Date: Fri, 6 Jan 2023 12:14:57 -0500
From: Steven Rostedt
To: Petr Mladek
Cc: Sergey Shtylyov, Sergey Senozhatsky, Andy Shevchenko, Rasmus Villemoes, Kees Cook, Linus Torvalds, linux-hardening@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH] vsprintf: fix possible NULL pointer deref in vsnprintf()
Message-ID: <20230106121457.05edbbdf@gandalf.local.home>
In-Reply-To:
References: <1f4d159e-5382-3c75-bd5e-42337ecd8c28@omp.ru>

On Fri, 6 Jan 2023 16:49:46 +0100
Petr Mladek wrote:

> > Index: linux/lib/vsprintf.c
> > ===================================================================
> > --- linux.orig/lib/vsprintf.c
> > +++ linux/lib/vsprintf.c
> > @@ -2738,6 +2738,15 @@ int vsnprintf(char *buf, size_t size, co
> >  	if (WARN_ON_ONCE(size > INT_MAX))
> >  		return 0;
> >  
> > +	/*
> > +	 * C99 allows @buf to be NULL when @size is 0. We treat such NULL as if
> > +	 * @buf pointed to 0-sized buffer, so we can both avoid a NULL pointer
> > +	 * dereference and still return # of characters that would be written
> > +	 * if @buf pointed to a valid buffer...
> > +	 */
> > +	if (!buf)
> > +		size = 0;
>
> It makes sense except that it would hide bugs. It should print a
> warning, for example:

I agree. This is a bug, and should not be quietly ignored.

>
> 	char *err_msg;
>
> 	err_msg = check_pointer_msg(buf);
> 	if (err_msg) {
> 		WARN_ONCE(1, "Invalid buffer passed to vsnprintf(). Trying to continue with 0 length limit\n");
> 		size = 0;
> 	}

	if (WARN_ONCE(err_msg, "Invalid buffer passed to vsnprintf(). Trying to continue with 0 length limit\n"))
		size = 0;

;-)

-- Steve

>
> check_pointer_msg() allows catching even more buggy pointers. WARN()
> helps to locate the caller. WARN_ONCE() variant is used to prevent
> a potential infinite loop.
>
> > +
> >  	str = buf;
> >  	end = buf + size;
> >
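Review bot: the quiet `if (!buf) size = 0;` in this hunk hides caller bugs. The new comment only justifies a NULL @buf when @size is already 0, yet the check also swallows a NULL @buf with a non-zero @size, which is a genuine caller error, and it does so with no diagnostic, so the offending call site cannot be located. Warn on that path the same way the existing `WARN_ON_ONCE(size > INT_MAX)` two lines above does, for example `if (WARN_ONCE(!buf && size, "Invalid buffer passed to vsnprintf() ...")) size = 0;`, or route the check through check_pointer_msg() as suggested in the thread so other invalid pointer values are reported too. Use WARN_ONCE() rather than WARN() here: the warning itself is printed through vsnprintf(), so a repeating warning could loop.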