lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <20251230124656.4709-1-yangqixiao@inspur.com>
Date: Tue, 30 Dec 2025 20:46:56 +0800
From: yangqixiao <yangqixiao@...pur.com>
To: jdmason@...zu.us,
	dave.jiang@...el.com
Cc: allenbh@...il.com,
	linux-kernel@...r.kernel.org,
	yangqixiao <yangqixiao@...pur.com>
Subject: [PATCH v1] ntb/ntb_tool: correct sscanf format for u64 and size_t in tool_peer_mw_trans_write

The sscanf() call in tool_peer_mw_trans_write() uses "%lli:%zi" to parse
user input into 'u64 addr' and 'size_t wsize'. This is incorrect:

 - "%lli" expects a signed long long *, but 'addr' is u64 (unsigned).
   Input like "0x8000000000000000" is misinterpreted as negative,
   leading to corrupted address values.

 - "%zi" expects a signed ssize_t *, but 'wsize' is size_t (unsigned).
   Input of "-1" is successfully parsed and stored as SIZE_MAX
   (e.g., 0xFFFFFFFFFFFFFFFF), which may cause buffer overflows
   or infinite loops in subsequent memory operations.

Fix by using format specifiers that match the actual variable types:
 - "%llu" for u64 (supports hex/decimal, standard for kernel u64 parsing)
 - "%zu" for size_t (standard and safe; rejects negative input)

Signed-off-by: yangqixiao <yangqixiao@...pur.com>
---
 drivers/ntb/test/ntb_tool.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/ntb/test/ntb_tool.c b/drivers/ntb/test/ntb_tool.c
index 641cb7e05a47..06881047f5bc 100644
--- a/drivers/ntb/test/ntb_tool.c
+++ b/drivers/ntb/test/ntb_tool.c
@@ -936,7 +936,7 @@ static ssize_t tool_peer_mw_trans_write(struct file *filep,
 
 	buf[buf_size] = '\0';
 
-	n = sscanf(buf, "%lli:%zi", &addr, &wsize);
+	n = sscanf(buf, "%llu:%zu", &addr, &wsize);
 	if (n != 2)
 		return -EINVAL;
 
-- 
2.47.3

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ