2023-06-10 17:25:44

by Demi Marie Obenour

[permalink] [raw]
Subject: [PATCH v2 0/3] Make sscanf() stricter

Roger Pau Monné suggested making xenbus_scanf() stricter instead of
using a custom parser. Christoph Hellwig asked why the normal vsscanf()
cannot be made stricter. Richard Weinberger mentioned Linus Torvalds’s
suggestion of using ! to allow overflow.

Changes since v1:

- Better commit messages.
- Use ! to explicitly opt-in to allowing overflow.
- Treat overflow as a conversion failure instead of returning ERANGE.
- Drop the first patch (removal of simple_strtoll()) as it breaks
bcache.
- Stop skipping spaces in vsscanf() instead of adding a separate
vsscanf_strict() function.

Demi Marie Obenour (3):
vsscanf(): Integer overflow is a conversion failure
vsscanf(): do not skip spaces
Strict XenStore entry parsing

.../hive_isp_css_include/platform_support.h | 1 -
drivers/xen/xenbus/xenbus_xs.c | 17 ++--
include/linux/limits.h | 1 +
include/linux/mfd/wl1273-core.h | 3 -
include/vdso/limits.h | 3 +
lib/vsprintf.c | 90 +++++++++++++------
6 files changed, 80 insertions(+), 35 deletions(-)

--
Sincerely,
Demi Marie Obenour (she/her/hers)
Invisible Things Lab



2023-06-10 17:26:25

by Demi Marie Obenour

[permalink] [raw]
Subject: [PATCH v2 1/3] vsscanf(): Integer overflow is a conversion failure

sscanf() and friends currently ignore integer overflow, but this is a
bad idea. It is much better to detect integer overflow errors and
consider this a conversion failure.

This implements Linus's suggestion of using '!' to treat integer
overflow as wrapping. It does _not_ allow wrapping of unsigned
conversions by default, though, as in at least some cases accepting
negative numbers is _not_ intended.

Suggested-By: Linus Torvalds <[email protected]>
Signed-off-by: Demi Marie Obenour <[email protected]>
---
.../hive_isp_css_include/platform_support.h | 1 -
include/linux/limits.h | 1 +
include/linux/mfd/wl1273-core.h | 3 -
include/vdso/limits.h | 3 +
lib/vsprintf.c | 82 ++++++++++++++-----
5 files changed, 67 insertions(+), 23 deletions(-)

diff --git a/drivers/staging/media/atomisp/pci/hive_isp_css_include/platform_support.h b/drivers/staging/media/atomisp/pci/hive_isp_css_include/platform_support.h
index 0cdef4a5e8b1bed9884133f1a0b9d853d59d43a4..e29b96d8bebf14839f6dd48fdc6c0f8b029ef31d 100644
--- a/drivers/staging/media/atomisp/pci/hive_isp_css_include/platform_support.h
+++ b/drivers/staging/media/atomisp/pci/hive_isp_css_include/platform_support.h
@@ -27,7 +27,6 @@

#define UINT16_MAX USHRT_MAX
#define UINT32_MAX UINT_MAX
-#define UCHAR_MAX (255)

#define CSS_ALIGN(d, a) d __attribute__((aligned(a)))

diff --git a/include/linux/limits.h b/include/linux/limits.h
index f6bcc936901071f496e3e85bb6e1d93905b12e32..8f7fd85b41fb46e6992d9e5912da00424119227a 100644
--- a/include/linux/limits.h
+++ b/include/linux/limits.h
@@ -8,6 +8,7 @@

#define SIZE_MAX (~(size_t)0)
#define SSIZE_MAX ((ssize_t)(SIZE_MAX >> 1))
+#define SSIZE_MIN (-SSIZE_MAX - 1)
#define PHYS_ADDR_MAX (~(phys_addr_t)0)

#define U8_MAX ((u8)~0U)
diff --git a/include/linux/mfd/wl1273-core.h b/include/linux/mfd/wl1273-core.h
index c28cf76d5c31ee1c94a9319a2e2d318bf00283a6..b81a229135ed9f756c749122a8341816031c8311 100644
--- a/include/linux/mfd/wl1273-core.h
+++ b/include/linux/mfd/wl1273-core.h
@@ -204,9 +204,6 @@
WL1273_IS2_TRI_OPT | \
WL1273_IS2_RATE_48K)

-#define SCHAR_MIN (-128)
-#define SCHAR_MAX 127
-
#define WL1273_FR_EVENT BIT(0)
#define WL1273_BL_EVENT BIT(1)
#define WL1273_RDS_EVENT BIT(2)
diff --git a/include/vdso/limits.h b/include/vdso/limits.h
index 0197888ad0e00b2f853d3f25ffa764f61cca7385..0cad0a2490e5efc194d874025eb3e3b846a5c7b4 100644
--- a/include/vdso/limits.h
+++ b/include/vdso/limits.h
@@ -2,6 +2,9 @@
#ifndef __VDSO_LIMITS_H
#define __VDSO_LIMITS_H

+#define UCHAR_MAX ((unsigned char)~0U)
+#define SCHAR_MAX ((signed char)(UCHAR_MAX >> 1))
+#define SCHAR_MIN ((signed char)(-SCHAR_MAX - 1))
#define USHRT_MAX ((unsigned short)~0U)
#define SHRT_MAX ((short)(USHRT_MAX >> 1))
#define SHRT_MIN ((short)(-SHRT_MAX - 1))
diff --git a/lib/vsprintf.c b/lib/vsprintf.c
index 40f560959b169b4c4ac6154d658cfe76cfd0c5a6..8caccdcda0a2b470cda70c9b3837de37207eb512 100644
--- a/lib/vsprintf.c
+++ b/lib/vsprintf.c
@@ -59,7 +59,7 @@
bool no_hash_pointers __ro_after_init;
EXPORT_SYMBOL_GPL(no_hash_pointers);

-static noinline unsigned long long simple_strntoull(const char *startp, size_t max_chars, char **endp, unsigned int base)
+static noinline unsigned long long simple_strntoull(const char *startp, size_t max_chars, char **endp, unsigned int base, bool *overflow)
{
const char *cp;
unsigned long long result = 0ULL;
@@ -71,6 +71,8 @@ static noinline unsigned long long simple_strntoull(const char *startp, size_t m
if (prefix_chars < max_chars) {
rv = _parse_integer_limit(cp, base, &result, max_chars - prefix_chars);
/* FIXME */
+ if (overflow)
+ *overflow = !!(rv & KSTRTOX_OVERFLOW);
cp += (rv & ~KSTRTOX_OVERFLOW);
} else {
/* Field too short for prefix + digit, skip over without converting */
@@ -94,7 +96,7 @@ static noinline unsigned long long simple_strntoull(const char *startp, size_t m
noinline
unsigned long long simple_strtoull(const char *cp, char **endp, unsigned int base)
{
- return simple_strntoull(cp, INT_MAX, endp, base);
+ return simple_strntoull(cp, INT_MAX, endp, base, NULL);
}
EXPORT_SYMBOL(simple_strtoull);

@@ -130,18 +132,22 @@ long simple_strtol(const char *cp, char **endp, unsigned int base)
EXPORT_SYMBOL(simple_strtol);

static long long simple_strntoll(const char *cp, size_t max_chars, char **endp,
- unsigned int base)
+ unsigned int base, bool *overflow)
{
+ unsigned long long minand;
+ bool negate;
+
/*
* simple_strntoull() safely handles receiving max_chars==0 in the
* case cp[0] == '-' && max_chars == 1.
* If max_chars == 0 we can drop through and pass it to simple_strntoull()
* and the content of *cp is irrelevant.
*/
- if (*cp == '-' && max_chars > 0)
- return -simple_strntoull(cp + 1, max_chars - 1, endp, base);
-
- return simple_strntoull(cp, max_chars, endp, base);
+ negate = *cp == '-' && max_chars > 0;
+ minand = simple_strntoull(cp + negate, max_chars - negate, endp, base, overflow);
+ if (minand > (unsigned long long)LONG_MAX + negate)
+ *overflow = true;
+ return negate ? -minand : minand;
}

/**
@@ -3441,7 +3447,7 @@ int vsscanf(const char *buf, const char *fmt, va_list args)
unsigned long long u;
} val;
s16 field_width;
- bool is_sign;
+ bool is_sign, overflow, allow_overflow;

while (*fmt) {
/* skip any white space in format */
@@ -3464,6 +3470,9 @@ int vsscanf(const char *buf, const char *fmt, va_list args)
break;
++fmt;

+ allow_overflow = *fmt == '!';
+ fmt += (int)allow_overflow;
+
/* skip this conversion.
* advance both strings to next white space
*/
@@ -3649,45 +3658,80 @@ int vsscanf(const char *buf, const char *fmt, va_list args)
if (is_sign)
val.s = simple_strntoll(str,
field_width >= 0 ? field_width : INT_MAX,
- &next, base);
+ &next, base, &overflow);
else
val.u = simple_strntoull(str,
field_width >= 0 ? field_width : INT_MAX,
- &next, base);
+ &next, base, &overflow);
+ if (unlikely(overflow && !allow_overflow))
+ break;

switch (qualifier) {
case 'H': /* that's 'hh' in format */
- if (is_sign)
+ if (is_sign) {
+ if (unlikely(val.s < SCHAR_MIN || val.s > SCHAR_MAX) &&
+ !allow_overflow)
+ return num;
*va_arg(args, signed char *) = val.s;
- else
+ } else {
+ if (unlikely(val.u > UCHAR_MAX) && !allow_overflow)
+ return num;
*va_arg(args, unsigned char *) = val.u;
+ }
break;
case 'h':
- if (is_sign)
+ if (is_sign) {
+ if (unlikely(val.s < SHRT_MIN || val.s > SHRT_MAX) &&
+ !allow_overflow)
+ return num;
*va_arg(args, short *) = val.s;
- else
+ } else {
+ if (unlikely(val.u > USHRT_MAX) && !allow_overflow)
+ return num;
*va_arg(args, unsigned short *) = val.u;
+ }
break;
case 'l':
- if (is_sign)
+ if (is_sign) {
+ if (unlikely(val.s < LONG_MIN || val.s > LONG_MAX) &&
+ !allow_overflow)
+ return num;
*va_arg(args, long *) = val.s;
- else
+ } else {
+ if (unlikely(val.u > ULONG_MAX) && !allow_overflow)
+ return num;
*va_arg(args, unsigned long *) = val.u;
+ }
break;
case 'L':
+ /* No overflow check needed */
if (is_sign)
*va_arg(args, long long *) = val.s;
else
*va_arg(args, unsigned long long *) = val.u;
break;
case 'z':
- *va_arg(args, size_t *) = val.u;
+ if (is_sign) {
+ if (unlikely(val.s < SSIZE_MIN || val.s > SSIZE_MAX))
+ return num;
+ *va_arg(args, ssize_t *) = val.s;
+ } else {
+ if (unlikely(val.u > SIZE_MAX) && !allow_overflow)
+ return num;
+ *va_arg(args, size_t *) = val.u;
+ }
break;
default:
- if (is_sign)
+ if (is_sign) {
+ if (unlikely(val.s < INT_MIN || val.s > INT_MAX) &&
+ !allow_overflow)
+ return num;
*va_arg(args, int *) = val.s;
- else
+ } else {
+ if (unlikely(val.u > UINT_MAX) && !allow_overflow)
+ return num;
*va_arg(args, unsigned int *) = val.u;
+ }
break;
}
num++;
--
Sincerely,
Demi Marie Obenour (she/her/hers)
Invisible Things Lab


2023-06-10 17:26:47

by Demi Marie Obenour

[permalink] [raw]
Subject: [PATCH v2 3/3] Strict XenStore entry parsing

This rejects bogus xenstore node values that include e.g. leading spaces
or overflow the expected integer type.

Signed-off-by: Demi Marie Obenour <[email protected]>
---
drivers/xen/xenbus/xenbus_xs.c | 17 ++++++++++++-----
1 file changed, 12 insertions(+), 5 deletions(-)

diff --git a/drivers/xen/xenbus/xenbus_xs.c b/drivers/xen/xenbus/xenbus_xs.c
index 12e02eb01f5991b31db451cc57037205359b347f..7cb2a22a7698ac40c81add23476594d9f27de8d0 100644
--- a/drivers/xen/xenbus/xenbus_xs.c
+++ b/drivers/xen/xenbus/xenbus_xs.c
@@ -569,16 +569,20 @@ int xenbus_scanf(struct xenbus_transaction t,
const char *dir, const char *node, const char *fmt, ...)
{
va_list ap;
- int ret;
+ int ret = 0;
+ unsigned int len;
char *val;

- val = xenbus_read(t, dir, node, NULL);
+ val = xenbus_read(t, dir, node, &len);
if (IS_ERR(val))
return PTR_ERR(val);
+ if (strlen(val) != len)
+ goto bad;

va_start(ap, fmt);
ret = vsscanf(val, fmt, ap);
va_end(ap);
+bad:
kfree(val);
/* Distinctive errno. */
if (ret == 0)
@@ -636,15 +640,18 @@ int xenbus_gather(struct xenbus_transaction t, const char *dir, ...)
while (ret == 0 && (name = va_arg(ap, char *)) != NULL) {
const char *fmt = va_arg(ap, char *);
void *result = va_arg(ap, void *);
+ unsigned len;
char *p;

- p = xenbus_read(t, dir, name, NULL);
+ p = xenbus_read(t, dir, name, &len);
if (IS_ERR(p)) {
ret = PTR_ERR(p);
break;
}
- if (fmt) {
- if (sscanf(p, fmt, result) == 0)
+ if (strlen(p) != len)
+ ret = -EINVAL;
+ else if (fmt) {
+ if (sscanf(p, fmt, result) <= 0)
ret = -EINVAL;
kfree(p);
} else
--
Sincerely,
Demi Marie Obenour (she/her/hers)
Invisible Things Lab


2023-06-10 20:12:12

by kernel test robot

[permalink] [raw]
Subject: Re: [PATCH v2 1/3] vsscanf(): Integer overflow is a conversion failure

Hi Demi,

kernel test robot noticed the following build errors:

[auto build test ERROR on media-tree/master]
[also build test ERROR on lee-mfd/for-mfd-next xen-tip/linux-next linus/master lee-mfd/for-mfd-fixes v6.4-rc5 next-20230609]
[If your patch is applied to the wrong git tree, kindly drop us a note.
And when submitting patch, we suggest to use '--base' as documented in
https://git-scm.com/docs/git-format-patch#_base_tree_information]

url: https://github.com/intel-lab-lkp/linux/commits/Demi-Marie-Obenour/vsscanf-Integer-overflow-is-a-conversion-failure/20230611-010926
base: git://linuxtv.org/media_tree.git master
patch link: https://lore.kernel.org/r/20230610170743.2510-2-demi%40invisiblethingslab.com
patch subject: [PATCH v2 1/3] vsscanf(): Integer overflow is a conversion failure
config: arc-randconfig-r033-20230611 (https://download.01.org/0day-ci/archive/20230611/[email protected]/config)
compiler: arceb-elf-gcc (GCC) 12.3.0
reproduce (this is a W=1 build):
mkdir -p ~/bin
wget https://raw.githubusercontent.com/intel/lkp-tests/master/sbin/make.cross -O ~/bin/make.cross
chmod +x ~/bin/make.cross
git remote add media-tree git://linuxtv.org/media_tree.git
git fetch media-tree master
git checkout media-tree/master
b4 shazam https://lore.kernel.org/r/[email protected]
# save the config file
mkdir build_dir && cp config build_dir/.config
COMPILER_INSTALL_PATH=$HOME/0day COMPILER=gcc-12.3.0 ~/bin/make.cross W=1 O=build_dir ARCH=arc olddefconfig
COMPILER_INSTALL_PATH=$HOME/0day COMPILER=gcc-12.3.0 ~/bin/make.cross W=1 O=build_dir ARCH=arc SHELL=/bin/bash

If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <[email protected]>
| Closes: https://lore.kernel.org/oe-kbuild-all/[email protected]/

All errors (new ones prefixed by >>):

lib/vsprintf.c: In function 'simple_strtoll':
>> lib/vsprintf.c:163:16: error: too few arguments to function 'simple_strntoll'
163 | return simple_strntoll(cp, INT_MAX, endp, base);
| ^~~~~~~~~~~~~~~
lib/vsprintf.c:134:18: note: declared here
134 | static long long simple_strntoll(const char *cp, size_t max_chars, char **endp,
| ^~~~~~~~~~~~~~~
lib/vsprintf.c: In function 'va_format':
lib/vsprintf.c:1687:9: warning: function 'va_format' might be a candidate for 'gnu_printf' format attribute [-Wsuggest-attribute=format]
1687 | buf += vsnprintf(buf, end > buf ? end - buf : 0, va_fmt->fmt, va);
| ^~~
lib/vsprintf.c: In function 'simple_strtoll':
lib/vsprintf.c:164:1: error: control reaches end of non-void function [-Werror=return-type]
164 | }
| ^
cc1: some warnings being treated as errors


vim +/simple_strntoll +163 lib/vsprintf.c

900fdc4573766d Richard Fitzgerald 2021-05-14 152
^1da177e4c3f41 Linus Torvalds 2005-04-16 153 /**
^1da177e4c3f41 Linus Torvalds 2005-04-16 154 * simple_strtoll - convert a string to a signed long long
^1da177e4c3f41 Linus Torvalds 2005-04-16 155 * @cp: The start of the string
^1da177e4c3f41 Linus Torvalds 2005-04-16 156 * @endp: A pointer to the end of the parsed string will be placed here
^1da177e4c3f41 Linus Torvalds 2005-04-16 157 * @base: The number base to use
462e471107624f Eldad Zack 2012-12-17 158 *
e8cc2b97ca5aa1 Andy Shevchenko 2020-02-21 159 * This function has caveats. Please use kstrtoll instead.
^1da177e4c3f41 Linus Torvalds 2005-04-16 160 */
^1da177e4c3f41 Linus Torvalds 2005-04-16 161 long long simple_strtoll(const char *cp, char **endp, unsigned int base)
^1da177e4c3f41 Linus Torvalds 2005-04-16 162 {
900fdc4573766d Richard Fitzgerald 2021-05-14 @163 return simple_strntoll(cp, INT_MAX, endp, base);
^1da177e4c3f41 Linus Torvalds 2005-04-16 164 }
98d5ce0d004466 Hans Verkuil 2010-04-23 165 EXPORT_SYMBOL(simple_strtoll);
^1da177e4c3f41 Linus Torvalds 2005-04-16 166

--
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki

2023-06-10 20:36:37

by Dan Carpenter

[permalink] [raw]
Subject: Re: [PATCH v2 1/3] vsscanf(): Integer overflow is a conversion failure

On Sat, Jun 10, 2023 at 01:07:41PM -0400, Demi Marie Obenour wrote:
> ---
> .../hive_isp_css_include/platform_support.h | 1 -
> include/linux/limits.h | 1 +
> include/linux/mfd/wl1273-core.h | 3 -
> include/vdso/limits.h | 3 +
> lib/vsprintf.c | 82 ++++++++++++++-----
> 5 files changed, 67 insertions(+), 23 deletions(-)
>
> diff --git a/drivers/staging/media/atomisp/pci/hive_isp_css_include/platform_support.h b/drivers/staging/media/atomisp/pci/hive_isp_css_include/platform_support.h
> index 0cdef4a5e8b1bed9884133f1a0b9d853d59d43a4..e29b96d8bebf14839f6dd48fdc6c0f8b029ef31d 100644
> --- a/drivers/staging/media/atomisp/pci/hive_isp_css_include/platform_support.h
> +++ b/drivers/staging/media/atomisp/pci/hive_isp_css_include/platform_support.h
> @@ -27,7 +27,6 @@
>
> #define UINT16_MAX USHRT_MAX
> #define UINT32_MAX UINT_MAX
> -#define UCHAR_MAX (255)
>
> #define CSS_ALIGN(d, a) d __attribute__((aligned(a)))
>
> diff --git a/include/linux/limits.h b/include/linux/limits.h
> index f6bcc936901071f496e3e85bb6e1d93905b12e32..8f7fd85b41fb46e6992d9e5912da00424119227a 100644
> --- a/include/linux/limits.h
> +++ b/include/linux/limits.h
> @@ -8,6 +8,7 @@
>
> #define SIZE_MAX (~(size_t)0)
> #define SSIZE_MAX ((ssize_t)(SIZE_MAX >> 1))
> +#define SSIZE_MIN (-SSIZE_MAX - 1)
> #define PHYS_ADDR_MAX (~(phys_addr_t)0)
>
> #define U8_MAX ((u8)~0U)
> diff --git a/include/linux/mfd/wl1273-core.h b/include/linux/mfd/wl1273-core.h
> index c28cf76d5c31ee1c94a9319a2e2d318bf00283a6..b81a229135ed9f756c749122a8341816031c8311 100644
> --- a/include/linux/mfd/wl1273-core.h
> +++ b/include/linux/mfd/wl1273-core.h
> @@ -204,9 +204,6 @@
> WL1273_IS2_TRI_OPT | \
> WL1273_IS2_RATE_48K)
>
> -#define SCHAR_MIN (-128)
> -#define SCHAR_MAX 127
> -
> #define WL1273_FR_EVENT BIT(0)
> #define WL1273_BL_EVENT BIT(1)
> #define WL1273_RDS_EVENT BIT(2)
> diff --git a/include/vdso/limits.h b/include/vdso/limits.h
> index 0197888ad0e00b2f853d3f25ffa764f61cca7385..0cad0a2490e5efc194d874025eb3e3b846a5c7b4 100644
> --- a/include/vdso/limits.h
> +++ b/include/vdso/limits.h
> @@ -2,6 +2,9 @@
> #ifndef __VDSO_LIMITS_H
> #define __VDSO_LIMITS_H
>
> +#define UCHAR_MAX ((unsigned char)~0U)
> +#define SCHAR_MAX ((signed char)(UCHAR_MAX >> 1))
> +#define SCHAR_MIN ((signed char)(-SCHAR_MAX - 1))
> #define USHRT_MAX ((unsigned short)~0U)
> #define SHRT_MAX ((short)(USHRT_MAX >> 1))
> #define SHRT_MIN ((short)(-SHRT_MAX - 1))

It looks like you're going to have to redo these patches anyway for
various reasons. Could you pull the U/SCHAR_MAX changes out into a
separate patch?

> diff --git a/lib/vsprintf.c b/lib/vsprintf.c
> index 40f560959b169b4c4ac6154d658cfe76cfd0c5a6..8caccdcda0a2b470cda70c9b3837de37207eb512 100644
> --- a/lib/vsprintf.c
> +++ b/lib/vsprintf.c
> @@ -59,7 +59,7 @@
> bool no_hash_pointers __ro_after_init;
> EXPORT_SYMBOL_GPL(no_hash_pointers);
>
> -static noinline unsigned long long simple_strntoull(const char *startp, size_t max_chars, char **endp, unsigned int base)
> +static noinline unsigned long long simple_strntoull(const char *startp, size_t max_chars, char **endp, unsigned int base, bool *overflow)
> {
> const char *cp;
> unsigned long long result = 0ULL;
> @@ -71,6 +71,8 @@ static noinline unsigned long long simple_strntoull(const char *startp, size_t m
> if (prefix_chars < max_chars) {
> rv = _parse_integer_limit(cp, base, &result, max_chars - prefix_chars);
> /* FIXME */

It's not clear what this FIXME is for, but probably it should go next to
the cp += (rv & ~KSTRTOX_OVERFLOW); line? Does anyone know what it
means? Maybe just delete it.

> + if (overflow)
> + *overflow = !!(rv & KSTRTOX_OVERFLOW);
> cp += (rv & ~KSTRTOX_OVERFLOW);
> } else {

*overflow isn't initialized on the else path.

> /* Field too short for prefix + digit, skip over without converting */
> @@ -94,7 +96,7 @@ static noinline unsigned long long simple_strntoull(const char *startp, size_t m
> noinline
> unsigned long long simple_strtoull(const char *cp, char **endp, unsigned int base)
> {
> - return simple_strntoull(cp, INT_MAX, endp, base);
> + return simple_strntoull(cp, INT_MAX, endp, base, NULL);
> }
> EXPORT_SYMBOL(simple_strtoull);
>
> @@ -130,18 +132,22 @@ long simple_strtol(const char *cp, char **endp, unsigned int base)
> EXPORT_SYMBOL(simple_strtol);
>
> static long long simple_strntoll(const char *cp, size_t max_chars, char **endp,
> - unsigned int base)
> + unsigned int base, bool *overflow)
> {
> + unsigned long long minand;
> + bool negate;
> +
> /*
> * simple_strntoull() safely handles receiving max_chars==0 in the
> * case cp[0] == '-' && max_chars == 1.
> * If max_chars == 0 we can drop through and pass it to simple_strntoull()
> * and the content of *cp is irrelevant.
> */
> - if (*cp == '-' && max_chars > 0)
> - return -simple_strntoull(cp + 1, max_chars - 1, endp, base);
> -
> - return simple_strntoull(cp, max_chars, endp, base);
> + negate = *cp == '-' && max_chars > 0;
> + minand = simple_strntoull(cp + negate, max_chars - negate, endp, base, overflow);
> + if (minand > (unsigned long long)LONG_MAX + negate)
> + *overflow = true;
> + return negate ? -minand : minand;
> }
>
> /**
> @@ -3441,7 +3447,7 @@ int vsscanf(const char *buf, const char *fmt, va_list args)
> unsigned long long u;
> } val;
> s16 field_width;
> - bool is_sign;
> + bool is_sign, overflow, allow_overflow;
>
> while (*fmt) {
> /* skip any white space in format */
> @@ -3464,6 +3470,9 @@ int vsscanf(const char *buf, const char *fmt, va_list args)
> break;
> ++fmt;
>
> + allow_overflow = *fmt == '!';
> + fmt += (int)allow_overflow;
> +
> /* skip this conversion.
> * advance both strings to next white space
> */
> @@ -3649,45 +3658,80 @@ int vsscanf(const char *buf, const char *fmt, va_list args)
> if (is_sign)
> val.s = simple_strntoll(str,
> field_width >= 0 ? field_width : INT_MAX,
> - &next, base);
> + &next, base, &overflow);
> else
> val.u = simple_strntoull(str,
> field_width >= 0 ? field_width : INT_MAX,
> - &next, base);
> + &next, base, &overflow);
> + if (unlikely(overflow && !allow_overflow))

So that means that *overflow can be uninitialized here.

> + break;
>
> switch (qualifier) {

regards,
dan carpenter