Date:   Fri, 16 Sep 2022 09:11:37 +0300
From:   Alexey Dobriyan <adobriyan@...il.com>
To:     linux-kernel@...r.kernel.org
Cc:     yangyicong@...ilicon.com, viro@...iv.linux.org.uk,
        jonnyc@...zon.com, hhhawa@...zon.com, andriy.shevchenko@...el.com,
        farbere@...zon.com, akpm@...ux-foundation.org
Subject: Re: + libfs-fix-error-format-in-simple_attr_write.patch added to
 mm-nonmm-unstable branch

On Thu, Sep 15, 2022 at 02:34:25PM -0700, Andrew Morton wrote:
>      libfs-fix-error-format-in-simple_attr_write.patch

> From: Eliav Farber <farbere@...zon.com>
> Subject: libfs: fix error format in simple_attr_write()
> Date: Thu, 15 Sep 2022 09:15:44 +0000
> 
> In commit 488dac0c9237 ("libfs: fix error cast of negative value in
> simple_attr_write()"), simple_attr_write() was changed to use kstrtoull()
> instead of simple_strtoll() to convert a string got from a user.  A user
> trying to set a negative value will get an error.
> 
> This is wrong since it breaks all the places that use
> DEFINE_DEBUGFS_ATTRIBUTE() with format of a signed integer.
> 
> For the record there are 43 current users of signed integer which are
> likely to be affected by this:
> 
> $ git grep -n -A1 -w DEFINE_DEBUGFS_ATTRIBUTE | grep ');' |
> sed 's,.*\(".*%.*"\).*,\1,' | sort | uniq -c
>   1 "%08llx\n"
>   5 "0x%016llx\n"
>   5 "0x%02llx\n"
>   5 "0x%04llx\n"
>  13 "0x%08llx\n"
>   1 "0x%4.4llx\n"
>   3 "0x%.4llx\n"
>   4 "0x%llx\n"
>   1 "%1lld\n"
>  40 "%lld\n"
>   2 "%lli\n"
> 129 "%llu\n"
>   1 "%#llx\n"
>   2 "%llx\n"
> 
> u64 is not an issue for negative numbers.
> The %lld and %llu in any case are for 64-bit value, representing it as
> unsigned simplifies the generic code, but it doesn't mean we can't keep
> their signed value if we know that.
> 
> This change uses sscanf() to fix the problem since it does the conversion
> based on the supplied format string.

> --- a/fs/libfs.c~libfs-fix-error-format-in-simple_attr_write
> +++ a/fs/libfs.c
> @@ -1017,9 +1017,12 @@ ssize_t simple_attr_write(struct file *f
>  		goto out;
>  
>  	attr->set_buf[size] = '\0';
> -	ret = kstrtoull(attr->set_buf, 0, &val);
> -	if (ret)
> +	ret = sscanf(attr->set_buf, attr->fmt, &val);
> +	if (ret != 1) {
> +		ret = -EINVAL;
>  		goto out;
> +	}
> +
>  	ret = attr->set(attr->data, val);
>  	if (ret == 0)
>  		ret = len; /* on success, claim we got the whole input */
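Review bot: checking only "ret != 1" after sscanf(attr->set_buf, attr->fmt, &val) is looser than the kstrtoull() call it replaces. sscanf() returns 1 as soon as the first conversion succeeds, so trailing garbage after the number is now accepted where kstrtoull() rejected it. attr->fmt is also the format used to print the attribute, and many of the formats listed in the commit message carry a literal "0x" prefix or a field width (for example "0x%08llx\n"); as a scanf format that means input without the prefix no longer matches, and the width caps how many digits are read. Suggest keeping a strict whole-string parse and choosing between kstrtoll() and kstrtoull() by the attribute's signedness, rather than reusing the output format for input.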

No scanf please. Just revert original patch if something broke.

scanf may be tolerable if it is just one format conversion but it is
disaster as an interface.
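
A userspace sketch of the trade-off discussed in this thread, added here as an example and not part of the original message or of the kernel source. It assumes libc sscanf() and strtoll()/strtoull() as stand-ins for the kernel's sscanf() and kstrtoll()/kstrtoull(); parse_with_fmt(), parse_strict() and the inputs are constructed for illustration.

```c
#include <ctype.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

/* As in the hunk: the attribute's printf-style output format is reused as
 * the scanf format; exactly one conversion means success. */
static int parse_with_fmt(const char *buf, const char *fmt,
                          unsigned long long *val)
{
    return sscanf(buf, fmt, val) == 1 ? 0 : -EINVAL;
}

/* Strict whole-string parse with caller-chosen signedness. Assumption:
 * strtoll()/strtoull() plus these checks approximate kstrtoll()/kstrtoull(). */
static int parse_strict(const char *buf, int is_signed,
                        unsigned long long *val)
{
    char *end;
    if (isspace((unsigned char)*buf) || (!is_signed && *buf == '-'))
        return -EINVAL;
    errno = 0;
    *val = is_signed ? (unsigned long long)strtoll(buf, &end, 0)
                     : strtoull(buf, &end, 0);
    if (end == buf || errno == ERANGE)
        return -EINVAL;
    if (*end == '\n')           /* one trailing newline is tolerated */
        end++;
    return *end == '\0' ? 0 : -EINVAL;
}

int main(void)
{
    /* Constructed inputs; the formats appear in the commit message's list. */
    static const struct { const char *fmt, *in; int sgn; } t[] = {
        { "%lld\n",     "-5\n",          1 },  /* both accept */
        { "%llu\n",     "5junk\n",       0 },  /* sscanf accepts garbage */
        { "0x%08llx\n", "16\n",          0 },  /* sscanf needs literal 0x */
        { "0x%08llx\n", "0x123456789\n", 0 },  /* width 8 drops a digit */
    };
    for (size_t i = 0; i < sizeof(t) / sizeof(t[0]); i++) {
        unsigned long long a = 0, b = 0;
        int ra = parse_with_fmt(t[i].in, t[i].fmt, &a);
        int rb = parse_strict(t[i].in, t[i].sgn, &b);
        printf("case %zu: sscanf %d 0x%llx | strict %d 0x%llx\n",
               i, ra, a, rb, b);
    }
    return 0;
}
```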
