Received: by 2002:a25:ab43:0:0:0:0:0 with SMTP id u61csp98549ybi; Fri, 24 May 2019 00:28:04 -0700 (PDT) X-Google-Smtp-Source: APXvYqxQ79WBkNQGtxvdU6+vd6aVVU6Og7tnnB7ODgoPXiEWT4Fv79qmkxa2xHXistVtX/35Vzfu X-Received: by 2002:a17:90b:d8c:: with SMTP id bg12mr7139366pjb.70.1558682883926; Fri, 24 May 2019 00:28:03 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1558682883; cv=none; d=google.com; s=arc-20160816; b=LYG9usn3HnjrmVwfnYSmBdzWtcWQOLmXq+rWkYWrxR24V6mC7/byhF5/qJRKsY8RAm ThoAwOsQaWRTJxzfSTGvI5ouLY/8MKee6Sfv6xD980sIelMSvLgG549mTp7ExxGvsdGI lw1poIjU0/HhA6k1yHctOgQz+eLn3dW5fhXAgTGpJQvIDzGs2nxx5MXuUdIkFMhgsSUv 0xdavrGDWKigzGHCh7Rp/SKMd13ZOoErFsbKzor2gOsHeHRtdg9ZxyORjbqbWzjxEAyp SjIt/j2/BPhUSXc/txyyuunitYqllRn4ppwGS5RU4HCDzk0/yL3giZfnM7OmCOcMkZNE qtPQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-disposition :content-transfer-encoding:mime-version:in-reply-to:references :subject:cc:to:from:date:message-id; bh=r0lLb+W7S89u8R0FTCvMeIKYeSBr0Vvrl+WCeot7PI0=; b=vqZyhvuxKnjHwvEYGsoi4ecJ4jY8Xe/FIyChWaYS7z2tTKMekW25IXL+LUOL9aJYKZ kdZUkbAcEv+2XZodKWCNxxogLCWGId12eyklrRWJqZ+FH3Ia5KHhz4iBjTFnTGkSU/1z 3JvAFkKNfzcil+G8678uqlzRivT3l95LoZYuZaOvzDqfR55OnGvmjUJCzGVw2n9ITKH+ iO0H6FjA9wcCLQ7p3TSiaDAcWtfg5qUhmkJ+hIcufc4tYzDSjF94unITDnVBi+gYe+5/ SXA+Cq2hoo4xLO8Q3bhB1HmWbcMp6H7zYZrkcdzy08LGtNrIixa+cj60Ob7HXhyHEBJ2 ESLA== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id b13si2675867plz.194.2019.05.24.00.27.45; Fri, 24 May 2019 00:28:03 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S2389115AbfEXHYn convert rfc822-to-8bit (ORCPT + 99 others); Fri, 24 May 2019 03:24:43 -0400 Received: from prv1-mh.provo.novell.com ([137.65.248.33]:46880 "EHLO prv1-mh.provo.novell.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S2388982AbfEXHYm (ORCPT ); Fri, 24 May 2019 03:24:42 -0400 Received: from INET-PRV1-MTA by prv1-mh.provo.novell.com with Novell_GroupWise; Fri, 24 May 2019 01:24:40 -0600 Message-Id: <5CE79C360200007800231E1D@prv1-mh.provo.novell.com> X-Mailer: Novell GroupWise Internet Agent 18.1.1 Date: Fri, 24 May 2019 01:24:38 -0600 From: "Jan Beulich" To: "Fredrik Noring" Cc: , , "Jessica Yu" , Subject: Re: [PATCH RFC] sscanf: Fix integer overflow with sscanf field width References: <20190523172758.GA54373@sx9> In-Reply-To: <20190523172758.GA54373@sx9> Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 8BIT Content-Disposition: inline Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org >>> On 23.05.19 at 19:27, wrote: > This fixes 53809751ac23 ("sscanf: don't ignore field widths for numeric > conversions"). sscanf overflows integers with simple strings such as dates. > As an example, consider > > r = sscanf("20190523123456", "%4d%2d%2d%2d%2d%2d", > &year, &month, &day, > &hour, &minute, &second); > > pr_info("%d %04d-%02d-%2d %02d:%02d:%02d\n", > r, > year, month, day, > hour, minute, second); > > On a 32-bit machine this prints > > 6 0000-05-23 12:34:56 > > where the year is zero, and not 2019 as expected. The reason is that sscanf > attempts to read 20190523123456 as a whole integer and then divide it with > 10^10 to obtain 2019, which obviously fails. Of course, 64-bit machines fail > similarly on longer numerical strings. Right, and that's also what that commit's description says remains as non-conforming behavior. > I'm offering a simple patch to correct this below. The idea is to have a > variant of _parse_integer() called _parse_integer_end(), with the ability > to stop consuming digits. The functions > > simple_{strtol,strtoll,strtoul,strtoull}() > > now have the corresponding > > sscanf_{strtol,strtoll,strtoul,strtoull}() > > taking a field width into account. There are some code duplication issues > etc. so one might consider making more extensive changes than these. I'm not the maintainer here, but to me it looks mostly okay. > +static long sscanf_strtol(const char *cp, int field_width, > + char **endp, unsigned int base) > +{ > + if (*cp == '-') > + return -sscanf_strtoul(cp + 1, field_width - 1, endp, base); I'm afraid you may neither convert a field width of zero to -1 here, nor convert a field width of 1 to zero (unlimited). I'd also like to note that the 'u' and 'x' format characters also accept a sign as per the standard, but that's an orthogonal issue which you may or may not want to address at the same time. Jan