From: Demi Marie Obenour <demi@invisiblethingslab.com>
To: Hans de Goede <hdegoede@redhat.com>,
Mauro Carvalho Chehab <mchehab@kernel.org>,
Sakari Ailus <sakari.ailus@linux.intel.com>,
Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
Juergen Gross <jgross@suse.com>,
Stefano Stabellini <sstabellini@kernel.org>,
Oleksandr Tyshchenko <oleksandr_tyshchenko@epam.com>,
Lee Jones <lee@kernel.org>, Andy Lutomirski <luto@kernel.org>,
Thomas Gleixner <tglx@linutronix.de>,
Vincenzo Frascino <vincenzo.frascino@arm.com>,
Petr Mladek <pmladek@suse.com>,
Steven Rostedt <rostedt@goodmis.org>,
Sergey Senozhatsky <senozhatsky@chromium.org>,
Andy Shevchenko <andriy.shevchenko@linux.intel.com>,
Rasmus Villemoes <linux@rasmusvillemoes.dk>
Cc: Demi Marie Obenour <demi@invisiblethingslab.com>,
linux-media@vger.kernel.org, linux-staging@lists.linux.dev,
linux-kernel@vger.kernel.org, xen-devel@lists.xenproject.org,
Linus Torvalds <torvalds@linux-foundation.org>
Subject: [PATCH v3 2/4] vsscanf(): Integer overflow is a conversion failure
Date: Sat, 10 Jun 2023 16:40:42 -0400 [thread overview]
Message-ID: <20230610204044.3653-3-demi@invisiblethingslab.com> (raw)
In-Reply-To: <20230610204044.3653-1-demi@invisiblethingslab.com>
sscanf() and friends currently ignore integer overflow, but this is a
bad idea. It is much better to detect integer overflow errors and
consider this a conversion failure.
This implements Linus's suggestion of using '!' to treat integer
overflow as wrapping. It does _not_ allow wrapping of unsigned
conversions by default, though, as in at least some cases accepting
negative numbers is _not_ intended.
Suggested-By: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Demi Marie Obenour <demi@invisiblethingslab.com>
---
lib/vsprintf.c | 90 ++++++++++++++++++++++++++++++++++++++------------
1 file changed, 69 insertions(+), 21 deletions(-)
diff --git a/lib/vsprintf.c b/lib/vsprintf.c
index 40f560959b169b4c4ac6154d658cfe76cfd0c5a6..9e53355c35b1d6260631868228ede1d178fe3325 100644
--- a/lib/vsprintf.c
+++ b/lib/vsprintf.c
@@ -59,7 +59,7 @@
bool no_hash_pointers __ro_after_init;
EXPORT_SYMBOL_GPL(no_hash_pointers);
-static noinline unsigned long long simple_strntoull(const char *startp, size_t max_chars, char **endp, unsigned int base)
+static noinline unsigned long long simple_strntoull(const char *startp, size_t max_chars, char **endp, unsigned int base, bool *overflow)
{
const char *cp;
unsigned long long result = 0ULL;
@@ -70,11 +70,13 @@ static noinline unsigned long long simple_strntoull(const char *startp, size_t m
prefix_chars = cp - startp;
if (prefix_chars < max_chars) {
rv = _parse_integer_limit(cp, base, &result, max_chars - prefix_chars);
- /* FIXME */
+ *overflow = !!(rv & KSTRTOX_OVERFLOW);
cp += (rv & ~KSTRTOX_OVERFLOW);
} else {
/* Field too short for prefix + digit, skip over without converting */
cp = startp + max_chars;
+ /* Treat this as a conversion failure */
+ *overflow = true;
}
if (endp)
@@ -94,7 +96,9 @@ static noinline unsigned long long simple_strntoull(const char *startp, size_t m
noinline
unsigned long long simple_strtoull(const char *cp, char **endp, unsigned int base)
{
- return simple_strntoull(cp, INT_MAX, endp, base);
+ bool _placeholder;
+
+ return simple_strntoull(cp, INT_MAX, endp, base, &_placeholder);
}
EXPORT_SYMBOL(simple_strtoull);
@@ -130,18 +134,22 @@ long simple_strtol(const char *cp, char **endp, unsigned int base)
EXPORT_SYMBOL(simple_strtol);
static long long simple_strntoll(const char *cp, size_t max_chars, char **endp,
- unsigned int base)
+ unsigned int base, bool *overflow)
{
+ unsigned long long minand;
+ bool negate;
+
/*
* simple_strntoull() safely handles receiving max_chars==0 in the
* case cp[0] == '-' && max_chars == 1.
* If max_chars == 0 we can drop through and pass it to simple_strntoull()
* and the content of *cp is irrelevant.
*/
- if (*cp == '-' && max_chars > 0)
- return -simple_strntoull(cp + 1, max_chars - 1, endp, base);
-
- return simple_strntoull(cp, max_chars, endp, base);
+ negate = *cp == '-' && max_chars > 0;
+ minand = simple_strntoull(cp + negate, max_chars - negate, endp, base, overflow);
+ if (minand > (unsigned long long)LONG_MAX + negate)
+ *overflow = true;
+ return negate ? -minand : minand;
}
/**
@@ -154,7 +162,9 @@ static long long simple_strntoll(const char *cp, size_t max_chars, char **endp,
*/
long long simple_strtoll(const char *cp, char **endp, unsigned int base)
{
- return simple_strntoll(cp, INT_MAX, endp, base);
+ bool _placeholder;
+
+ return simple_strntoll(cp, INT_MAX, endp, base, &_placeholder);
}
EXPORT_SYMBOL(simple_strtoll);
@@ -3441,7 +3451,7 @@ int vsscanf(const char *buf, const char *fmt, va_list args)
unsigned long long u;
} val;
s16 field_width;
- bool is_sign;
+ bool is_sign, overflow, allow_overflow;
while (*fmt) {
/* skip any white space in format */
@@ -3464,6 +3474,9 @@ int vsscanf(const char *buf, const char *fmt, va_list args)
break;
++fmt;
+ allow_overflow = *fmt == '!';
+ fmt += (int)allow_overflow;
+
/* skip this conversion.
* advance both strings to next white space
*/
@@ -3649,45 +3662,80 @@ int vsscanf(const char *buf, const char *fmt, va_list args)
if (is_sign)
val.s = simple_strntoll(str,
field_width >= 0 ? field_width : INT_MAX,
- &next, base);
+ &next, base, &overflow);
else
val.u = simple_strntoull(str,
field_width >= 0 ? field_width : INT_MAX,
- &next, base);
+ &next, base, &overflow);
+ if (unlikely(overflow) && !allow_overflow)
+ break;
switch (qualifier) {
case 'H': /* that's 'hh' in format */
- if (is_sign)
+ if (is_sign) {
+ if (unlikely(val.s < SCHAR_MIN || val.s > SCHAR_MAX) &&
+ !allow_overflow)
+ return num;
*va_arg(args, signed char *) = val.s;
- else
+ } else {
+ if (unlikely(val.u > UCHAR_MAX) && !allow_overflow)
+ return num;
*va_arg(args, unsigned char *) = val.u;
+ }
break;
case 'h':
- if (is_sign)
+ if (is_sign) {
+ if (unlikely(val.s < SHRT_MIN || val.s > SHRT_MAX) &&
+ !allow_overflow)
+ return num;
*va_arg(args, short *) = val.s;
- else
+ } else {
+ if (unlikely(val.u > USHRT_MAX) && !allow_overflow)
+ return num;
*va_arg(args, unsigned short *) = val.u;
+ }
break;
case 'l':
- if (is_sign)
+ if (is_sign) {
+ if (unlikely(val.s < LONG_MIN || val.s > LONG_MAX) &&
+ !allow_overflow)
+ return num;
*va_arg(args, long *) = val.s;
- else
+ } else {
+ if (unlikely(val.u > ULONG_MAX) && !allow_overflow)
+ return num;
*va_arg(args, unsigned long *) = val.u;
+ }
break;
case 'L':
+ /* No overflow check needed */
if (is_sign)
*va_arg(args, long long *) = val.s;
else
*va_arg(args, unsigned long long *) = val.u;
break;
case 'z':
- *va_arg(args, size_t *) = val.u;
+ if (is_sign) {
+ if (unlikely(val.s < SSIZE_MIN || val.s > SSIZE_MAX))
+ return num;
+ *va_arg(args, ssize_t *) = val.s;
+ } else {
+ if (unlikely(val.u > SIZE_MAX) && !allow_overflow)
+ return num;
+ *va_arg(args, size_t *) = val.u;
+ }
break;
default:
- if (is_sign)
+ if (is_sign) {
+ if (unlikely(val.s < INT_MIN || val.s > INT_MAX) &&
+ !allow_overflow)
+ return num;
*va_arg(args, int *) = val.s;
- else
+ } else {
+ if (unlikely(val.u > UINT_MAX) && !allow_overflow)
+ return num;
*va_arg(args, unsigned int *) = val.u;
+ }
break;
}
num++;
--
Sincerely,
Demi Marie Obenour (she/her/hers)
Invisible Things Lab
next prev parent reply other threads:[~2023-06-10 20:41 UTC|newest]
Thread overview: 13+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-06-10 20:40 [PATCH v3 0/4] Make sscanf() stricter Demi Marie Obenour
2023-06-10 20:40 ` [PATCH v3 1/4] limits.h: add UCHAR_MAX, SCHAR_MAX, and SCHAR_MIN Demi Marie Obenour
2023-06-12 11:19 ` Lee Jones
2023-06-12 16:31 ` Vincenzo Frascino
2023-06-12 20:19 ` Demi Marie Obenour
2023-06-10 20:40 ` Demi Marie Obenour [this message]
2023-06-12 10:53 ` [PATCH v3 2/4] vsscanf(): Integer overflow is a conversion failure Rasmus Villemoes
2023-06-10 20:40 ` [PATCH v3 3/4] vsscanf(): do not skip spaces Demi Marie Obenour
2023-06-12 11:08 ` Rasmus Villemoes
2023-06-13 12:42 ` David Laight
2023-06-12 11:11 ` David Laight
2023-06-10 20:40 ` [PATCH v3 4/4] Reject NUL bytes in xenstore nodes Demi Marie Obenour
2023-06-12 15:34 ` [PATCH v3 0/4] Make sscanf() stricter Andy Shevchenko
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20230610204044.3653-3-demi@invisiblethingslab.com \
--to=demi@invisiblethingslab.com \
--cc=andriy.shevchenko@linux.intel.com \
--cc=gregkh@linuxfoundation.org \
--cc=hdegoede@redhat.com \
--cc=jgross@suse.com \
--cc=lee@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-media@vger.kernel.org \
--cc=linux-staging@lists.linux.dev \
--cc=linux@rasmusvillemoes.dk \
--cc=luto@kernel.org \
--cc=mchehab@kernel.org \
--cc=oleksandr_tyshchenko@epam.com \
--cc=pmladek@suse.com \
--cc=rostedt@goodmis.org \
--cc=sakari.ailus@linux.intel.com \
--cc=senozhatsky@chromium.org \
--cc=sstabellini@kernel.org \
--cc=tglx@linutronix.de \
--cc=torvalds@linux-foundation.org \
--cc=vincenzo.frascino@arm.com \
--cc=xen-devel@lists.xenproject.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox