Received: by 2002:ad5:474a:0:0:0:0:0 with SMTP id i10csp4203131imu;
        Mon, 14 Jan 2019 17:28:18 -0800 (PST)
X-Google-Smtp-Source: ALg8bN75x7z5Gn3L91QA7m6hJM+4wz4Bk/WJ9kt/6cdhBfQEfw1mI88rKg/B0Ef3gsG4U7Cg+sP/
X-Received: by 2002:a17:902:45:: with SMTP id 63mr1391879pla.272.1547515698493;
        Mon, 14 Jan 2019 17:28:18 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1547515698; cv=none;
        d=google.com; s=arc-20160816;
        b=TMdHkfhjcFVDxNj4gpXw0yD3v6OeqMb//3lfdtTQE3rnSqKJuu0gDwHO9fUzrB8AFa
         ZbAHgdIC5v1DC+GUdCK8cuB242cvGqdVRhZQjVfzTGVnM2L76NWWa5gPma98u8B4Q1ul
         kAHigWaTmZSvG/9vmh04GROoutBEcJ3dw8ygnFREn65MvL93Bn4GcQStWk7bi3RZ2GVm
         GdquMv1+KuQumT9BXiZ88WPnAEeWnuLlIIvqY6CnUX1RCnhL8beNLDrGJzSR0hcT0m12
         dXrnzT5GWR+bUNqMKYEuHq+qjJzxSEENb1sr0xh1FHamukdHSVXPzBo5z6rN180ZZd8E
         pK4Q==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:cc:to:subject:message-id:date:from
         :in-reply-to:references:mime-version:dkim-signature;
        bh=/glRo+PwNhXl+8KxWNMyUyAGwpyFFP18lUKdE16Mes0=;
        b=c0ZJClS0BCH3aFtA6qND1OXKDK5P0iqAxK1EuM7w4FvzLdRfAgU0HobhEaFKwfCsIv
         RUVKjjZE3Z/jr4Geeu/VZRt7/DdHDlubK40nlzFeGk0pDgdHnWDHjfgf4egJWZ1Wbncx
         JRZMGysARhrWDb//5D9vOW0rENlaH7S9uhMiDArMMlhVC1IO35HSak/anHkMuOlP0LVh
         3zewXS5wSrbK9uumBa4Oj37VeMQuA+NCQ77PMz4+c8GKZlBV5eqnYR2G6Iqo/3Sqh+xa
         JtTVGsS332aaaB4qWCP0Bv5dbr6xdUIDXFZh5346+9MXw+AdEDJbODplKim5A1paubC0
         0udQ==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@chromium.org header.s=google header.b=LI54vBPY;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=chromium.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id j61si1744730plb.232.2019.01.14.17.28.03;
        Mon, 14 Jan 2019 17:28:18 -0800 (PST)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@chromium.org header.s=google header.b=LI54vBPY;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=chromium.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1727711AbfAOBOY (ORCPT <rfc822;sbrunau@gmail.com> + 99 others);
        Mon, 14 Jan 2019 20:14:24 -0500
Received: from mail-vs1-f66.google.com ([209.85.217.66]:43581 "EHLO
        mail-vs1-f66.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1727122AbfAOBOY (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Mon, 14 Jan 2019 20:14:24 -0500
Received: by mail-vs1-f66.google.com with SMTP id x1so650230vsc.10
        for <linux-kernel@vger.kernel.org>; Mon, 14 Jan 2019 17:14:23 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=chromium.org; s=google;
        h=mime-version:references:in-reply-to:from:date:message-id:subject:to
         :cc;
        bh=/glRo+PwNhXl+8KxWNMyUyAGwpyFFP18lUKdE16Mes0=;
        b=LI54vBPY8z+4b+2M6Yv5ZrzizDyxQT3xAnbrr/06OCn6g+EBFRBEaiNvM7s5MJf3cB
         oZFwrkTY3NOrVaojuZG28VNOVaaHG6C/ki1gvJqf0ZZb1j7AjBC/40k+KVlNcNhSCjav
         YakX+V9AVY7uWESKgOA1HUjtshTbEjwFfrhVs=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:mime-version:references:in-reply-to:from:date
         :message-id:subject:to:cc;
        bh=/glRo+PwNhXl+8KxWNMyUyAGwpyFFP18lUKdE16Mes0=;
        b=S5mtdsNKsk/RNG/ZOeZMElThdEZCpxkSIu0GHi+MC8qkLUzVPyDkmb86J3fjVyf3Zi
         S32puBewcb+74SW8Kgy/HGBOTjTB4XD380QDA7gYax26u4dSgVI41mQE3hP+OmSQv2VG
         OUXmlYAWKrrpWjc6QG2D1zMtHbv+I3sBUMelb9KkAKcKUuh/p/kSTvSIQfctv1MU6Kbd
         +I8Oao6PjLr/uPNaUIq1iuUWlpKtOigvkhrLXhz/C3ga3SSimiJQBo+TOOyaJSzgMGZu
         GTw45+nzBzVFqFEonzDlRgid95POCpMClUblTHXC9vA7eSMk+apDTE2A4F+Se1gG3U5w
         nONA==
X-Gm-Message-State: AJcUukfeL0Ze9cnCgR4n/WRymBVMmoyfsGBkUqDbs9rXTUvpMlYkkbP/
        VRAkT+9kmm5rD6+rBX8NtCq/FOxWsVE=
X-Received: by 2002:a67:c104:: with SMTP id d4mr546384vsj.171.1547514862692;
        Mon, 14 Jan 2019 17:14:22 -0800 (PST)
Received: from mail-ua1-f45.google.com (mail-ua1-f45.google.com. [209.85.222.45])
        by smtp.gmail.com with ESMTPSA id o1sm1187545uaj.4.2019.01.14.17.14.21
        for <linux-kernel@vger.kernel.org>
        (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
        Mon, 14 Jan 2019 17:14:21 -0800 (PST)
Received: by mail-ua1-f45.google.com with SMTP id d19so359536uaq.11
        for <linux-kernel@vger.kernel.org>; Mon, 14 Jan 2019 17:14:21 -0800 (PST)
X-Received: by 2002:ab0:470d:: with SMTP id h13mr577693uac.122.1547514860832;
 Mon, 14 Jan 2019 17:14:20 -0800 (PST)
MIME-Version: 1.0
References: <20190112152844.26550-1-w@1wt.eu> <20190112152844.26550-3-w@1wt.eu>
In-Reply-To: <20190112152844.26550-3-w@1wt.eu>
From:   Kees Cook <keescook@chromium.org>
Date:   Mon, 14 Jan 2019 17:14:09 -0800
X-Gmail-Original-Message-ID: <CAGXu5jK4VQe75MQuwAx6dxqv3F2nMUxCHGjQpPeuOE3Vq6iVBw@mail.gmail.com>
Message-ID: <CAGXu5jK4VQe75MQuwAx6dxqv3F2nMUxCHGjQpPeuOE3Vq6iVBw@mail.gmail.com>
Subject: Re: [PATCH 3/8] ocfs2: change snprintf to scnprintf for possible overflow
To:     Willy Tarreau <w@1wt.eu>
Cc:     Silvio Cesare <silvio.cesare@gmail.com>,
        LKML <linux-kernel@vger.kernel.org>,
        Mark Fasheh <mark@fasheh.com>,
        Joel Becker <jlbec@evilplan.org>,
        Dan Carpenter <dan.carpenter@oracle.com>,
        Will Deacon <will.deacon@arm.com>, Greg KH <greg@kroah.com>
Content-Type: text/plain; charset="UTF-8"
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Sat, Jan 12, 2019 at 7:28 AM Willy Tarreau <w@1wt.eu> wrote:
>
> From: Silvio Cesare <silvio.cesare@gmail.com>
>
> Change snprintf to scnprintf. There are generally two cases where using
> snprintf causes problems.
>
> 1) Uses of size += snprintf(buf, SIZE - size, fmt, ...)
> In this case, if snprintf would have written more characters than what the
> buffer size (SIZE) is, then size will end up larger than SIZE. In later
> uses of snprintf, SIZE - size will result in a negative number, leading
> to problems. Note that size might already be too large by using
> size = snprintf before the code reaches a case of size += snprintf.
>
> 2) If size is ultimately used as a length parameter for a copy back to user
> space, then it will potentially allow for a buffer overflow and information
> disclosure when size is greater than SIZE. When the size is used to index
> the buffer directly, we can have memory corruption. This also means when
> size = snprintf... is used, it may also cause problems since size may become
> large.  Copying to userspace is mitigated by the HARDENED_USERCOPY kernel
> configuration.
>
> The solution to these issues is to use scnprintf which returns the number of
> characters actually written to the buffer, so the size variable will never
> exceed SIZE.
>
> Signed-off-by: Silvio Cesare <silvio.cesare@gmail.com>
> Cc: Mark Fasheh <mark@fasheh.com>
> Cc: Joel Becker <jlbec@evilplan.org>
> Cc: Dan Carpenter <dan.carpenter@oracle.com>
> Cc: Kees Cook <keescook@chromium.org>
> Cc: Will Deacon <will.deacon@arm.com>
> Cc: Greg KH <greg@kroah.com>
> Signed-off-by: Willy Tarreau <w@1wt.eu>

Reviewed-by: Kees Cook <keescook@chromium.org>

-Kees

>
> ---
>  fs/ocfs2/cluster/heartbeat.c | 10 +++++-----
>  1 file changed, 5 insertions(+), 5 deletions(-)
>
> diff --git a/fs/ocfs2/cluster/heartbeat.c b/fs/ocfs2/cluster/heartbeat.c
> index 9b2ed62dd638..2a0af0887ba0 100644
> --- a/fs/ocfs2/cluster/heartbeat.c
> +++ b/fs/ocfs2/cluster/heartbeat.c
> @@ -1324,7 +1324,7 @@ static int o2hb_debug_open(struct inode *inode, struct file *file)
>
>         case O2HB_DB_TYPE_REGION_NUMBER:
>                 reg = (struct o2hb_region *)db->db_data;
> -               out += snprintf(buf + out, PAGE_SIZE - out, "%d\n",
> +               out += scnprintf(buf + out, PAGE_SIZE - out, "%d\n",
>                                 reg->hr_region_num);
>                 goto done;
>
> @@ -1334,12 +1334,12 @@ static int o2hb_debug_open(struct inode *inode, struct file *file)
>                 /* If 0, it has never been set before */
>                 if (lts)
>                         lts = jiffies_to_msecs(jiffies - lts);
> -               out += snprintf(buf + out, PAGE_SIZE - out, "%lu\n", lts);
> +               out += scnprintf(buf + out, PAGE_SIZE - out, "%lu\n", lts);
>                 goto done;
>
>         case O2HB_DB_TYPE_REGION_PINNED:
>                 reg = (struct o2hb_region *)db->db_data;
> -               out += snprintf(buf + out, PAGE_SIZE - out, "%u\n",
> +               out += scnprintf(buf + out, PAGE_SIZE - out, "%u\n",
>                                 !!reg->hr_item_pinned);
>                 goto done;
>
> @@ -1348,8 +1348,8 @@ static int o2hb_debug_open(struct inode *inode, struct file *file)
>         }
>
>         while ((i = find_next_bit(map, db->db_len, i + 1)) < db->db_len)
> -               out += snprintf(buf + out, PAGE_SIZE - out, "%d ", i);
> -       out += snprintf(buf + out, PAGE_SIZE - out, "\n");
> +               out += scnprintf(buf + out, PAGE_SIZE - out, "%d ", i);
> +       out += scnprintf(buf + out, PAGE_SIZE - out, "\n");
>
>  done:
>         i_size_write(inode, out);
> --
> 2.19.2
>


-- 
Kees Cook