public inbox for linux-kernel@vger.kernel.org
 help / color / mirror / Atom feed
From: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
To: Linus Torvalds <torvalds@linux-foundation.org>
Cc: thomas.preston@codethink.co.uk,
	Andrew Morton <akpm@linux-foundation.org>,
	Petr Mladek <pmladek@suse.com>,
	Steven Rostedt <rostedt@goodmis.org>,
	geert+renesas@glider.be, Jonathan Corbet <corbet@lwn.net>,
	tcharding <me@tobin.cc>,
	Sergey Senozhatsky <sergey.senozhatsky@gmail.com>,
	Linux List Kernel Mailing <linux-kernel@vger.kernel.org>,
	ben.dooks@codethink.co.uk
Subject: Re: [PATCH 2/2] vsprintf: Stop using obsolete simple_strtoul()
Date: Tue, 11 Dec 2018 20:04:58 +0200	[thread overview]
Message-ID: <20181211180458.GE10650@smile.fi.intel.com> (raw)
In-Reply-To: <CAHk-=wi2kvoDh3z_X3ZCBcyAX1MU4OedPkQjA-4=bR=6q7AT3w@mail.gmail.com>

On Tue, Dec 11, 2018 at 09:22:22AM -0800, Linus Torvalds wrote:
> On Tue, Dec 11, 2018 at 7:21 AM Thomas Preston
> <thomas.preston@codethink.co.uk> wrote:
> >
> > Stop using the obsolete functions simple_strtoul() and
> > simple_strtoull(). Instead, we should use the improved kstrtol() and
> > kstrtoll() functions. To do this, we must copy the current field into a
> > null-terminated tmpstr and advance the variable `next` manually.
> 
> I see what you're trying to do, but this fix is much much worse than
> the bug was.
> 
> > +               if (field_width > 0) {
> > +                       char tmpstr[INT_BUF_LEN];
> > +                       int ret;
> > +
> > +                       strscpy(tmpstr, str, field_width+1);
> 
> If field_width is larger than INT_BUF_LEN, you are now corrupting kernel stack.
> 
> And no, you can't fix it by limiting field_width, since a large
> field_width is quite possible and might even be valid - and still fit
> in an int. Maybe the number is
> 
>     000000000000000000000001
> 
> or something?
> 
> A fix might be to skip leading zeroes.
> 
> Honestly, just do it by hand. Don't use kstrol and friends at all.
> Just do something like
> 
>     unsigned long long val = 0;
>     p = str;
>     for (;;) {
>         int c;
>         if (field_width > 0 && p - str >= field_width)
>             break;
>         c = hexval(*p++);
>         if (c < 0 || c > base)
>             break;
>         val = val * base + c;
>         // check for overflow

I think it's slightly more complicated, I run the following test case on glibc:

	uint32_t hi, lo, t;

        sscanf("00fafafafa0d0b0b0b0c000000", "%8x%8x%x", &hi, &lo, &t);

64-bit:
	HI: 00fafafa LO: fa0d0b0b (c000000)
32-bit:
	HI: 00fafafa LO: fa0d0b0b (ffffffff)

>     }
>     /* Now do "sign" and range checking on val */
>     /* Ta-daa, all done */
> 
> or similar.  Treat the above as pseudo-code, I didn't fill in all the details.
> 
>             Linus

-- 
With Best Regards,
Andy Shevchenko



  reply	other threads:[~2018-12-11 18:05 UTC|newest]

Thread overview: 7+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2018-12-11 15:21 [PATCH 0/2] vsprintf Stop using obsolete simple_strtoul() Thomas Preston
2018-12-11 15:21 ` [PATCH 1/2] vsprintf: Specify type for union val members Thomas Preston
2018-12-11 15:21 ` [PATCH 2/2] vsprintf: Stop using obsolete simple_strtoul() Thomas Preston
2018-12-11 17:22   ` Linus Torvalds
2018-12-11 18:04     ` Andy Shevchenko [this message]
2018-12-11 18:19       ` Linus Torvalds
2018-12-11 21:30         ` Andy Shevchenko

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20181211180458.GE10650@smile.fi.intel.com \
    --to=andriy.shevchenko@linux.intel.com \
    --cc=akpm@linux-foundation.org \
    --cc=ben.dooks@codethink.co.uk \
    --cc=corbet@lwn.net \
    --cc=geert+renesas@glider.be \
    --cc=linux-kernel@vger.kernel.org \
    --cc=me@tobin.cc \
    --cc=pmladek@suse.com \
    --cc=rostedt@goodmis.org \
    --cc=sergey.senozhatsky@gmail.com \
    --cc=thomas.preston@codethink.co.uk \
    --cc=torvalds@linux-foundation.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox