David Rientjes
2010-11-11 21:34             ` David Rientjes
2010-11-12 17:42             ` Vasiliy Kulikov [this message]
2010-11-12 17:42               ` Vasiliy Kulikov

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20101112174203.GA10430@albatros \
    --to=segooon@gmail.com \
    --cc=akpm@linux-foundation.org \
    --cc=andre.goddard@gmail.com \
    --cc=bjorn.helgaas@hp.com \
    --cc=fweisbec@gmail.com \
    --cc=joe@perches.com \
    --cc=kernel-janitors@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=rientjes@google.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.