From: Kees Cook
Date: Mon, 14 Jan 2019 17:14:09 -0800
Subject: Re: [PATCH 3/8] ocfs2: change snprintf to scnprintf for possible overflow
To: Willy Tarreau
Cc: Silvio Cesare, LKML, Mark Fasheh, Joel Becker, Dan Carpenter, Will Deacon, Greg KH
In-Reply-To: <20190112152844.26550-3-w@1wt.eu>
References: <20190112152844.26550-1-w@1wt.eu> <20190112152844.26550-3-w@1wt.eu>
X-Mailing-List: linux-kernel@vger.kernel.org

On Sat, Jan 12, 2019 at 7:28 AM Willy Tarreau wrote:
>
> From: Silvio Cesare
>
> Change snprintf to scnprintf. There are generally two cases where using
> snprintf causes problems.
>
> 1) Uses of size += snprintf(buf, SIZE - size, fmt, ...)
> In this case, if snprintf would have written more characters than what the
> buffer size (SIZE) is, then size will end up larger than SIZE. In later
> uses of snprintf, SIZE - size will result in a negative number, leading
> to problems. Note that size might already be too large by using
> size = snprintf before the code reaches a case of size += snprintf.
>
> 2) If size is ultimately used as a length parameter for a copy back to user
> space, then it will potentially allow for a buffer overflow and information
> disclosure when size is greater than SIZE. When the size is used to index
> the buffer directly, we can have memory corruption. This also means when
> size = snprintf... is used, it may also cause problems since size may become
> large. Copying to userspace is mitigated by the HARDENED_USERCOPY kernel
> configuration.
>
> The solution to these issues is to use scnprintf which returns the number of
> characters actually written to the buffer, so the size variable will never
> exceed SIZE.
>
> Signed-off-by: Silvio Cesare
> Cc: Mark Fasheh
> Cc: Joel Becker
> Cc: Dan Carpenter
> Cc: Kees Cook
> Cc: Will Deacon
> Cc: Greg KH
> Signed-off-by: Willy Tarreau

Reviewed-by: Kees Cook

-Kees

>
> ---
> fs/ocfs2/cluster/heartbeat.c | 10 +++++-----
> 1 file changed, 5 insertions(+), 5 deletions(-)
>
> diff --git a/fs/ocfs2/cluster/heartbeat.c b/fs/ocfs2/cluster/heartbeat.c
> index 9b2ed62dd638..2a0af0887ba0 100644
> --- a/fs/ocfs2/cluster/heartbeat.c
> +++ b/fs/ocfs2/cluster/heartbeat.c
> @@ -1324,7 +1324,7 @@ static int o2hb_debug_open(struct inode *inode, struct file *file) > > case O2HB_DB_TYPE_REGION_NUMBER: > reg = (struct o2hb_region *)db->db_data; > - out += snprintf(buf + out, PAGE_SIZE - out, "%d\n", > + out += scnprintf(buf + out, PAGE_SIZE - out, "%d\n", > reg->hr_region_num); > goto done; > > @@ -1334,12 +1334,12 @@ static int o2hb_debug_open(struct inode *inode, struct file *file) > /* If 0, it has never been set before */ > if (lts) > lts = jiffies_to_msecs(jiffies - lts); > - out += snprintf(buf + out, PAGE_SIZE - out, "%lu\n", lts); > + out += scnprintf(buf + out, PAGE_SIZE - out, "%lu\n", lts); > goto done; > > case O2HB_DB_TYPE_REGION_PINNED: > reg = (struct o2hb_region *)db->db_data; > - out += snprintf(buf + out, PAGE_SIZE - out, "%u\n", > + out += scnprintf(buf + out, PAGE_SIZE - out, "%u\n", > !!reg->hr_item_pinned); > goto done; > > @@ -1348,8 +1348,8 @@ static int o2hb_debug_open(struct inode *inode, struct file *file) > } > > while ((i = find_next_bit(map, db->db_len, i + 1)) < db->db_len) > - out += snprintf(buf + out, PAGE_SIZE - out, "%d ", i); > - out += snprintf(buf + out, PAGE_SIZE - out, "\n"); > + out += scnprintf(buf + out, PAGE_SIZE - out, "%d ", i); > + out += scnprintf(buf + out, PAGE_SIZE - out, "\n"); > > done: > i_size_write(inode, out); > -- > 2.19.2 > -- Kees Cook
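Review bot: The last hunk (the `while ((i = find_next_bit(map, db->db_len, i + 1)) < db->db_len)` loop) is the one place in this file where the old pattern can actually overshoot, and the commit message could say so: each `out += snprintf(buf + out, PAGE_SIZE - out, "%d ", i);` adds the would-be length even after the page is full, so on the next iteration `PAGE_SIZE - out` wraps to a huge size and `done: i_size_write(inode, out);` then advertises more bytes than the page holds. With scnprintf, `out` stops at PAGE_SIZE - 1 and the remaining calls store only the terminating NUL, which is the right behaviour, but the truncation is silent; a short comment at `done:` noting that a bitmap larger than a page is cut off would save the next reader from re-deriving this.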
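As an added illustration of the accumulating-offset problem the commit message describes (this is not code from the patch or from the kernel), the C below runs the heartbeat.c bitmap-loop pattern in userspace with snprintf and scnprintf side by side. The scnprintf here is a userspace re-implementation of the kernel function, BUF_SIZE stands in for PAGE_SIZE, and fill_bitmap and fill_result are names chosen for this example.

```c
/* Userspace model of the `out += snprintf(buf + out, PAGE_SIZE - out, ...)`
 * pattern from the heartbeat.c debugfs loop, run with snprintf and with
 * scnprintf side by side. BUF_SIZE stands in for PAGE_SIZE and is tiny so
 * that truncation is easy to hit. (Example code, not the kernel's.) */
#include <stdarg.h>
#include <stdio.h>

#define BUF_SIZE 16

/* Userspace re-implementation of the kernel's scnprintf(): like snprintf, but
 * returns the count actually stored (at most size - 1; 0 when size == 0), not
 * the count that would have been written with unlimited room. */
static int scnprintf(char *buf, size_t size, const char *fmt, ...)
{
	va_list ap;
	int i;
	va_start(ap, fmt);
	i = vsnprintf(buf, size, fmt, ap);
	va_end(ap);
	if (i < 0 || size == 0)
		return 0;
	return (size_t)i < size ? i : (int)size - 1;
}

struct fill_result { int out; int wrapped; };

/* Emulates the bitmap loop: bits 0..nbits-1 as "%d ", then "\n". .out is the
 * final offset (what done: hands to i_size_write()); .wrapped is set when out
 * has overshot the buffer so that PAGE_SIZE - out for the next call wrapped to
 * a huge size_t. The kernel call would then write past the page, so the
 * model stops there instead of making it. */
static struct fill_result fill_bitmap(int use_scnprintf, int nbits)
{
	char buf[BUF_SIZE];
	struct fill_result r = { 0, 0 };
	int i;

	for (i = 0; i <= nbits; i++) {
		size_t room = BUF_SIZE - r.out;	/* negative int -> huge size_t */
		const char *fmt = i < nbits ? "%d " : "\n";
		if (room > (size_t)BUF_SIZE) {
			r.wrapped = 1;
			break;
		}
		r.out += use_scnprintf ? scnprintf(buf + r.out, room, fmt, i)
				       : snprintf(buf + r.out, room, fmt, i);
	}
	return r;
}
```

With ten bits the snprintf variant leaves out at 18 in a 16-byte buffer and the next size argument wraps, while the scnprintf variant stops at 15 (BUF_SIZE - 1) and never wraps; three bits fit and both variants agree on 7.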