[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <202301061107.C56365E@keescook>
Date: Fri, 6 Jan 2023 11:11:17 -0800
From: Kees Cook <keescook@...omium.org>
To: Steven Rostedt <rostedt@...dmis.org>
Cc: Petr Mladek <pmladek@...e.com>,
Sergey Shtylyov <s.shtylyov@....ru>,
Sergey Senozhatsky <senozhatsky@...omium.org>,
Andy Shevchenko <andriy.shevchenko@...ux.intel.com>,
Rasmus Villemoes <linux@...musvillemoes.dk>,
Linus Torvalds <torvalds@...ux-foundation.org>,
linux-hardening@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH] vsprintf: fix possible NULL pointer deref in vsnprintf()
On Fri, Jan 06, 2023 at 12:14:57PM -0500, Steven Rostedt wrote:
> On Fri, 6 Jan 2023 16:49:46 +0100
> Petr Mladek <pmladek@...e.com> wrote:
>
> > > Index: linux/lib/vsprintf.c
> > > ===================================================================
> > > --- linux.orig/lib/vsprintf.c
> > > +++ linux/lib/vsprintf.c
> > > @@ -2738,6 +2738,15 @@ int vsnprintf(char *buf, size_t size, co
> > > if (WARN_ON_ONCE(size > INT_MAX))
> > > return 0;
> > >
> > > + /*
> > > + * C99 allows @buf to be NULL when @size is 0. We treat such NULL as if
> > > + * @buf pointed to 0-sized buffer, so we can both avoid a NULL pointer
> > > + * dereference and still return # of characters that would be written
> > > + * if @buf pointed to a valid buffer...
> > > + */
> > > + if (!buf)
> > > + size = 0;
> >
> > It makes sense except that it would hide bugs. It should print a
> > warning, for example:
>
> I agree. This is a bug, and should not be quietly ignored.
Yup.
>
> >
> > char *err_msg;
> >
> > err_msg = check_pointer_msg(buf);
> > if (err_msg) {
> > WARN_ONCE(1, "Invalid buffer passed to vsnprintf(). Trying to continue with 0 length limit\n");
> > size = 0;
> > }
>
> if (WARN_ONCE(err_msg, "Invalid buffer passed to vsnprintf(). Trying to continue with 0 length limit\n"))
> size = 0;
Also good. Please CC me for an Ack when this is a full patch. :)
-Kees
--
Kees Cook
Powered by blists - more mailing lists