Date: Fri, 6 Jan 2023 11:11:17 -0800
From: Kees Cook
To: Steven Rostedt
Cc: Petr Mladek, Sergey Shtylyov, Sergey Senozhatsky, Andy Shevchenko, Rasmus Villemoes, Linus Torvalds, linux-hardening@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH] vsprintf: fix possible NULL pointer deref in vsnprintf()
Message-ID: <202301061107.C56365E@keescook>
References: <1f4d159e-5382-3c75-bd5e-42337ecd8c28@omp.ru> <20230106121457.05edbbdf@gandalf.local.home>
In-Reply-To: <20230106121457.05edbbdf@gandalf.local.home>

On Fri, Jan 06, 2023 at 12:14:57PM -0500, Steven Rostedt wrote:
> On Fri, 6 Jan 2023 16:49:46 +0100
> Petr Mladek wrote:
>
> > > Index: linux/lib/vsprintf.c
> > > ===================================================================
> > > --- linux.orig/lib/vsprintf.c
> > > +++ linux/lib/vsprintf.c
> > > @@ -2738,6 +2738,15 @@ int vsnprintf(char *buf, size_t size, co
> > > if (WARN_ON_ONCE(size > INT_MAX))
> > > return 0;
> > >
> > > + /*
> > > + * C99 allows @buf to be NULL when @size is 0. We treat such NULL as if
> > > + * @buf pointed to 0-sized buffer, so we can both avoid a NULL pointer
> > > + * dereference and still return # of characters that would be written
> > > + * if @buf pointed to a valid buffer...
> > > + */
> > > + if (!buf)
> > > + size = 0;
> >
> > It makes sense except that it would hide bugs. It should print a
> > warning, for example:
>
> I agree. This is a bug, and should not be quietly ignored.

Yup.

>
> >
> > char *err_msg;
> >
> > err_msg = check_pointer_msg(buf);
> > if (err_msg) {
> > WARN_ONCE(1, "Invalid buffer passed to vsnprintf(). Trying to continue with 0 length limit\n");
> > size = 0;
> > }
>
> if (WARN_ONCE(err_msg, "Invalid buffer passed to vsnprintf(). Trying to continue with 0 length limit\n"))
> size = 0;

Also good. Please CC me for an Ack when this is a full patch. :)

-Kees

-- 
Kees Cook
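Review bot: the `+ if (!buf) size = 0;` branch at the end of the hunk silently masks a caller bug whenever a NULL @buf arrives together with a nonzero @size; the comment's C99 justification only covers the (NULL, 0) sizing-pass case, so the clamp should be loud for every other combination. The WARN_ONCE() variants proposed in the replies fix the silence but, as written, fire on any NULL @buf, including the (NULL, 0) call the hunk's own comment declares legal; condition the warning on @size being nonzero, e.g. `if (WARN_ONCE(!buf && size, "Invalid buffer passed to vsnprintf(). Trying to continue with 0 length limit\n")) size = 0;`, so the legitimate sizing pass stays quiet and the mismatch lands in the log while the function still returns the would-be length. The comment should also say that the clamp is error recovery, not a supported calling convention.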
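The three cases the thread distinguishes, as an added user-space example that is not kernel code and not part of the original message: the legal C99 sizing pass (NULL buffer, size 0), the caller bug (NULL buffer, nonzero size) which is reported and then survived by clamping the size to 0, and a normal call. The wrapper names `checked_vsnprintf`, `checked_snprintf` and `null_buf_warning_count`, and the `null_buf_warnings` counter standing in for the kernel's WARN_ONCE(), are assumptions of this example; the delegate is libc's vsnprintf(), not the kernel implementation.

```c
#include <limits.h>
#include <stdarg.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Count of NULL-buffer-with-nonzero-size calls seen so far. It stands in for
 * the kernel's WARN_ONCE(): the first hit prints, every hit is counted, so a
 * caller (or test) can observe that the bug was detected rather than hidden. */
static int null_buf_warnings;

/* Hypothetical wrapper mirroring the thread's proposal on top of libc's
 * vsnprintf(). A NULL buffer is only legal together with size == 0 (the C99
 * sizing pass); NULL with a nonzero size is a caller bug that we report and
 * then survive by clamping size to 0. */
int checked_vsnprintf(char *buf, size_t size, const char *fmt, va_list ap)
{
    /* Mirrors the existing WARN_ON_ONCE(size > INT_MAX) early exit. */
    if (size > INT_MAX)
        return 0;

    if (!buf && size != 0) {
        if (null_buf_warnings == 0)
            fprintf(stderr, "Invalid buffer passed to vsnprintf(). "
                            "Trying to continue with 0 length limit\n");
        null_buf_warnings++;
        size = 0;
    }

    /* With size == 0 nothing is written; the return value is the length the
     * full output would have had, which is exactly what a sizing pass wants. */
    return vsnprintf(buf, size, fmt, ap);
}

/* Variadic convenience front end, like snprintf() over vsnprintf(). */
int checked_snprintf(char *buf, size_t size, const char *fmt, ...)
{
    va_list ap;
    int n;

    va_start(ap, fmt);
    n = checked_vsnprintf(buf, size, fmt, ap);
    va_end(ap);
    return n;
}

/* Exposes the counter so callers can check that detection happened. */
int null_buf_warning_count(void)
{
    return null_buf_warnings;
}

int main(void)
{
    char out[32];
    int need, bug, n;

    need = checked_snprintf(NULL, 0, "pid=%d", 4242);        /* legal sizing pass, no warning */
    bug  = checked_snprintf(NULL, 16, "pid=%d", 4242);       /* caller bug: warned, clamped, still returns length */
    n    = checked_snprintf(out, sizeof out, "pid=%d", 4242); /* normal call */
    printf("need=%d bug=%d n=%d out=\"%s\" warnings=%d\n",
           need, bug, n, out, null_buf_warning_count());
    return 0;
}
```

All three calls return the same would-be length, which is why the buggy call is invisible unless the wrapper says something; the counter is what makes the difference observable.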