Received: by 2002:a05:6358:3188:b0:123:57c1:9b43 with SMTP id q8csp1447835rwd; Wed, 7 Jun 2023 16:55:03 -0700 (PDT) X-Google-Smtp-Source: ACHHUZ7927vd2KI/qNrSg8VXIIXom3Sy91+iTe/+Isjbp5Qb/9AYV1k+NEby2b8IYvvTCYOhKxQg X-Received: by 2002:ac8:5acf:0:b0:3f3:93cd:ff39 with SMTP id d15-20020ac85acf000000b003f393cdff39mr5550710qtd.31.1686182103499; Wed, 07 Jun 2023 16:55:03 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1686182103; cv=none; d=google.com; s=arc-20160816; b=EgBrFBjyJ6bxLBI1lwAAOGPtyseiCS8nfJOeYKltdPlTnuKuuj9Vvdilj0QtVtygR5 XuT8JCvOhlB4UwZR3AAAG4mD88NXzx76JaxWkqJaupuWw2pLtesKkgRmMjZkGLUMT5HX 4kgPrKpVwJEV/c8+QtYATi8LNanFHMSh2oM92CJ4V87VE6J3LhhmEepmsShZnbEnYVst DInTXN2R4pIKxLd87Ygw424a3GNCVyjUCl9KWG9bNzcaCqpJixQo9bU1/+YlU798wvVf rrvZzciL/7Nv+OnafOhp+cjM0d6ncjzaeAyfe6XQufD+YDi8aXJlqY/3xhgSydXxbTrx jh7Q== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:in-reply-to:content-disposition:mime-version :references:message-id:subject:cc:to:from:date:dkim-signature; bh=bV+QBIRbd/x+WNmZHSjuCVNmS4EwLkVhDD4/QF5LwNk=; b=c4FaGp7U/CgERBTovc6EFVzl9ARgY9kp4P9XEj+wYYFNRmBOLrssL6F/7gP3+QN0gV FoKqUPBehaMk+roDxMDPP+YbcjmkWMAye4oy+felrC8mWVhyh6uuEOHz3OUfYCj6YcMM vpze0maOAlbxpe6fy2Ntnj22FJEpii+O2A48Kw+Dnc4COgUiLFEjDHjYfAii9K1tdsFz AzMd7PG5J8kkzaVC5rdyPiHHmVWCErukIwf9lJoyZuZtYn+aHLEK71yZosyKtyxh+fq4 nQANEmDGS9Qif0LGA/b1jvXuNSOgOO+Hq32j6QQemYtXvosMwOc9XdtVIPx0VeY/uU+H uDHg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@chromium.org header.s=google header.b=Ik88XCvI; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=chromium.org Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id 2-20020a630202000000b00546838027aasi7339pgc.829.2023.06.07.16.54.51; Wed, 07 Jun 2023 16:55:03 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@chromium.org header.s=google header.b=Ik88XCvI; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=chromium.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S231577AbjFGXgR (ORCPT + 99 others); Wed, 7 Jun 2023 19:36:17 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:44896 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S231712AbjFGXgP (ORCPT ); Wed, 7 Jun 2023 19:36:15 -0400 Received: from mail-pf1-x435.google.com (mail-pf1-x435.google.com [IPv6:2607:f8b0:4864:20::435]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 66BC3268F for ; Wed, 7 Jun 2023 16:36:14 -0700 (PDT) Received: by mail-pf1-x435.google.com with SMTP id d2e1a72fcca58-65131e85be4so8098626b3a.1 for ; Wed, 07 Jun 2023 16:36:14 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; t=1686180974; x=1688772974; h=in-reply-to:content-disposition:mime-version:references:message-id :subject:cc:to:from:date:from:to:cc:subject:date:message-id:reply-to; bh=bV+QBIRbd/x+WNmZHSjuCVNmS4EwLkVhDD4/QF5LwNk=; b=Ik88XCvI4hJ6a3p3dYxnf2+7ZugbODinVbcRE5BytxNEbbTTldgODWhxxfct3EDVl8 OHla4HcW9Z0Xx9GrUV7HeHYZy4Ubu4XBdf3+GlqLzUfIZinEk8Nlf20AxB9Lvu8ugH2V NZbQ9Drkx0s7//LQf/au6HjQpueXauTefGqw4= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1686180974; x=1688772974; h=in-reply-to:content-disposition:mime-version:references:message-id :subject:cc:to:from:date:x-gm-message-state:from:to:cc:subject:date :message-id:reply-to; bh=bV+QBIRbd/x+WNmZHSjuCVNmS4EwLkVhDD4/QF5LwNk=; b=jO8i2WHCbVq8NsmrQdX0IZy9llqgOmtfTqIH7OUtppchhojq5vhmoar2NZg85+akJP I1mfZp0rTUwC7c2PSQBn8oqKMf809H9UNehBF1hEBE75/4R94VggiDqX2VvmgRl8PIRA NbpdD12AvNdMaNhh4BqjHbktZQ93dJ652tiyjujAlXivQFyNSG1EhrBaIZq5phz9DbiE 7IML7d08oTJ+jVTpnR7hSDHPDD09MCwUQdoVDnsa8kkQNk2YF6dlt/7DZ30sMheb0msL b4WJlEDXScggnpmxrSPQefUgaVd9llAuFB7XjLIpWIpCmsPK7h2UV6Kk3jjg4eAoa+XL dm2A== X-Gm-Message-State: AC+VfDwGM6uh6O1xFnXP3wXPVpel8VC2lrw1d09Fw2+J1q+BNiabugqX KLxYSLhMQ09hhlqL46p21DOZrw== X-Received: by 2002:a05:6a20:4c8:b0:110:9b0b:71b6 with SMTP id 8-20020a056a2004c800b001109b0b71b6mr3691768pzd.37.1686180973830; Wed, 07 Jun 2023 16:36:13 -0700 (PDT) Received: from www.outflux.net (198-0-35-241-static.hfc.comcastbusiness.net. [198.0.35.241]) by smtp.gmail.com with ESMTPSA id d18-20020aa78152000000b00640e64aa9b7sm9148225pfn.10.2023.06.07.16.36.12 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 07 Jun 2023 16:36:12 -0700 (PDT) Date: Wed, 7 Jun 2023 16:36:12 -0700 From: Kees Cook To: Richard Weinberger Cc: linux-hardening@vger.kernel.org, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, Petr Mladek , Steven Rostedt , Sergey Senozhatsky , Andy Shevchenko , Rasmus Villemoes , "David S. Miller" , Eric Dumazet , Jakub Kicinski , Paolo Abeni , Miguel Ojeda , Alex Gaynor , Wedson Almeida Filho , Boqun Feng , Gary Guo , =?iso-8859-1?Q?Bj=F6rn?= Roy Baron , Benno Lossin , Alexei Starovoitov , Daniel Borkmann , Jesper Dangaard Brouer , John Fastabend Subject: Re: [RFC PATCH 0/1] Integer overflows while scanning for integers Message-ID: <202306071634.51BBAFD14@keescook> References: <20230607223755.1610-1-richard@nod.at> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20230607223755.1610-1-richard@nod.at> X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_NONE, SPF_HELO_NONE,SPF_PASS,T_SCC_BODY_TEXT_LINE,URIBL_BLOCKED autolearn=unavailable autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Thu, Jun 08, 2023 at 12:37:54AM +0200, Richard Weinberger wrote: > Hi! > > Lately I wondered whether users of integer scanning functions check > for overflows. > To detect such overflows around scanf I came up with the following > patch. It simply triggers a WARN_ON_ONCE() upon an overflow. > > After digging into various scanf users I found that the network device > naming code can trigger an overflow. > > e.g: > $ ip link add 1 type veth peer name 9999999999 > $ ip link set name "%d" dev 1 > > It will trigger the following WARN_ON_ONCE(): > ------------[ cut here ]------------ > WARNING: CPU: 2 PID: 433 at lib/vsprintf.c:3701 vsscanf+0x6ce/0x990 Hm, it's considered a bug if a WARN or BUG can be reached from userspace, so this probably needs to be rearranged (or callers fixed). Do we need to change the scanf API for sane use inside the kernel? -Kees -- Kees Cook