Received: by 2002:a05:6358:3188:b0:123:57c1:9b43 with SMTP id q8csp929220rwd; Thu, 8 Jun 2023 09:32:13 -0700 (PDT) X-Google-Smtp-Source: ACHHUZ43uVt3W6Hr0eCM87dpQ0oz58tp4LlTN5T+Pm1k82l0M2b6PPmuymsTw/S6Qknol8bsjI2y X-Received: by 2002:a05:6a00:2d91:b0:63b:6149:7ad6 with SMTP id fb17-20020a056a002d9100b0063b61497ad6mr5871148pfb.34.1686241933489; Thu, 08 Jun 2023 09:32:13 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1686241933; cv=none; d=google.com; s=arc-20160816; b=jP3m+Zh0CMedSX2q7clWMQkcTrM5unEHMJuGC/7yxVbNYhPGPvtOxzldSquS90M7LM lzn1zfH7aRw/+FP7wJpTlWuCgyY/vPGR4w/F4KK9LpmPfXPzDku/MAyvOXDlU6hGbpDi P/33ty/EZyhr4SRmXK0mab+BGXVaVra8DMhHMd7hF+samWgSGlViBU0yY+o5xhhqTtVB lvslYoJ5pun0B0yxITPjRltGIH0sfboWFtk9lf/GqSCjgp5j0W0WZVoH74bOqrk3lzI2 FE8+2dsV9Kn8u4Hi1ttDOOgITvjrPD9TKhRKr6xAzR8c0n2AvxuJMio6hDA1JU32SNju Aw6g== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:thread-index:thread-topic :content-transfer-encoding:mime-version:subject:references :in-reply-to:message-id:cc:to:from:date; bh=ubf3ChPJq9spKQ9J/Fkx88Tgdy7jl4pMztvjYWSH8r0=; b=xNpyDTpaa9Uq9ringHP6oEWDv+TD29MU/wRpF/lbXfyZyRTy1xCGB5lBsiLIW7UA0c 2M3wSpflrHftpqkUylCEVYq77UL1KOLhwk17FyYYAEIcI91N86k8TNHQxzyApbJXwfjb EQS1/5gburzc436dKrWakoTMxyPacR/CynLo5wNT3bHcmFVQxzI95ciTWCL82y76ZdYw O7kToxx2wff254PUaplIV++7bKWXN0Y/e42W/kZYNyv8hiH6bbWcJ9Gk2Ez2gW1TYJ5M R98aqns7XjYgzbuXVhh8rK2lLyxubTUptnzkYt7arhuLWNtCNwOlar2Ba0Z23CY019QH qzww== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id c23-20020aa79537000000b00656f1d69ec6si1019319pfp.292.2023.06.08.09.32.01; Thu, 08 Jun 2023 09:32:13 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S232040AbjFHQMY convert rfc822-to-8bit (ORCPT + 99 others); Thu, 8 Jun 2023 12:12:24 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:57040 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S231192AbjFHQMX (ORCPT ); Thu, 8 Jun 2023 12:12:23 -0400 Received: from lithops.sigma-star.at (lithops.sigma-star.at [195.201.40.130]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 8C28311A; Thu, 8 Jun 2023 09:12:19 -0700 (PDT) Received: from localhost (localhost [127.0.0.1]) by lithops.sigma-star.at (Postfix) with ESMTP id 093FC605DED7; Thu, 8 Jun 2023 18:12:12 +0200 (CEST) Received: from lithops.sigma-star.at ([127.0.0.1]) by localhost (lithops.sigma-star.at [127.0.0.1]) (amavisd-new, port 10032) with ESMTP id YsTv-yOP3HrN; Thu, 8 Jun 2023 18:12:11 +0200 (CEST) Received: from localhost (localhost [127.0.0.1]) by lithops.sigma-star.at (Postfix) with ESMTP id 7E9E36081100; Thu, 8 Jun 2023 18:12:11 +0200 (CEST) Received: from lithops.sigma-star.at ([127.0.0.1]) by localhost (lithops.sigma-star.at [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id VYHkTxYt_ulp; Thu, 8 Jun 2023 18:12:11 +0200 (CEST) Received: from lithops.sigma-star.at (lithops.sigma-star.at [195.201.40.130]) by lithops.sigma-star.at (Postfix) with ESMTP id 508B4605DED7; Thu, 8 Jun 2023 18:12:11 +0200 (CEST) Date: Thu, 8 Jun 2023 18:12:11 +0200 (CEST) From: Richard Weinberger To: Petr Mladek Cc: Kees Cook , linux-hardening , netdev , linux-kernel , Steven Rostedt , senozhatsky , Andy Shevchenko , Rasmus Villemoes , davem , edumazet , kuba , pabeni , Miguel Ojeda , Alex Gaynor , Wedson Almeida Filho , Boqun Feng , Gary Guo , =?utf-8?Q?Bj=C3=B6rn?= Roy Baron , Benno Lossin , Alexei Starovoitov , Daniel Borkmann , Jesper Dangaard Brouer , John Fastabend Message-ID: <520885538.3699431.1686240731083.JavaMail.zimbra@nod.at> In-Reply-To: References: <20230607223755.1610-1-richard@nod.at> <202306071634.51BBAFD14@keescook> Subject: Re: [RFC PATCH 0/1] Integer overflows while scanning for integers MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8BIT X-Originating-IP: [195.201.40.130] X-Mailer: Zimbra 8.8.12_GA_3807 (ZimbraWebClient - FF97 (Linux)/8.8.12_GA_3809) Thread-Topic: Integer overflows while scanning for integers Thread-Index: eRz4qdIczSWHayESvWhfMkCVWHkibA== X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00,SPF_HELO_NONE, T_SCC_BODY_TEXT_LINE,T_SPF_PERMERROR autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org ----- Ursprüngliche Mail ----- > Von: "Petr Mladek" > On Wed 2023-06-07 16:36:12, Kees Cook wrote: >> On Thu, Jun 08, 2023 at 12:37:54AM +0200, Richard Weinberger wrote: >> > Hi! >> > >> > Lately I wondered whether users of integer scanning functions check >> > for overflows. >> > To detect such overflows around scanf I came up with the following >> > patch. It simply triggers a WARN_ON_ONCE() upon an overflow. >> > >> > After digging into various scanf users I found that the network device >> > naming code can trigger an overflow. >> > >> > e.g: >> > $ ip link add 1 type veth peer name 9999999999 >> > $ ip link set name "%d" dev 1 >> > >> > It will trigger the following WARN_ON_ONCE(): >> > ------------[ cut here ]------------ >> > WARNING: CPU: 2 PID: 433 at lib/vsprintf.c:3701 vsscanf+0x6ce/0x990 >> >> Hm, it's considered a bug if a WARN or BUG can be reached from >> userspace, > > Good point. WARN() does not look like the right way in this case. Well, the whole point of my RFC(!) patch is showing the issue and providing a way to actually find such call sites, like the netdev code. > Another problem is that some users use panic_on_warn. In this case, > the above "ip" command calls would trigger panic(). And it does not > look like an optimal behavior. Only if we don't fix netdev code. > I know there already are some WARN_ONs for similar situations, e.g. > set_field_width() or set_precision(). But these do not get random > values. And it would actually be nice to introduce something like > INFO() that would be usable for these less serious problems where > the backtrace is useful but they should never trigger panic(). > >> so this probably needs to be rearranged (or callers fixed). >> Do we need to change the scanf API for sane use inside the kernel? > > It seems that userspace implementation of sscanf() and vsscanf() > returns -ERANGE in this case. It might be a reasonable solution. > > Well, there is a risk of introducing security problems. The error > value might cause an underflow/overflow when the caller does not expect > a negative value. Agreed. Without inspecting all users of scanf we cannot change the API. > Alternative solution would be to update the "ip" code so that it > reads the number separately and treat zero return value as > -EINVAL. The kernel needs fixing, not userspace. Thanks, //richard