[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [PATCH 2/4] vsscanf(): Return -ERANGE on integer overflow

To: Christoph Hellwig <hch@xxxxxxxxxxxxx>
From: Richard Weinberger <richard@xxxxxx>
Date: Sat, 10 Jun 2023 10:10:26 +0200 (CEST)
Cc: Demi Marie Obenour <demi@xxxxxxxxxxxxxxxxxxxxxx>, torvalds <torvalds@xxxxxxxxxxxxxxxxxxxx>, Dwaipayan Ray <dwaipayanray1@xxxxxxxxx>, Lukas Bulwahn <lukas.bulwahn@xxxxxxxxx>, Joe Perches <joe@xxxxxxxxxxx>, Jonathan Corbet <corbet@xxxxxxx>, Federico Vaga <federico.vaga@xxxxxxxxxx>, jgross <jgross@xxxxxxxx>, Stefano Stabellini <sstabellini@xxxxxxxxxx>, Oleksandr Tyshchenko <oleksandr_tyshchenko@xxxxxxxx>, Lee Jones <lee@xxxxxxxxxx>, Andy Lutomirski <luto@xxxxxxxxxx>, tglx <tglx@xxxxxxxxxxxxx>, Vincenzo Frascino <vincenzo.frascino@xxxxxxx>, Petr Mladek <pmladek@xxxxxxxx>, Steven Rostedt <rostedt@xxxxxxxxxxx>, senozhatsky <senozhatsky@xxxxxxxxxxxx>, Andy Shevchenko <andriy.shevchenko@xxxxxxxxxxxxxxx>, Rasmus Villemoes <linux@xxxxxxxxxxxxxxxxxx>, Linux Doc Mailing List <linux-doc@xxxxxxxxxxxxxxx>, linux-kernel <linux-kernel@xxxxxxxxxxxxxxx>, xen-devel@xxxxxxxxxxxxxxxxxxxx
Delivery-date: Sat, 10 Jun 2023 08:10:38 +0000
List-id: Xen developer discussion <xen-devel.lists.xenproject.org>
Thread-index: p4ts5uhOrcG+8Y8hROgACAR25NuqQA==
Thread-topic: vsscanf(): Return -ERANGE on integer overflow

----- Ursprüngliche Mail -----
> Von: "Christoph Hellwig" <hch@xxxxxxxxxxxxx>
> [Adding Richard and Linus as they're having another overflow checking
> discussion and we should probably merge those]

Thx for letting me know!
 
> On Fri, Jun 09, 2023 at 10:57:57PM -0400, Demi Marie Obenour wrote:
>> Userspace sets errno to ERANGE, but the kernel can't do that.
> 
> That seems like a very parse commit log, and also kinda besides
> the point - the kernel always returns error in-line and not through
> errno.  I think you need to document here why we want to do the
> overflow checking (not that I doubt it, but it really needs to be
> in the commit message).
> 
> Leaving the rest of the quote here for the new arrivals.
> 
>> 
>> Signed-off-by: Demi Marie Obenour <demi@xxxxxxxxxxxxxxxxxxxxxx>
>> ---
>>  include/linux/limits.h          |  1 +
>>  include/linux/mfd/wl1273-core.h |  3 --
>>  include/vdso/limits.h           |  3 ++
>>  lib/vsprintf.c                  | 80 ++++++++++++++++++++++++---------
>>  4 files changed, 63 insertions(+), 24 deletions(-)
>> 
>> diff --git a/include/linux/limits.h b/include/linux/limits.h
>> index
>> f6bcc936901071f496e3e85bb6e1d93905b12e32..8f7fd85b41fb46e6992d9e5912da00424119227a
>> 100644
>> --- a/include/linux/limits.h
>> +++ b/include/linux/limits.h
>> @@ -8,6 +8,7 @@
>>  
>>  #define SIZE_MAX    (~(size_t)0)
>>  #define SSIZE_MAX   ((ssize_t)(SIZE_MAX >> 1))
>> +#define SSIZE_MIN   (-SSIZE_MAX - 1)
>>  #define PHYS_ADDR_MAX       (~(phys_addr_t)0)
>>  
>>  #define U8_MAX              ((u8)~0U)
>> diff --git a/include/linux/mfd/wl1273-core.h 
>> b/include/linux/mfd/wl1273-core.h
>> index
>> c28cf76d5c31ee1c94a9319a2e2d318bf00283a6..b81a229135ed9f756c749122a8341816031c8311
>> 100644
>> --- a/include/linux/mfd/wl1273-core.h
>> +++ b/include/linux/mfd/wl1273-core.h
>> @@ -204,9 +204,6 @@
>>                               WL1273_IS2_TRI_OPT | \
>>                               WL1273_IS2_RATE_48K)
>>  
>> -#define SCHAR_MIN (-128)
>> -#define SCHAR_MAX 127
>> -
>>  #define WL1273_FR_EVENT                     BIT(0)
>>  #define WL1273_BL_EVENT                     BIT(1)
>>  #define WL1273_RDS_EVENT            BIT(2)
>> diff --git a/include/vdso/limits.h b/include/vdso/limits.h
>> index
>> 0197888ad0e00b2f853d3f25ffa764f61cca7385..0cad0a2490e5efc194d874025eb3e3b846a5c7b4
>> 100644
>> --- a/include/vdso/limits.h
>> +++ b/include/vdso/limits.h
>> @@ -2,6 +2,9 @@
>>  #ifndef __VDSO_LIMITS_H
>>  #define __VDSO_LIMITS_H
>>  
>> +#define UCHAR_MAX   ((unsigned char)~0U)
>> +#define SCHAR_MAX   ((signed char)(UCHAR_MAX >> 1))
>> +#define SCHAR_MIN   ((signed char)(-SCHAR_MAX - 1))
>>  #define USHRT_MAX   ((unsigned short)~0U)
>>  #define SHRT_MAX    ((short)(USHRT_MAX >> 1))
>>  #define SHRT_MIN    ((short)(-SHRT_MAX - 1))
>> diff --git a/lib/vsprintf.c b/lib/vsprintf.c
>> index
>> a60d348efb276d66ca07fe464883408df7fdab97..9846d2385f5b9e8f3945a5664d81047e97cf10d5
>> 100644
>> --- a/lib/vsprintf.c
>> +++ b/lib/vsprintf.c
>> @@ -59,7 +59,7 @@
>>  bool no_hash_pointers __ro_after_init;
>>  EXPORT_SYMBOL_GPL(no_hash_pointers);
>>  
>> -static noinline unsigned long long simple_strntoull(const char *startp, 
>> size_t
>> max_chars, char **endp, unsigned int base)
>> +static noinline unsigned long long simple_strntoull(const char *startp, 
>> size_t
>> max_chars, char **endp, unsigned int base, bool *overflow)
>>  {
>>      const char *cp;
>>      unsigned long long result = 0ULL;
>> @@ -71,6 +71,8 @@ static noinline unsigned long long simple_strntoull(const 
>> char
>> *startp, size_t m
>>      if (prefix_chars < max_chars) {
>>              rv = _parse_integer_limit(cp, base, &result, max_chars - 
>> prefix_chars);
>>              /* FIXME */
>> +            if (overflow)
>> +                    *overflow = !!(rv & KSTRTOX_OVERFLOW);
>>              cp += (rv & ~KSTRTOX_OVERFLOW);
>>      } else {
>>              /* Field too short for prefix + digit, skip over without 
>> converting */
>> @@ -94,7 +96,7 @@ static noinline unsigned long long simple_strntoull(const 
>> char
>> *startp, size_t m
>>  noinline
>>  unsigned long long simple_strtoull(const char *cp, char **endp, unsigned int
>>  base)
>>  {
>> -    return simple_strntoull(cp, INT_MAX, endp, base);
>> +    return simple_strntoull(cp, INT_MAX, endp, base, NULL);
>>  }
>>  EXPORT_SYMBOL(simple_strtoull);
>>  
>> @@ -130,18 +132,22 @@ long simple_strtol(const char *cp, char **endp, 
>> unsigned
>> int base)
>>  EXPORT_SYMBOL(simple_strtol);
>>  
>>  static long long simple_strntoll(const char *cp, size_t max_chars, char 
>> **endp,
>> -                             unsigned int base)
>> +                             unsigned int base, bool *overflow)
>>  {
>> +    unsigned long long minand;
>> +    bool negate;
>> +
>>      /*
>>       * simple_strntoull() safely handles receiving max_chars==0 in the
>>       * case cp[0] == '-' && max_chars == 1.
>>       * If max_chars == 0 we can drop through and pass it to 
>> simple_strntoull()
>>       * and the content of *cp is irrelevant.
>>       */
>> -    if (*cp == '-' && max_chars > 0)
>> -            return -simple_strntoull(cp + 1, max_chars - 1, endp, base);
>> -
>> -    return simple_strntoull(cp, max_chars, endp, base);
>> +    negate = *cp == '-' && max_chars > 0;
>> +    minand = simple_strntoull(cp + negate, max_chars - negate, endp, base,
>> overflow);
>> +    if (minand > (unsigned long long)LONG_MAX + negate)
>> +            *overflow = true;
>> +    return negate ? -minand : minand;
>>  }
>>  
>>  static noinline_for_stack
>> @@ -3427,7 +3433,7 @@ int vsscanf(const char *buf, const char *fmt, va_list
>> args)
>>              unsigned long long u;
>>      } val;
>>      s16 field_width;
>> -    bool is_sign;
>> +    bool is_sign, overflow;
>>  
>>      while (*fmt) {
>>              /* skip any white space in format */
>> @@ -3635,45 +3641,77 @@ int vsscanf(const char *buf, const char *fmt, va_list
>> args)
>>              if (is_sign)
>>                      val.s = simple_strntoll(str,
>>                                              field_width >= 0 ? field_width 
>> : INT_MAX,
>> -                                            &next, base);
>> +                                            &next, base, &overflow);
>>              else
>>                      val.u = simple_strntoull(str,
>>                                               field_width >= 0 ? field_width 
>> : INT_MAX,
>> -                                             &next, base);
>> +                                             &next, base, &overflow);
>> +            if (unlikely(overflow))
>> +                    return -ERANGE;
>>  
>>              switch (qualifier) {
>>              case 'H':       /* that's 'hh' in format */
>> -                    if (is_sign)
>> +                    if (is_sign) {
>> +                            if (unlikely(val.s < SCHAR_MIN || val.s > 
>> SCHAR_MAX))
>> +                                    return -ERANGE;
>>                              *va_arg(args, signed char *) = val.s;
>> -                    else
>> +                    } else {
>> +                            if (unlikely(val.u > UCHAR_MAX))
>> +                                    return -ERANGE;
>>                              *va_arg(args, unsigned char *) = val.u;
>> +                    }
>>                      break;
>>              case 'h':
>> -                    if (is_sign)
>> +                    if (is_sign) {
>> +                            if (unlikely(val.s < SHRT_MIN || val.s > 
>> SHRT_MAX))
>> +                                    return -ERANGE;

Returning a negative value here will break many existing in-kernel users.
Most users just check for the number of matched elements.

Linus' idea was returning 0 upon overflow (nothing matched) and allowing
overflows (if really needed) by adding a new format string qualifier "!".
e.g. "%!d".

Thanks,
//richard

References:
- [PATCH 1/4] Rip out simple_strtoll()
  - From: Demi Marie Obenour
- [PATCH 2/4] vsscanf(): Return -ERANGE on integer overflow
  - From: Demi Marie Obenour
- Re: [PATCH 2/4] vsscanf(): Return -ERANGE on integer overflow
  - From: Christoph Hellwig

Prev by Date: [xen-unstable test] 181352: tolerable FAIL - PUSHED
Next by Date: [qemu-mainline test] 181356: regressions - FAIL
Previous by thread: Re: [PATCH 2/4] vsscanf(): Return -ERANGE on integer overflow
Next by thread: Re: [PATCH 2/4] vsscanf(): Return -ERANGE on integer overflow
Index(es):
- Date
- Thread

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.