Received: by 2002:ad5:474a:0:0:0:0:0 with SMTP id i10csp1777694imu;
        Sat, 12 Jan 2019 07:31:59 -0800 (PST)
X-Google-Smtp-Source: ALg8bN6YznHAxK5wBzsP8a/2+ZWfg1xy67Hf1YmRY3Yavr+2EUshs7FAAD2ygcQuAJMz7mefO99D
X-Received: by 2002:a17:902:292b:: with SMTP id g40mr19166569plb.82.1547307119047;
        Sat, 12 Jan 2019 07:31:59 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1547307119; cv=none;
        d=google.com; s=arc-20160816;
        b=NNVeyK3a4+Tpz3qgFu56g57HeLNhrgzSTtfY7jBVSrJZYq4qfNg+OBcjKqut3ZMml8
         2sa1iibVbPZkKzsYqI+7CXGJxq9xaEepCJOGmwB6hGPGN4k0TkyAjC/J7fzN8kHcqhaS
         Y6sV4aZ74LR5k85kYPob6wgNfkZ9kBDxjukNq0JRQw2wzzs1iIfC3yjs4lqISrmSiN0S
         AdRH7enKuaEFNGx9CsFWD8o8kwWCMJmCaBpVS7z3q+ktJadiO0eFEQ+okV23ggzjY3xT
         smJT4uy8BNJyn5D21d3yatnBklmBewYHs9jc94q/+ISXFyZqFMK4z9MDYyswE4oVEYMA
         ThKg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:message-id:date:subject:cc:to:from;
        bh=ghgcZqxKWP80McA0SY9LwogwXdf9501jMA4kDKQIG0A=;
        b=Hv3Mj9hYv+1PCyCiQmx4gx0MBR3tl/QA7oYvz5ecLnedvVMshFRI4k+iU6+wJhOavR
         jNl/3aui2P7zIyPO1Oqs/3dOzfPvO3lZ9r+Rrk4pncAlTdgz6LLGjIU+hme3SQ3bVNyd
         aeXOX3yEhzPFRV+L+I2UiHZ5k2R3HFItHHnZwNCFC3g7sBOFL/9qvC0Teou+CVLE6aMO
         aRvDJna8d1GKNGYxALuwXJT+cmAyHWCa/n+kBF7F700j4LlPMkXe9Viq4LxkiVjhNrV1
         Fzg76pyCVghYfZNvzuAejA//YZRXFvElRSzhYWP6EDHTnTeT76ahkarBy2jc7JIaoHs9
         nA1Q==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id b61si1786324plb.70.2019.01.12.07.31.42;
        Sat, 12 Jan 2019 07:31:59 -0800 (PST)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1726527AbfALP3Y (ORCPT <rfc822;patchstalker@gmail.com>
        + 99 others); Sat, 12 Jan 2019 10:29:24 -0500
Received: from wtarreau.pck.nerim.net ([62.212.114.60]:34295 "EHLO 1wt.eu"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S1726433AbfALP3J (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Sat, 12 Jan 2019 10:29:09 -0500
Received: (from willy@localhost)
        by pcw.home.local (8.15.2/8.15.2/Submit) id x0CFSn53026596;
        Sat, 12 Jan 2019 16:28:49 +0100
From:   Willy Tarreau <w@1wt.eu>
To:     Silvio Cesare <silvio.cesare@gmail.com>
Cc:     linux-kernel@vger.kernel.org,
        Dan Carpenter <dan.carpenter@oracle.com>,
        Kees Cook <keescook@chromium.org>,
        Will Deacon <will.deacon@arm.com>, Greg KH <greg@kroah.com>
Subject: [PATCH 1/8] lkdtm: change snprintf to scnprintf for possible overflow
Date:   Sat, 12 Jan 2019 16:28:37 +0100
Message-Id: <20190112152844.26550-1-w@1wt.eu>
X-Mailer: git-send-email 2.9.0
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

From: Silvio Cesare <silvio.cesare@gmail.com>

Change snprintf to scnprintf. There are generally two cases where using
snprintf causes problems.

1) Uses of size += snprintf(buf, SIZE - size, fmt, ...)
In this case, if snprintf would have written more characters than what the
buffer size (SIZE) is, then size will end up larger than SIZE. In later
uses of snprintf, SIZE - size will result in a negative number, leading
to problems. Note that size might already be too large by using
size = snprintf before the code reaches a case of size += snprintf.

2) If size is ultimately used as a length parameter for a copy back to user
space, then it will potentially allow for a buffer overflow and information
disclosure when size is greater than SIZE. When the size is used to index
the buffer directly, we can have memory corruption. This also means when
size = snprintf... is used, it may also cause problems since size may become
large.  Copying to userspace is mitigated by the HARDENED_USERCOPY kernel
configuration.

The solution to these issues is to use scnprintf which returns the number of
characters actually written to the buffer, so the size variable will never
exceed SIZE.

Signed-off-by: Silvio Cesare <silvio.cesare@gmail.com>
Cc: Dan Carpenter <dan.carpenter@oracle.com>
Cc: Kees Cook <keescook@chromium.org>
Cc: Will Deacon <will.deacon@arm.com>
Cc: Greg KH <greg@kroah.com>
Signed-off-by: Willy Tarreau <w@1wt.eu>

---
 drivers/misc/lkdtm/core.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/misc/lkdtm/core.c b/drivers/misc/lkdtm/core.c
index 2837dc77478e..610aa3bfe630 100644
--- a/drivers/misc/lkdtm/core.c
+++ b/drivers/misc/lkdtm/core.c
@@ -347,9 +347,9 @@ static ssize_t lkdtm_debugfs_read(struct file *f, char __user *user_buf,
 	if (buf == NULL)
 		return -ENOMEM;
 
-	n = snprintf(buf, PAGE_SIZE, "Available crash types:\n");
+	n = scnprintf(buf, PAGE_SIZE, "Available crash types:\n");
 	for (i = 0; i < ARRAY_SIZE(crashtypes); i++) {
-		n += snprintf(buf + n, PAGE_SIZE - n, "%s\n",
+		n += scnprintf(buf + n, PAGE_SIZE - n, "%s\n",
 			      crashtypes[i].name);
 	}
 	buf[n] = '\0';
-- 
2.19.2