lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <880576435.3707190.1686384626249.JavaMail.zimbra@nod.at>
Date:   Sat, 10 Jun 2023 10:10:26 +0200 (CEST)
From:   Richard Weinberger <richard@....at>
To:     Christoph Hellwig <hch@...radead.org>
Cc:     Demi Marie Obenour <demi@...isiblethingslab.com>,
        torvalds <torvalds@...ux-foundation.org>,
        Dwaipayan Ray <dwaipayanray1@...il.com>,
        Lukas Bulwahn <lukas.bulwahn@...il.com>,
        Joe Perches <joe@...ches.com>,
        Jonathan Corbet <corbet@....net>,
        Federico Vaga <federico.vaga@...a.pv.it>,
        jgross <jgross@...e.com>,
        Stefano Stabellini <sstabellini@...nel.org>,
        Oleksandr Tyshchenko <oleksandr_tyshchenko@...m.com>,
        Lee Jones <lee@...nel.org>, Andy Lutomirski <luto@...nel.org>,
        tglx <tglx@...utronix.de>,
        Vincenzo Frascino <vincenzo.frascino@....com>,
        Petr Mladek <pmladek@...e.com>,
        Steven Rostedt <rostedt@...dmis.org>,
        senozhatsky <senozhatsky@...omium.org>,
        Andy Shevchenko <andriy.shevchenko@...ux.intel.com>,
        Rasmus Villemoes <linux@...musvillemoes.dk>,
        Linux Doc Mailing List <linux-doc@...r.kernel.org>,
        linux-kernel <linux-kernel@...r.kernel.org>,
        xen-devel@...ts.xenproject.org
Subject: Re: [PATCH 2/4] vsscanf(): Return -ERANGE on integer overflow

----- Ursprüngliche Mail -----
> Von: "Christoph Hellwig" <hch@...radead.org>
> [Adding Richard and Linus as they're having another overflow checking
> discussion and we should probably merge those]

Thx for letting me know!
 
> On Fri, Jun 09, 2023 at 10:57:57PM -0400, Demi Marie Obenour wrote:
>> Userspace sets errno to ERANGE, but the kernel can't do that.
> 
> That seems like a very parse commit log, and also kinda besides
> the point - the kernel always returns error in-line and not through
> errno.  I think you need to document here why we want to do the
> overflow checking (not that I doubt it, but it really needs to be
> in the commit message).
> 
> Leaving the rest of the quote here for the new arrivals.
> 
>> 
>> Signed-off-by: Demi Marie Obenour <demi@...isiblethingslab.com>
>> ---
>>  include/linux/limits.h          |  1 +
>>  include/linux/mfd/wl1273-core.h |  3 --
>>  include/vdso/limits.h           |  3 ++
>>  lib/vsprintf.c                  | 80 ++++++++++++++++++++++++---------
>>  4 files changed, 63 insertions(+), 24 deletions(-)
>> 
>> diff --git a/include/linux/limits.h b/include/linux/limits.h
>> index
>> f6bcc936901071f496e3e85bb6e1d93905b12e32..8f7fd85b41fb46e6992d9e5912da00424119227a
>> 100644
>> --- a/include/linux/limits.h
>> +++ b/include/linux/limits.h
>> @@ -8,6 +8,7 @@
>>  
>>  #define SIZE_MAX	(~(size_t)0)
>>  #define SSIZE_MAX	((ssize_t)(SIZE_MAX >> 1))
>> +#define SSIZE_MIN	(-SSIZE_MAX - 1)
>>  #define PHYS_ADDR_MAX	(~(phys_addr_t)0)
>>  
>>  #define U8_MAX		((u8)~0U)
>> diff --git a/include/linux/mfd/wl1273-core.h b/include/linux/mfd/wl1273-core.h
>> index
>> c28cf76d5c31ee1c94a9319a2e2d318bf00283a6..b81a229135ed9f756c749122a8341816031c8311
>> 100644
>> --- a/include/linux/mfd/wl1273-core.h
>> +++ b/include/linux/mfd/wl1273-core.h
>> @@ -204,9 +204,6 @@
>>  				 WL1273_IS2_TRI_OPT | \
>>  				 WL1273_IS2_RATE_48K)
>>  
>> -#define SCHAR_MIN (-128)
>> -#define SCHAR_MAX 127
>> -
>>  #define WL1273_FR_EVENT			BIT(0)
>>  #define WL1273_BL_EVENT			BIT(1)
>>  #define WL1273_RDS_EVENT		BIT(2)
>> diff --git a/include/vdso/limits.h b/include/vdso/limits.h
>> index
>> 0197888ad0e00b2f853d3f25ffa764f61cca7385..0cad0a2490e5efc194d874025eb3e3b846a5c7b4
>> 100644
>> --- a/include/vdso/limits.h
>> +++ b/include/vdso/limits.h
>> @@ -2,6 +2,9 @@
>>  #ifndef __VDSO_LIMITS_H
>>  #define __VDSO_LIMITS_H
>>  
>> +#define UCHAR_MAX	((unsigned char)~0U)
>> +#define SCHAR_MAX	((signed char)(UCHAR_MAX >> 1))
>> +#define SCHAR_MIN	((signed char)(-SCHAR_MAX - 1))
>>  #define USHRT_MAX	((unsigned short)~0U)
>>  #define SHRT_MAX	((short)(USHRT_MAX >> 1))
>>  #define SHRT_MIN	((short)(-SHRT_MAX - 1))
>> diff --git a/lib/vsprintf.c b/lib/vsprintf.c
>> index
>> a60d348efb276d66ca07fe464883408df7fdab97..9846d2385f5b9e8f3945a5664d81047e97cf10d5
>> 100644
>> --- a/lib/vsprintf.c
>> +++ b/lib/vsprintf.c
>> @@ -59,7 +59,7 @@
>>  bool no_hash_pointers __ro_after_init;
>>  EXPORT_SYMBOL_GPL(no_hash_pointers);
>>  
>> -static noinline unsigned long long simple_strntoull(const char *startp, size_t
>> max_chars, char **endp, unsigned int base)
>> +static noinline unsigned long long simple_strntoull(const char *startp, size_t
>> max_chars, char **endp, unsigned int base, bool *overflow)
>>  {
>>  	const char *cp;
>>  	unsigned long long result = 0ULL;
>> @@ -71,6 +71,8 @@ static noinline unsigned long long simple_strntoull(const char
>> *startp, size_t m
>>  	if (prefix_chars < max_chars) {
>>  		rv = _parse_integer_limit(cp, base, &result, max_chars - prefix_chars);
>>  		/* FIXME */
>> +		if (overflow)
>> +			*overflow = !!(rv & KSTRTOX_OVERFLOW);
>>  		cp += (rv & ~KSTRTOX_OVERFLOW);
>>  	} else {
>>  		/* Field too short for prefix + digit, skip over without converting */
>> @@ -94,7 +96,7 @@ static noinline unsigned long long simple_strntoull(const char
>> *startp, size_t m
>>  noinline
>>  unsigned long long simple_strtoull(const char *cp, char **endp, unsigned int
>>  base)
>>  {
>> -	return simple_strntoull(cp, INT_MAX, endp, base);
>> +	return simple_strntoull(cp, INT_MAX, endp, base, NULL);
>>  }
>>  EXPORT_SYMBOL(simple_strtoull);
>>  
>> @@ -130,18 +132,22 @@ long simple_strtol(const char *cp, char **endp, unsigned
>> int base)
>>  EXPORT_SYMBOL(simple_strtol);
>>  
>>  static long long simple_strntoll(const char *cp, size_t max_chars, char **endp,
>> -				 unsigned int base)
>> +				 unsigned int base, bool *overflow)
>>  {
>> +	unsigned long long minand;
>> +	bool negate;
>> +
>>  	/*
>>  	 * simple_strntoull() safely handles receiving max_chars==0 in the
>>  	 * case cp[0] == '-' && max_chars == 1.
>>  	 * If max_chars == 0 we can drop through and pass it to simple_strntoull()
>>  	 * and the content of *cp is irrelevant.
>>  	 */
>> -	if (*cp == '-' && max_chars > 0)
>> -		return -simple_strntoull(cp + 1, max_chars - 1, endp, base);
>> -
>> -	return simple_strntoull(cp, max_chars, endp, base);
>> +	negate = *cp == '-' && max_chars > 0;
>> +	minand = simple_strntoull(cp + negate, max_chars - negate, endp, base,
>> overflow);
>> +	if (minand > (unsigned long long)LONG_MAX + negate)
>> +		*overflow = true;
>> +	return negate ? -minand : minand;
>>  }
>>  
>>  static noinline_for_stack
>> @@ -3427,7 +3433,7 @@ int vsscanf(const char *buf, const char *fmt, va_list
>> args)
>>  		unsigned long long u;
>>  	} val;
>>  	s16 field_width;
>> -	bool is_sign;
>> +	bool is_sign, overflow;
>>  
>>  	while (*fmt) {
>>  		/* skip any white space in format */
>> @@ -3635,45 +3641,77 @@ int vsscanf(const char *buf, const char *fmt, va_list
>> args)
>>  		if (is_sign)
>>  			val.s = simple_strntoll(str,
>>  						field_width >= 0 ? field_width : INT_MAX,
>> -						&next, base);
>> +						&next, base, &overflow);
>>  		else
>>  			val.u = simple_strntoull(str,
>>  						 field_width >= 0 ? field_width : INT_MAX,
>> -						 &next, base);
>> +						 &next, base, &overflow);
>> +		if (unlikely(overflow))
>> +			return -ERANGE;
>>  
>>  		switch (qualifier) {
>>  		case 'H':	/* that's 'hh' in format */
>> -			if (is_sign)
>> +			if (is_sign) {
>> +				if (unlikely(val.s < SCHAR_MIN || val.s > SCHAR_MAX))
>> +					return -ERANGE;
>>  				*va_arg(args, signed char *) = val.s;
>> -			else
>> +			} else {
>> +				if (unlikely(val.u > UCHAR_MAX))
>> +					return -ERANGE;
>>  				*va_arg(args, unsigned char *) = val.u;
>> +			}
>>  			break;
>>  		case 'h':
>> -			if (is_sign)
>> +			if (is_sign) {
>> +				if (unlikely(val.s < SHRT_MIN || val.s > SHRT_MAX))
>> +					return -ERANGE;

Returning a negative value here will break many existing in-kernel users.
Most users just check for the number of matched elements.

Linus' idea was returning 0 upon overflow (nothing matched) and allowing
overflows (if really needed) by adding a new format string qualifier "!".
e.g. "%!d".

Thanks,
//richard

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ