[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [PATCH v2 1/3] vsscanf(): Integer overflow is a conversion failure

To: Demi Marie Obenour <demi@xxxxxxxxxxxxxxxxxxxxxx>
From: Dan Carpenter <dan.carpenter@xxxxxxxxxx>
Date: Sat, 10 Jun 2023 22:59:17 +0300
Cc: Hans de Goede <hdegoede@xxxxxxxxxx>, Mauro Carvalho Chehab <mchehab@xxxxxxxxxx>, Sakari Ailus <sakari.ailus@xxxxxxxxxxxxxxx>, Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>, Juergen Gross <jgross@xxxxxxxx>, Stefano Stabellini <sstabellini@xxxxxxxxxx>, Oleksandr Tyshchenko <oleksandr_tyshchenko@xxxxxxxx>, Lee Jones <lee@xxxxxxxxxx>, Andy Lutomirski <luto@xxxxxxxxxx>, Thomas Gleixner <tglx@xxxxxxxxxxxxx>, Vincenzo Frascino <vincenzo.frascino@xxxxxxx>, Petr Mladek <pmladek@xxxxxxxx>, Steven Rostedt <rostedt@xxxxxxxxxxx>, Sergey Senozhatsky <senozhatsky@xxxxxxxxxxxx>, Andy Shevchenko <andriy.shevchenko@xxxxxxxxxxxxxxx>, Rasmus Villemoes <linux@xxxxxxxxxxxxxxxxxx>, linux-media@xxxxxxxxxxxxxxx, linux-staging@xxxxxxxxxxxxxxx, linux-kernel@xxxxxxxxxxxxxxx, xen-devel@xxxxxxxxxxxxxxxxxxxx, Linus Torvalds <torvalds@xxxxxxxxxxxxxxxxxxxx>
Delivery-date: Sat, 10 Jun 2023 19:59:42 +0000
List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

On Sat, Jun 10, 2023 at 01:07:41PM -0400, Demi Marie Obenour wrote:
> ---
>  .../hive_isp_css_include/platform_support.h   |  1 -
>  include/linux/limits.h                        |  1 +
>  include/linux/mfd/wl1273-core.h               |  3 -
>  include/vdso/limits.h                         |  3 +
>  lib/vsprintf.c                                | 82 ++++++++++++++-----
>  5 files changed, 67 insertions(+), 23 deletions(-)
> 
> diff --git 
> a/drivers/staging/media/atomisp/pci/hive_isp_css_include/platform_support.h 
> b/drivers/staging/media/atomisp/pci/hive_isp_css_include/platform_support.h
> index 
> 0cdef4a5e8b1bed9884133f1a0b9d853d59d43a4..e29b96d8bebf14839f6dd48fdc6c0f8b029ef31d
>  100644
> --- 
> a/drivers/staging/media/atomisp/pci/hive_isp_css_include/platform_support.h
> +++ 
> b/drivers/staging/media/atomisp/pci/hive_isp_css_include/platform_support.h
> @@ -27,7 +27,6 @@
>  
>  #define UINT16_MAX USHRT_MAX
>  #define UINT32_MAX UINT_MAX
> -#define UCHAR_MAX  (255)
>  
>  #define CSS_ALIGN(d, a) d __attribute__((aligned(a)))
>  
> diff --git a/include/linux/limits.h b/include/linux/limits.h
> index 
> f6bcc936901071f496e3e85bb6e1d93905b12e32..8f7fd85b41fb46e6992d9e5912da00424119227a
>  100644
> --- a/include/linux/limits.h
> +++ b/include/linux/limits.h
> @@ -8,6 +8,7 @@
>  
>  #define SIZE_MAX     (~(size_t)0)
>  #define SSIZE_MAX    ((ssize_t)(SIZE_MAX >> 1))
> +#define SSIZE_MIN    (-SSIZE_MAX - 1)
>  #define PHYS_ADDR_MAX        (~(phys_addr_t)0)
>  
>  #define U8_MAX               ((u8)~0U)
> diff --git a/include/linux/mfd/wl1273-core.h b/include/linux/mfd/wl1273-core.h
> index 
> c28cf76d5c31ee1c94a9319a2e2d318bf00283a6..b81a229135ed9f756c749122a8341816031c8311
>  100644
> --- a/include/linux/mfd/wl1273-core.h
> +++ b/include/linux/mfd/wl1273-core.h
> @@ -204,9 +204,6 @@
>                                WL1273_IS2_TRI_OPT | \
>                                WL1273_IS2_RATE_48K)
>  
> -#define SCHAR_MIN (-128)
> -#define SCHAR_MAX 127
> -
>  #define WL1273_FR_EVENT                      BIT(0)
>  #define WL1273_BL_EVENT                      BIT(1)
>  #define WL1273_RDS_EVENT             BIT(2)
> diff --git a/include/vdso/limits.h b/include/vdso/limits.h
> index 
> 0197888ad0e00b2f853d3f25ffa764f61cca7385..0cad0a2490e5efc194d874025eb3e3b846a5c7b4
>  100644
> --- a/include/vdso/limits.h
> +++ b/include/vdso/limits.h
> @@ -2,6 +2,9 @@
>  #ifndef __VDSO_LIMITS_H
>  #define __VDSO_LIMITS_H
>  
> +#define UCHAR_MAX    ((unsigned char)~0U)
> +#define SCHAR_MAX    ((signed char)(UCHAR_MAX >> 1))
> +#define SCHAR_MIN    ((signed char)(-SCHAR_MAX - 1))
>  #define USHRT_MAX    ((unsigned short)~0U)
>  #define SHRT_MAX     ((short)(USHRT_MAX >> 1))
>  #define SHRT_MIN     ((short)(-SHRT_MAX - 1))

It looks like you're going to have to redo these patches anyway for
various reasons.  Could you pull the U/SCHAR_MAX changes out into a
separate patch?

> diff --git a/lib/vsprintf.c b/lib/vsprintf.c
> index 
> 40f560959b169b4c4ac6154d658cfe76cfd0c5a6..8caccdcda0a2b470cda70c9b3837de37207eb512
>  100644
> --- a/lib/vsprintf.c
> +++ b/lib/vsprintf.c
> @@ -59,7 +59,7 @@
>  bool no_hash_pointers __ro_after_init;
>  EXPORT_SYMBOL_GPL(no_hash_pointers);
>  
> -static noinline unsigned long long simple_strntoull(const char *startp, 
> size_t max_chars, char **endp, unsigned int base)
> +static noinline unsigned long long simple_strntoull(const char *startp, 
> size_t max_chars, char **endp, unsigned int base, bool *overflow)
>  {
>       const char *cp;
>       unsigned long long result = 0ULL;
> @@ -71,6 +71,8 @@ static noinline unsigned long long simple_strntoull(const 
> char *startp, size_t m
>       if (prefix_chars < max_chars) {
>               rv = _parse_integer_limit(cp, base, &result, max_chars - 
> prefix_chars);
>               /* FIXME */

It's not clear what this FIXME is for, but probably it should go next to
the cp += (rv & ~KSTRTOX_OVERFLOW); line?  Does anyone know what it
means?  Maybe just delete it.

> +             if (overflow)
> +                     *overflow = !!(rv & KSTRTOX_OVERFLOW);
>               cp += (rv & ~KSTRTOX_OVERFLOW);
>       } else {

*overflow isn't initialized on the else path.

>               /* Field too short for prefix + digit, skip over without 
> converting */
> @@ -94,7 +96,7 @@ static noinline unsigned long long simple_strntoull(const 
> char *startp, size_t m
>  noinline
>  unsigned long long simple_strtoull(const char *cp, char **endp, unsigned int 
> base)
>  {
> -     return simple_strntoull(cp, INT_MAX, endp, base);
> +     return simple_strntoull(cp, INT_MAX, endp, base, NULL);
>  }
>  EXPORT_SYMBOL(simple_strtoull);
>  
> @@ -130,18 +132,22 @@ long simple_strtol(const char *cp, char **endp, 
> unsigned int base)
>  EXPORT_SYMBOL(simple_strtol);
>  
>  static long long simple_strntoll(const char *cp, size_t max_chars, char 
> **endp,
> -                              unsigned int base)
> +                              unsigned int base, bool *overflow)
>  {
> +     unsigned long long minand;
> +     bool negate;
> +
>       /*
>        * simple_strntoull() safely handles receiving max_chars==0 in the
>        * case cp[0] == '-' && max_chars == 1.
>        * If max_chars == 0 we can drop through and pass it to 
> simple_strntoull()
>        * and the content of *cp is irrelevant.
>        */
> -     if (*cp == '-' && max_chars > 0)
> -             return -simple_strntoull(cp + 1, max_chars - 1, endp, base);
> -
> -     return simple_strntoull(cp, max_chars, endp, base);
> +     negate = *cp == '-' && max_chars > 0;
> +     minand = simple_strntoull(cp + negate, max_chars - negate, endp, base, 
> overflow);
> +     if (minand > (unsigned long long)LONG_MAX + negate)
> +             *overflow = true;
> +     return negate ? -minand : minand;
>  }
>  
>  /**
> @@ -3441,7 +3447,7 @@ int vsscanf(const char *buf, const char *fmt, va_list 
> args)
>               unsigned long long u;
>       } val;
>       s16 field_width;
> -     bool is_sign;
> +     bool is_sign, overflow, allow_overflow;
>  
>       while (*fmt) {
>               /* skip any white space in format */
> @@ -3464,6 +3470,9 @@ int vsscanf(const char *buf, const char *fmt, va_list 
> args)
>                       break;
>               ++fmt;
>  
> +             allow_overflow = *fmt == '!';
> +             fmt += (int)allow_overflow;
> +
>               /* skip this conversion.
>                * advance both strings to next white space
>                */
> @@ -3649,45 +3658,80 @@ int vsscanf(const char *buf, const char *fmt, va_list 
> args)
>               if (is_sign)
>                       val.s = simple_strntoll(str,
>                                               field_width >= 0 ? field_width 
> : INT_MAX,
> -                                             &next, base);
> +                                             &next, base, &overflow);
>               else
>                       val.u = simple_strntoull(str,
>                                                field_width >= 0 ? field_width 
> : INT_MAX,
> -                                              &next, base);
> +                                              &next, base, &overflow);
> +             if (unlikely(overflow && !allow_overflow))

So that means that *overflow can be uninitialized here.

> +                     break;
>  
>               switch (qualifier) {

regards,
dan carpenter

References:
- [PATCH v2 0/3] Make sscanf() stricter
  - From: Demi Marie Obenour
- [PATCH v2 1/3] vsscanf(): Integer overflow is a conversion failure
  - From: Demi Marie Obenour

Prev by Date: RE: [patch] x86/realmode: Make stack lock work in trampoline_compat()
Next by Date: [linux-linus test] 181359: regressions - FAIL
Previous by thread: Re: [PATCH v2 1/3] vsscanf(): Integer overflow is a conversion failure
Next by thread: [PATCH v2 2/3] vsscanf(): do not skip spaces
Index(es):
- Date
- Thread

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.