lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <1e3f6c31-366e-41d7-8692-32c031383530@intel.com>
Date: Mon, 5 Jan 2026 09:42:30 -0700
From: Dave Jiang <dave.jiang@...el.com>
To: yangqixiao <yangqixiao@...pur.com>, jdmason@...zu.us
Cc: allenbh@...il.com, linux-kernel@...r.kernel.org
Subject: Re: [PATCH v1] ntb/ntb_tool: correct sscanf format for u64 and size_t
 in tool_peer_mw_trans_write



On 12/30/25 5:46 AM, yangqixiao wrote:
> The sscanf() call in tool_peer_mw_trans_write() uses "%lli:%zi" to parse
> user input into 'u64 addr' and 'size_t wsize'. This is incorrect:
> 
>  - "%lli" expects a signed long long *, but 'addr' is u64 (unsigned).
>    Input like "0x8000000000000000" is misinterpreted as negative,
>    leading to corrupted address values.
> 
>  - "%zi" expects a signed ssize_t *, but 'wsize' is size_t (unsigned).
>    Input of "-1" is successfully parsed and stored as SIZE_MAX
>    (e.g., 0xFFFFFFFFFFFFFFFF), which may cause buffer overflows
>    or infinite loops in subsequent memory operations.
> 
> Fix by using format specifiers that match the actual variable types:
>  - "%llu" for u64 (supports hex/decimal, standard for kernel u64 parsing)
>  - "%zu" for size_t (standard and safe; rejects negative input)
> 
> Signed-off-by: yangqixiao <yangqixiao@...pur.com>

Reviewed-by: Dave Jiang <dave.jiang@...el.com>

> ---
>  drivers/ntb/test/ntb_tool.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/drivers/ntb/test/ntb_tool.c b/drivers/ntb/test/ntb_tool.c
> index 641cb7e05a47..06881047f5bc 100644
> --- a/drivers/ntb/test/ntb_tool.c
> +++ b/drivers/ntb/test/ntb_tool.c
> @@ -936,7 +936,7 @@ static ssize_t tool_peer_mw_trans_write(struct file *filep,
>  
>  	buf[buf_size] = '\0';
>  
> -	n = sscanf(buf, "%lli:%zi", &addr, &wsize);
> +	n = sscanf(buf, "%llu:%zu", &addr, &wsize);
>  	if (n != 2)
>  		return -EINVAL;
>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ