From: Alexey Dobriyan <adobriyan@gmail.com>
To: akpm@linux-foundation.org
Cc: linux-kernel@vger.kernel.org, linux@rasmusvillemoes.dk
Subject: [PATCH 06/12] scanf: fix type range overflow
Date: Fri, 8 May 2015 21:34:32 +0300
Message-ID: <20150508183432.GD9182@p183.telecom.by>
In-Reply-To: <20150508182911.GA9044@p183.telecom.by>

Fun fact:

	uint8_t val;
	sscanf("256", "%hhu", &val);

will return 1 and make val=0 (clearly bogus).

Userspace sscanf() reports 1 parsed value and returns an incorrect value,
but sets errno to ERANGE only for "%u" conversions and higher.
%hhu and %hu are left in the cold.

Having no way to report errno=ERANGE in the kernel, don't report
successful parsing.

The patch allows removing checks and switching to proper types
in several (most?) cases:

	grep -e 'scanf.*%[0-9]\+[dioux]' -n -r .

Such checks can be incorrect too -- checking for 3 digits with %3u
for parsing uint8_t is not enough.

Signed-off-by: Alexey Dobriyan <adobriyan@gmail.com>
---
 lib/vsprintf.c | 45 ++++++++++++++++++++++++++++++++++-----------
 1 file changed, 34 insertions(+), 11 deletions(-)

diff --git a/lib/vsprintf.c b/lib/vsprintf.c
index 6509c54..58051b4 100644
--- a/lib/vsprintf.c
+++ b/lib/vsprintf.c
@@ -2632,44 +2632,67 @@ int vsscanf(const char *buf, const char *fmt, va_list args)
 
 		switch (qualifier) {
 		case 'H':	/* that's 'hh' in format */
-			if (is_sign)
+			if (is_sign) {
+				if (val.s != (signed char)val.s)
+					goto out;
 				*va_arg(args, signed char *) = val.s;
-			else
+			} else {
+				if (val.u != (unsigned char)val.u)
+					goto out;
 				*va_arg(args, unsigned char *) = val.u;
+			}
 			break;
 		case 'h':
-			if (is_sign)
+			if (is_sign) {
+				if (val.s != (short)val.s)
+					goto out;
 				*va_arg(args, short *) = val.s;
-			else
+			} else {
+				if (val.u != (unsigned short)val.u)
+					goto out;
 				*va_arg(args, unsigned short *) = val.u;
+			}
 			break;
 		case 'l':
-			if (is_sign)
+			if (is_sign) {
+				if (val.s != (long)val.s)
+					goto out;
 				*va_arg(args, long *) = val.s;
-			else
+			} else {
+				if (val.u != (unsigned long)val.u)
+					goto out;
 				*va_arg(args, unsigned long *) = val.u;
+			}
 			break;
 		case 'L':
-			if (is_sign)
+			if (is_sign) {
 				*va_arg(args, long long *) = val.s;
-			else
+			} else {
 				*va_arg(args, unsigned long long *) = val.u;
+			}
 			break;
 		case 'Z':
 		case 'z':
+			if (val.u != (size_t)val.u)
+				goto out;
 			*va_arg(args, size_t *) = val.u;
 			break;
 		default:
-			if (is_sign)
+			if (is_sign) {
+				if (val.s != (int)val.s)
+					goto out;
 				*va_arg(args, int *) = val.s;
-			else
+			} else {
+				if (val.u != (unsigned int)val.u)
+					goto out;
 				*va_arg(args, unsigned int *) = val.u;
+			}
 			break;
 		}
 		num++;
 		str += len;
 	}
-
+out:
 	return num;
 }
 EXPORT_SYMBOL(vsscanf);
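Review bot: the 'Z'/'z' arm adds `if (val.u != (size_t)val.u)` without the is_sign split every other arm gets, so a signed conversion that reaches it (a %zd input) is range-checked as unsigned: val.u is at least unsigned long long wide (the 'L' arm stores it into one unchecked), so on a 32-bit build the sign-extended pattern for "-1" never equals its size_t truncation and parsing stops, while on 64-bit it passes and is stored as SIZE_MAX. Either mirror the other arms with `if (is_sign) { if (val.s != (ssize_t)val.s) goto out; ... }` or add a one-line comment that 'z' is deliberately unsigned-only. A comment above `out:` saying that the goto intentionally leaves num and str untouched, so the caller sees the conversion as not having happened, would also document the behaviour change the commit message describes.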
-- 
2.0.4
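As an added example that is not part of the patch or the kernel tree, here is a userspace model of the round-trip check the hunk introduces (parse into the widest type, then reject anything that changes when truncated to the destination), next to what libc does today for the commit message's "%hhu" and "%3u" cases; parse_u8, parse_s8 and libc_demo are names chosen for this illustration.

```c
/* Added example, not from the patch: a userspace model of the range check
 * the hunk adds. Parse into the widest type, then reject a value that does
 * not survive a round trip through the narrow destination type. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Returns 1 and stores the value, or 0 when the text is not a plain decimal
 * or does not fit. As in the patch, "does not fit" means "not parsed",
 * because the kernel has no errno/ERANGE to report. */
static int parse_u8(const char *s, uint8_t *out)
{
    char *end;
    unsigned long long val;
    if (*s == '-')                 /* strtoull would silently negate it */
        return 0;
    errno = 0;
    val = strtoull(s, &end, 10);
    if (end == s || *end != '\0' || errno == ERANGE)
        return 0;
    if (val != (unsigned char)val) /* the hunk's unsigned width test */
        return 0;
    *out = (uint8_t)val;
    return 1;
}

static int parse_s8(const char *s, int8_t *out)
{
    char *end;
    long long val;
    errno = 0;
    val = strtoll(s, &end, 10);
    if (end == s || *end != '\0' || errno == ERANGE)
        return 0;
    if (val != (signed char)val)   /* the hunk's signed width test */
        return 0;
    *out = (int8_t)val;
    return 1;
}

/* What libc does today: "%hhu" on "256" counts as one conversion and stores
 * 0, and a field width is not a range check: "%3u" accepts "999", which
 * wraps to 231 on assignment to a uint8_t. Returns the conversion count. */
static int libc_demo(unsigned char *hh, unsigned int *wide)
{
    return sscanf("256", "%hhu", hh) + sscanf("999", "%3u", wide);
}
```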

