| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sat, 10 Jun 2023 10:10:26 +0200 (CEST)
From: Richard Weinberger <richard@....at>
To: Christoph Hellwig <hch@...radead.org>
Cc: Demi Marie Obenour <demi@...isiblethingslab.com>,
torvalds <torvalds@...ux-foundation.org>,
Dwaipayan Ray <dwaipayanray1@...il.com>,
Lukas Bulwahn <lukas.bulwahn@...il.com>,
Joe Perches <joe@...ches.com>,
Jonathan Corbet <corbet@....net>,
Federico Vaga <federico.vaga@...a.pv.it>,
jgross <jgross@...e.com>,
Stefano Stabellini <sstabellini@...nel.org>,
Oleksandr Tyshchenko <oleksandr_tyshchenko@...m.com>,
Lee Jones <lee@...nel.org>, Andy Lutomirski <luto@...nel.org>,
tglx <tglx@...utronix.de>,
Vincenzo Frascino <vincenzo.frascino@....com>,
Petr Mladek <pmladek@...e.com>,
Steven Rostedt <rostedt@...dmis.org>,
senozhatsky <senozhatsky@...omium.org>,
Andy Shevchenko <andriy.shevchenko@...ux.intel.com>,
Rasmus Villemoes <linux@...musvillemoes.dk>,
Linux Doc Mailing List <linux-doc@...r.kernel.org>,
linux-kernel <linux-kernel@...r.kernel.org>,
xen-devel@...ts.xenproject.org
Subject: Re: [PATCH 2/4] vsscanf(): Return -ERANGE on integer overflow
----- Ursprüngliche Mail -----
> Von: "Christoph Hellwig" <hch@...radead.org>
> [Adding Richard and Linus as they're having another overflow checking
> discussion and we should probably merge those]
Thx for letting me know!
> On Fri, Jun 09, 2023 at 10:57:57PM -0400, Demi Marie Obenour wrote:
>> Userspace sets errno to ERANGE, but the kernel can't do that.
>
> That seems like a very parse commit log, and also kinda besides
> the point - the kernel always returns error in-line and not through
> errno. I think you need to document here why we want to do the
> overflow checking (not that I doubt it, but it really needs to be
> in the commit message).
>
> Leaving the rest of the quote here for the new arrivals.
>
>>
>> Signed-off-by: Demi Marie Obenour <demi@...isiblethingslab.com>
>> ---
>> include/linux/limits.h | 1 +
>> include/linux/mfd/wl1273-core.h | 3 --
>> include/vdso/limits.h | 3 ++
>> lib/vsprintf.c | 80 ++++++++++++++++++++++++---------
>> 4 files changed, 63 insertions(+), 24 deletions(-)
>>
>> diff --git a/include/linux/limits.h b/include/linux/limits.h
>> index
>> f6bcc936901071f496e3e85bb6e1d93905b12e32..8f7fd85b41fb46e6992d9e5912da00424119227a
>> 100644
>> --- a/include/linux/limits.h
>> +++ b/include/linux/limits.h
>> @@ -8,6 +8,7 @@
>>
>> #define SIZE_MAX (~(size_t)0)
>> #define SSIZE_MAX ((ssize_t)(SIZE_MAX >> 1))
>> +#define SSIZE_MIN (-SSIZE_MAX - 1)
>> #define PHYS_ADDR_MAX (~(phys_addr_t)0)
>>
>> #define U8_MAX ((u8)~0U)
>> diff --git a/include/linux/mfd/wl1273-core.h b/include/linux/mfd/wl1273-core.h
>> index
>> c28cf76d5c31ee1c94a9319a2e2d318bf00283a6..b81a229135ed9f756c749122a8341816031c8311
>> 100644
>> --- a/include/linux/mfd/wl1273-core.h
>> +++ b/include/linux/mfd/wl1273-core.h
>> @@ -204,9 +204,6 @@
>> WL1273_IS2_TRI_OPT | \
>> WL1273_IS2_RATE_48K)
>>
>> -#define SCHAR_MIN (-128)
>> -#define SCHAR_MAX 127
>> -
>> #define WL1273_FR_EVENT BIT(0)
>> #define WL1273_BL_EVENT BIT(1)
>> #define WL1273_RDS_EVENT BIT(2)
>> diff --git a/include/vdso/limits.h b/include/vdso/limits.h
>> index
>> 0197888ad0e00b2f853d3f25ffa764f61cca7385..0cad0a2490e5efc194d874025eb3e3b846a5c7b4
>> 100644
>> --- a/include/vdso/limits.h
>> +++ b/include/vdso/limits.h
>> @@ -2,6 +2,9 @@
>> #ifndef __VDSO_LIMITS_H
>> #define __VDSO_LIMITS_H
>>
>> +#define UCHAR_MAX ((unsigned char)~0U)
>> +#define SCHAR_MAX ((signed char)(UCHAR_MAX >> 1))
>> +#define SCHAR_MIN ((signed char)(-SCHAR_MAX - 1))
>> #define USHRT_MAX ((unsigned short)~0U)
>> #define SHRT_MAX ((short)(USHRT_MAX >> 1))
>> #define SHRT_MIN ((short)(-SHRT_MAX - 1))
>> diff --git a/lib/vsprintf.c b/lib/vsprintf.c
>> index
>> a60d348efb276d66ca07fe464883408df7fdab97..9846d2385f5b9e8f3945a5664d81047e97cf10d5
>> 100644
>> --- a/lib/vsprintf.c
>> +++ b/lib/vsprintf.c
>> @@ -59,7 +59,7 @@
>> bool no_hash_pointers __ro_after_init;
>> EXPORT_SYMBOL_GPL(no_hash_pointers);
>>
>> -static noinline unsigned long long simple_strntoull(const char *startp, size_t
>> max_chars, char **endp, unsigned int base)
>> +static noinline unsigned long long simple_strntoull(const char *startp, size_t
>> max_chars, char **endp, unsigned int base, bool *overflow)
>> {
>> const char *cp;
>> unsigned long long result = 0ULL;
>> @@ -71,6 +71,8 @@ static noinline unsigned long long simple_strntoull(const char
>> *startp, size_t m
>> if (prefix_chars < max_chars) {
>> rv = _parse_integer_limit(cp, base, &result, max_chars - prefix_chars);
>> /* FIXME */
>> + if (overflow)
>> + *overflow = !!(rv & KSTRTOX_OVERFLOW);
>> cp += (rv & ~KSTRTOX_OVERFLOW);
>> } else {
>> /* Field too short for prefix + digit, skip over without converting */
>> @@ -94,7 +96,7 @@ static noinline unsigned long long simple_strntoull(const char
>> *startp, size_t m
>> noinline
>> unsigned long long simple_strtoull(const char *cp, char **endp, unsigned int
>> base)
>> {
>> - return simple_strntoull(cp, INT_MAX, endp, base);
>> + return simple_strntoull(cp, INT_MAX, endp, base, NULL);
>> }
>> EXPORT_SYMBOL(simple_strtoull);
>>
>> @@ -130,18 +132,22 @@ long simple_strtol(const char *cp, char **endp, unsigned
>> int base)
>> EXPORT_SYMBOL(simple_strtol);
>>
>> static long long simple_strntoll(const char *cp, size_t max_chars, char **endp,
>> - unsigned int base)
>> + unsigned int base, bool *overflow)
>> {
>> + unsigned long long minand;
>> + bool negate;
>> +
>> /*
>> * simple_strntoull() safely handles receiving max_chars==0 in the
>> * case cp[0] == '-' && max_chars == 1.
>> * If max_chars == 0 we can drop through and pass it to simple_strntoull()
>> * and the content of *cp is irrelevant.
>> */
>> - if (*cp == '-' && max_chars > 0)
>> - return -simple_strntoull(cp + 1, max_chars - 1, endp, base);
>> -
>> - return simple_strntoull(cp, max_chars, endp, base);
>> + negate = *cp == '-' && max_chars > 0;
>> + minand = simple_strntoull(cp + negate, max_chars - negate, endp, base,
>> overflow);
>> + if (minand > (unsigned long long)LONG_MAX + negate)
>> + *overflow = true;
>> + return negate ? -minand : minand;
>> }
>>
>> static noinline_for_stack
>> @@ -3427,7 +3433,7 @@ int vsscanf(const char *buf, const char *fmt, va_list
>> args)
>> unsigned long long u;
>> } val;
>> s16 field_width;
>> - bool is_sign;
>> + bool is_sign, overflow;
>>
>> while (*fmt) {
>> /* skip any white space in format */
>> @@ -3635,45 +3641,77 @@ int vsscanf(const char *buf, const char *fmt, va_list
>> args)
>> if (is_sign)
>> val.s = simple_strntoll(str,
>> field_width >= 0 ? field_width : INT_MAX,
>> - &next, base);
>> + &next, base, &overflow);
>> else
>> val.u = simple_strntoull(str,
>> field_width >= 0 ? field_width : INT_MAX,
>> - &next, base);
>> + &next, base, &overflow);
>> + if (unlikely(overflow))
>> + return -ERANGE;
>>
>> switch (qualifier) {
>> case 'H': /* that's 'hh' in format */
>> - if (is_sign)
>> + if (is_sign) {
>> + if (unlikely(val.s < SCHAR_MIN || val.s > SCHAR_MAX))
>> + return -ERANGE;
>> *va_arg(args, signed char *) = val.s;
>> - else
>> + } else {
>> + if (unlikely(val.u > UCHAR_MAX))
>> + return -ERANGE;
>> *va_arg(args, unsigned char *) = val.u;
>> + }
>> break;
>> case 'h':
>> - if (is_sign)
>> + if (is_sign) {
>> + if (unlikely(val.s < SHRT_MIN || val.s > SHRT_MAX))
>> + return -ERANGE;
Returning a negative value here will break many existing in-kernel users.
Most users just check for the number of matched elements.
Linus' idea was returning 0 upon overflow (nothing matched) and allowing
overflows (if really needed) by adding a new format string qualifier "!".
e.g. "%!d".
Thanks,
//richard
Powered by blists - more mailing lists