From: Richard Weinberger
To: linux-hardening@vger.kernel.org
Cc: netdev@vger.kernel.org, linux-kernel@vger.kernel.org, keescook@chromium.org, Richard Weinberger, Petr Mladek, Steven Rostedt, Sergey Senozhatsky, Andy Shevchenko, Rasmus Villemoes, "David S. Miller", Eric Dumazet, Jakub Kicinski, Paolo Abeni, Miguel Ojeda, Alex Gaynor, Wedson Almeida Filho, Boqun Feng, Gary Guo, Björn Roy Baron, Benno Lossin, Alexei Starovoitov, Daniel Borkmann, Jesper Dangaard Brouer, John Fastabend
Subject: [RFC PATCH 1/1] vsprintf: Warn on integer scanning overflows
Date: Thu, 8 Jun 2023 00:37:55 +0200
Message-Id: <20230607223755.1610-2-richard@nod.at>
In-Reply-To: <20230607223755.1610-1-richard@nod.at>
References: <20230607223755.1610-1-richard@nod.at>
Content-Transfer-Encoding: quoted-printable

The scanf function family has no way to indicate overflows while scanning. As a consequence, users of these functions have to make sure their input cannot cause an overflow. Since this is not always the case, add WARN_ON_ONCE() guards to trigger a warning upon an overflow.

Signed-off-by: Richard Weinberger
--- lib/vsprintf.c | 33 +++++++++++++++++++++++++-------- 1 file changed, 25 insertions(+), 8 deletions(-) diff --git a/lib/vsprintf.c b/lib/vsprintf.c index 40f560959b169..3d8d751306cdc 100644 --- a/lib/vsprintf.c +++ b/lib/vsprintf.c
@@ -70,6 +70,7 @@ static noinline unsigned long long simple_strntoull(con= st char *startp, size_t m prefix_chars =3D cp - startp; if (prefix_chars < max_chars) { rv =3D _parse_integer_limit(cp, base, &result, max_chars - prefix_char= s); + WARN_ON_ONCE(rv & KSTRTOX_OVERFLOW); /* FIXME */ cp +=3D (rv & ~KSTRTOX_OVERFLOW); } else { @@ -3657,22 +3658,34 @@ int vsscanf(const char *buf, const char *fmt, va_= list args) =20 switch (qualifier) { case 'H': /* that's 'hh' in format */ - if (is_sign) + if (is_sign) { + WARN_ON_ONCE(val.s > 127); + WARN_ON_ONCE(val.s < -128); *va_arg(args, signed char *) =3D val.s; - else + } else { + WARN_ON_ONCE(val.u > 255); *va_arg(args, unsigned char *) =3D val.u; + } break; case 'h': - if (is_sign) + if (is_sign) { + WARN_ON_ONCE(val.s > SHRT_MAX); + WARN_ON_ONCE(val.s < SHRT_MIN); *va_arg(args, short *) =3D val.s; - else + } else { + WARN_ON_ONCE(val.u > USHRT_MAX); *va_arg(args, unsigned short *) =3D val.u; + } break; case 'l': - if (is_sign) + if (is_sign) { + WARN_ON_ONCE(val.s > LONG_MAX); + WARN_ON_ONCE(val.s < LONG_MIN); *va_arg(args, long *) =3D val.s; - else + } else { + WARN_ON_ONCE(val.u > ULONG_MAX); *va_arg(args, unsigned long *) =3D val.u; + } break; case 'L': if (is_sign) @@ -3684,10 +3697,14 @@ int vsscanf(const char *buf, const char *fmt, va_= list args) *va_arg(args, size_t *) =3D val.u; break; default: - if (is_sign) + if (is_sign) { + WARN_ON_ONCE(val.s > INT_MAX); + WARN_ON_ONCE(val.s < INT_MIN); *va_arg(args, int *) =3D val.s; - else + } else { + WARN_ON_ONCE(val.u > UINT_MAX); *va_arg(args, unsigned int *) =3D val.u; + } break; } num++; --=20 2.35.3
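
Review bot: In the simple_strntoull() hunk, the added `WARN_ON_ONCE(rv & KSTRTOX_OVERFLOW); /* FIXME */` carries a FIXME that does not say what is still open. Please spell out the open question in the comment or in the commit message. The check also sits in the static helper rather than in vsscanf(), so it fires for every user of that helper, and the commit message itself says callers do not always control their input. A WARN that input can reach is a concern on systems that run with panic_on_warn, so either explain why WARN is acceptable here or consider a plain rate-limited message.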
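
Review bot: In the 'l' case of the second vsscanf() hunk, `WARN_ON_ONCE(val.s > LONG_MAX)`, `WARN_ON_ONCE(val.s < LONG_MIN)` and `WARN_ON_ONCE(val.u > ULONG_MAX)` can never be true on configurations where long is as wide as val.s and val.u, so there they are dead code and may draw always-false comparison warnings from the compiler. Please note in a comment that they only matter where long is narrower, or guard them accordingly. In the 'H' case of the same hunk, the literals 127, -128 and 255 would read better as named limits, in line with SHRT_MAX and USHRT_MAX in the 'h' case.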
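
Review bot: In the last vsscanf() hunk, the store through `size_t *` in the context just above `default:` gets no check, although it can narrow val.u just as the `unsigned long *` store can, and that one now has a guard. Please add a matching `WARN_ON_ONCE(val.u > SIZE_MAX)` or say in the commit message why this case is left out. Note also that after any of these warnings the out-of-range value is still stored and `num++` still counts the conversion, so the caller continues to see success; the commit message should state that the patch only reports the overflow and does not change the result.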