Date:   Sun, 10 Mar 2019 19:56:29 +0300
From:   Konstantin Khlebnikov <khlebnikov@...dex-team.ru>
To:     linux-kernel@...r.kernel.org
Cc:     Tejun Heo <tj@...nel.org>,
        Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
        Andrew Morton <akpm@...ux-foundation.org>,
        Linus Torvalds <torvalds@...ux-foundation.org>,
        Alexey Dobriyan <adobriyan@...il.com>
Subject: [PATCH v1 0/6] Make sscanf safer

Standard sscanf isn't well designed for input validation:

 * no way to detect integer overflow
 * unmatched tail text is ignored
 * no mandatory buffer overflow checks

All these problems were found in the wild in cgroup interfaces:
https://patchwork.kernel.org/patch/10831387/
https://lore.kernel.org/patchwork/patch/1046130/

This patchset has patches for the first two issues.
Unbounded "%s" is out of scope for now.

Second patch handles integer overflow as parse error:
sscanf exits without touching related argument.

Third patch adds a convenient way for checking that
whole text was matched and nothing left.

Fourth adds missing standard features for %[...],
this might be useful for input validation.

Fifth adds __must_check and will generate some new warnings.

The last is a simple test module for checking some basic and
new corner-cases added by this patchset.


Code hasn't changed much:

$ ./scripts/bloat-o-meter lib/vsprintf.o.old lib/vsprintf.o.new
add/remove: 0/0 grow/shrink: 1/0 up/down: 60/0 (60)
Function                                     old     new   delta
vsscanf                                     2270    2330     +60
Total: Before=16904, After=16964, chg +0.35%


Unbounded "%s" could be fixed only by making field width mandatory.
There are only a few users and in most cases sscanf could be eliminated.


---

Konstantin Khlebnikov (6):
      lib: scanf: document features of scanf format string
      lib: scanf: handle integer overflows in vsscanf
      lib: scanf: add vsscanf feature for matching end of text
      lib: scanf: handle character ranges in %[...]
      lib: scanf: mark sscanf and vsscanf as __must_check
      lib: scanf: add test module


 include/linux/kernel.h |   10 ++
 lib/Kconfig.debug      |    3 +
 lib/Makefile           |    1 
 lib/test_scanf.c       |  252 ++++++++++++++++++++++++++++++++++++++++++++++++
 lib/vsprintf.c         |  153 +++++++++++++++++++++--------
 5 files changed, 376 insertions(+), 43 deletions(-)
 create mode 100644 lib/test_scanf.c

--
Signature
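The three pitfalls in the cover letter are easy to reproduce in userspace. The following is an added example written for this page, not kernel code and not part of the patch series: it contrasts a plain sscanf() validator with a strict one that roughly follows kstrtou32() semantics (assumptions for this example: decimal only, no sign, no leading whitespace, at most one trailing '\n', as kstrto* accepts), and a bounded "%s" read that uses a field width plus %n so a truncated token is reported instead of silently shortened. All function names and the sample inputs are constructed for the illustration.

```c
#include <ctype.h>
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Naive validator: the pattern the cover letter warns about.  The return
 * value is 1 whether the tail was "abc" or nothing, and on overflow the C
 * standard leaves the stored value unspecified with no error indication.
 */
static int parse_u32_naive(const char *in, unsigned int *out)
{
	return sscanf(in, "%u", out) == 1 ? 0 : -EINVAL;
}

/*
 * Strict validator, roughly kstrtou32() semantics (assumption: decimal only,
 * no sign, no leading whitespace, at most one trailing '\n').  Overflow and
 * unmatched tail are hard errors and *out is only written on success.
 */
static int parse_u32_strict(const char *in, unsigned int *out)
{
	unsigned long long v;
	char *end;

	if (!isdigit((unsigned char)in[0]))
		return -EINVAL;		/* empty, signed or padded input */

	errno = 0;
	v = strtoull(in, &end, 10);
	if (errno == ERANGE || v > UINT_MAX)
		return -ERANGE;		/* does not fit the target type */

	if (*end == '\n')
		end++;
	if (*end != '\0')
		return -EINVAL;		/* unmatched tail text */

	*out = (unsigned int)v;
	return 0;
}

/*
 * Bounded string read.  The field width (dstlen - 1) caps what sscanf writes;
 * %n reports where matching stopped, so a cut-off token can be rejected.
 */
static int read_token(const char *in, char *dst, size_t dstlen)
{
	char fmt[32];
	int n = 0;

	if (dstlen < 2 || dstlen > 9999)
		return -EINVAL;
	snprintf(fmt, sizeof fmt, "%%%zus%%n", dstlen - 1);	/* e.g. "%15s%n" */
	if (sscanf(in, fmt, dst, &n) != 1)
		return -EINVAL;		/* nothing but whitespace */
	if (in[n] != '\0' && !isspace((unsigned char)in[n]))
		return -E2BIG;		/* token longer than the buffer */
	return 0;
}

/* Wrappers folding (rc, value) into one number: negative errno or the value. */
static long long naive_value(const char *in)
{
	unsigned int v = 0;
	int rc = parse_u32_naive(in, &v);
	return rc ? rc : (long long)v;
}

static long long strict_value(const char *in)
{
	unsigned int v = 0;
	int rc = parse_u32_strict(in, &v);
	return rc ? rc : (long long)v;
}

static int token_result(const char *in, const char *expect)
{
	char buf[16];
	int rc = read_token(in, buf, sizeof buf);
	return rc ? rc : (strcmp(buf, expect) == 0 ? 0 : -EIO);
}

int main(void)
{
	/* Constructed inputs of the kind a cgroup control file might receive. */
	const char *inputs[] = { "123", "42\n", "123abc", "4294967295",
				 "4294967296", "-1", "" };
	size_t i;

	for (i = 0; i < sizeof inputs / sizeof inputs[0]; i++)
		printf("%-12s naive=%lld strict=%lld\n", inputs[i],
		       naive_value(inputs[i]), strict_value(inputs[i]));
	printf("token: %d %d\n", token_result("hello world", "hello"),
	       token_result("abcdefghijklmnopqrstuvwxyz", ""));
	return 0;
}
```

The naive path accepts "123abc" as 123 and gives no signal on "4294967296"; the strict path returns -EINVAL and -ERANGE respectively, which is the behaviour the second and third patches aim to make reachable from sscanf itself.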
