From patchwork Wed Jun 7 22:37:55 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Richard Weinberger X-Patchwork-Id: 13271431 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 95240C7EE25 for ; Wed, 7 Jun 2023 22:38:26 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S229584AbjFGWiZ (ORCPT ); Wed, 7 Jun 2023 18:38:25 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:47612 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S231178AbjFGWiZ (ORCPT ); Wed, 7 Jun 2023 18:38:25 -0400 Received: from lithops.sigma-star.at (lithops.sigma-star.at [195.201.40.130]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 05B299E; Wed, 7 Jun 2023 15:38:18 -0700 (PDT) Received: from localhost (localhost [127.0.0.1]) by lithops.sigma-star.at (Postfix) with ESMTP id 5876863CC10C; Thu, 8 Jun 2023 00:38:17 +0200 (CEST) Received: from lithops.sigma-star.at ([127.0.0.1]) by localhost (lithops.sigma-star.at [127.0.0.1]) (amavisd-new, port 10032) with ESMTP id 2NQlVBlpCf14; Thu, 8 Jun 2023 00:38:16 +0200 (CEST) Received: from localhost (localhost [127.0.0.1]) by lithops.sigma-star.at (Postfix) with ESMTP id D668963CC111; Thu, 8 Jun 2023 00:38:16 +0200 (CEST) Received: from lithops.sigma-star.at ([127.0.0.1]) by localhost (lithops.sigma-star.at [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id OnWj-RF31K1B; Thu, 8 Jun 2023 00:38:16 +0200 (CEST) Received: from foxxylove.corp.sigma-star.at (unknown [82.150.214.1]) by lithops.sigma-star.at (Postfix) with ESMTPSA id 2F98E63CC10C; Thu, 8 Jun 2023 00:38:16 +0200 (CEST) From: Richard Weinberger To: linux-hardening@vger.kernel.org Cc: netdev@vger.kernel.org, linux-kernel@vger.kernel.org, keescook@chromium.org, Richard Weinberger , Petr Mladek , Steven Rostedt , Sergey Senozhatsky , Andy Shevchenko , Rasmus Villemoes , "David S. Miller" , Eric Dumazet , Jakub Kicinski , Paolo Abeni , Miguel Ojeda , Alex Gaynor , Wedson Almeida Filho , Boqun Feng , Gary Guo , =?utf-8?q?Bj=C3=B6rn_Roy_Baron?= , Benno Lossin , Alexei Starovoitov , Daniel Borkmann , Jesper Dangaard Brouer , John Fastabend Subject: [RFC PATCH 1/1] vsprintf: Warn on integer scanning overflows Date: Thu, 8 Jun 2023 00:37:55 +0200 Message-Id: <20230607223755.1610-2-richard@nod.at> X-Mailer: git-send-email 2.35.3 In-Reply-To: <20230607223755.1610-1-richard@nod.at> References: <20230607223755.1610-1-richard@nod.at> MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: linux-hardening@vger.kernel.org The scanf function family has no way to indicate overflows while scanning. As consequence users of these function have to make sure their input cannot cause an overflow. Since this is not always the case add WARN_ON_ONCE() guards to trigger a warning upon an overflow. Signed-off-by: Richard Weinberger --- lib/vsprintf.c | 33 +++++++++++++++++++++++++-------- 1 file changed, 25 insertions(+), 8 deletions(-) diff --git a/lib/vsprintf.c b/lib/vsprintf.c index 40f560959b169..3d8d751306cdc 100644 --- a/lib/vsprintf.c +++ b/lib/vsprintf.c @@ -70,6 +70,7 @@ static noinline unsigned long long simple_strntoull(const char *startp, size_t m prefix_chars = cp - startp; if (prefix_chars < max_chars) { rv = _parse_integer_limit(cp, base, &result, max_chars - prefix_chars); + WARN_ON_ONCE(rv & KSTRTOX_OVERFLOW); /* FIXME */ cp += (rv & ~KSTRTOX_OVERFLOW); } else { @@ -3657,22 +3658,34 @@ int vsscanf(const char *buf, const char *fmt, va_list args) switch (qualifier) { case 'H': /* that's 'hh' in format */ - if (is_sign) + if (is_sign) { + WARN_ON_ONCE(val.s > 127); + WARN_ON_ONCE(val.s < -128); *va_arg(args, signed char *) = val.s; - else + } else { + WARN_ON_ONCE(val.u > 255); *va_arg(args, unsigned char *) = val.u; + } break; case 'h': - if (is_sign) + if (is_sign) { + WARN_ON_ONCE(val.s > SHRT_MAX); + WARN_ON_ONCE(val.s < SHRT_MIN); *va_arg(args, short *) = val.s; - else + } else { + WARN_ON_ONCE(val.u > USHRT_MAX); *va_arg(args, unsigned short *) = val.u; + } break; case 'l': - if (is_sign) + if (is_sign) { + WARN_ON_ONCE(val.s > LONG_MAX); + WARN_ON_ONCE(val.s < LONG_MIN); *va_arg(args, long *) = val.s; - else + } else { + WARN_ON_ONCE(val.u > ULONG_MAX); *va_arg(args, unsigned long *) = val.u; + } break; case 'L': if (is_sign) @@ -3684,10 +3697,14 @@ int vsscanf(const char *buf, const char *fmt, va_list args) *va_arg(args, size_t *) = val.u; break; default: - if (is_sign) + if (is_sign) { + WARN_ON_ONCE(val.s > INT_MAX); + WARN_ON_ONCE(val.s < INT_MIN); *va_arg(args, int *) = val.s; - else + } else { + WARN_ON_ONCE(val.u > UINT_MAX); *va_arg(args, unsigned int *) = val.u; + } break; } num++;