Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1752997AbdF2SYn (ORCPT ); Thu, 29 Jun 2017 14:24:43 -0400 Received: from imap0.codethink.co.uk ([185.43.218.159]:38554 "EHLO imap0.codethink.co.uk" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751936AbdF2SYi (ORCPT ); Thu, 29 Jun 2017 14:24:38 -0400 Message-ID: <1498760667.1935.69.camel@codethink.co.uk> Subject: Re: [PATCH 4.4 03/26] lib/cmdline.c: fix get_options() overflow while parsing ranges From: Ben Hutchings To: "Ilya V. Matveychikov" Cc: linux-kernel@vger.kernel.org, stable@vger.kernel.org, Jonathan Corbet , Andrew Morton , Linus Torvalds , Greg Kroah-Hartman Date: Thu, 29 Jun 2017 19:24:27 +0100 In-Reply-To: <20170627124529.091915723@linuxfoundation.org> References: <20170627124528.581163327@linuxfoundation.org> <20170627124529.091915723@linuxfoundation.org> Organization: Codethink Ltd. Content-Type: text/plain; charset="UTF-8" X-Mailer: Evolution 3.12.9-1+b1 Mime-Version: 1.0 Content-Transfer-Encoding: 7bit Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 1740 Lines: 58 On Tue, 2017-06-27 at 14:49 +0200, Greg Kroah-Hartman wrote: > 4.4-stable review patch. If anyone has any objections, please let me know. > > ------------------ > > From: Ilya Matveychikov > > commit a91e0f680bcd9e10c253ae8b62462a38bd48f09f upstream. > > When using get_options() it's possible to specify a range of numbers, > like 1-100500. The problem is that it doesn't track array size while > calling internally to get_range() which iterates over the range and > fills the memory with numbers. [...] > --- a/lib/cmdline.c > +++ b/lib/cmdline.c > @@ -22,14 +22,14 @@ > * the values[M, M+1, ..., N] into the ints array in get_options. > */ > > -static int get_range(char **str, int *pint) > +static int get_range(char **str, int *pint, int n) > { > int x, inc_counter, upper_range; > > (*str)++; > upper_range = simple_strtol((*str), NULL, 0); > inc_counter = upper_range - *pint; > - for (x = *pint; x < upper_range; x++) > + for (x = *pint; n && x < upper_range; x++, n--) > *pint++ = x; > return inc_counter; > } But this still returns the number of integers in the range (minus 1)... > @@ -96,7 +96,7 @@ char *get_options(const char *str, int n > break; > if (res == 3) { > int range_nums; > - range_nums = get_range((char **)&str, ints + i); > + range_nums = get_range((char **)&str, ints + i, nints - i); > if (range_nums < 0) > break; > /* ...so that get_options() may set i > nints and ints[0] > nints - 1. That will presumably result in out-of-bounds reads in callers. (This set of functions really deserves to be given a test suite and then rewritten, because they are a *mess*.) Ben. -- Ben Hutchings Software Developer, Codethink Ltd.