[PATCH 06/12] scanf: fix type range overflow

From: Alexey Dobriyan
Date: Fri May 08 2015 - 14:34:41 EST

Next message: Alexey Dobriyan: "[PATCH 07/12] parse_integer: convert lib/"
Previous message: Alexey Dobriyan: "[PATCH 05/12] parse_integer: convert scanf()"
In reply to: Alexey Dobriyan: "[PATCH 05/12] parse_integer: convert scanf()"
Next in thread: Alexey Dobriyan: "[PATCH 07/12] parse_integer: convert lib/"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Fun fact:

uint8_t val;
sscanf("256", "%hhu", &val);

will return 1 and make val=0 (clearly bogus).

Userspace sscanf() reports 1 parsed value, returns incorrect value
but sets errno to ERANGE only for "%u" conversion and higher.
%hhu and %hu are left in the cold.

Having no way to report errno=ERANGE in kernel, don't report
successful parsing.

Patch allows to remove checks and switch to proper types
in several (most?) cases:

grep -e 'scanf.*%[0-9]\+[dioux]' -n -r .

Such checks can be incorrect too -- checking for 3 digits with %3u
for parsing uint8_t is not enough.

Signed-off-by: Alexey Dobriyan <adobriyan@xxxxxxxxx>
---
lib/vsprintf.c | 45 ++++++++++++++++++++++++++++++++++-----------
1 file changed, 34 insertions(+), 11 deletions(-)

diff --git a/lib/vsprintf.c b/lib/vsprintf.c
index 6509c54..58051b4 100644
--- a/lib/vsprintf.c
+++ b/lib/vsprintf.c
@@ -2632,44 +2632,67 @@ int vsscanf(const char *buf, const char *fmt, va_list args)

switch (qualifier) {
case 'H': /* that's 'hh' in format */
- if (is_sign)
+ if (is_sign) {
+ if (val.s != (signed char)val.s)
+ goto out;
*va_arg(args, signed char *) = val.s;
- else
+ } else {
+ if (val.u != (unsigned char)val.u)
+ goto out;
*va_arg(args, unsigned char *) = val.u;
+ }
break;
case 'h':
- if (is_sign)
+ if (is_sign) {
+ if (val.s != (short)val.s)
+ goto out;
*va_arg(args, short *) = val.s;
- else
+ } else {
+ if (val.u != (unsigned short)val.u)
+ goto out;
*va_arg(args, unsigned short *) = val.u;
+ }
break;
case 'l':
- if (is_sign)
+ if (is_sign) {
+ if (val.s != (long)val.s)
+ goto out;
*va_arg(args, long *) = val.s;
- else
+ } else {
+ if (val.u != (unsigned long)val.u)
+ goto out;
*va_arg(args, unsigned long *) = val.u;
+ }
break;
case 'L':
- if (is_sign)
+ if (is_sign) {
*va_arg(args, long long *) = val.s;
- else
+ } else {
*va_arg(args, unsigned long long *) = val.u;
+ }
break;
case 'Z':
case 'z':
+ if (val.u != (size_t)val.u)
+ goto out;
*va_arg(args, size_t *) = val.u;
break;
default:
- if (is_sign)
+ if (is_sign) {
+ if (val.s != (int)val.s)
+ goto out;
*va_arg(args, int *) = val.s;
- else
+ } else {
+ if (val.u != (unsigned int)val.u)
+ goto out;
*va_arg(args, unsigned int *) = val.u;
+ }
break;
}
num++;
str += len;
}
-
+out:
return num;
}
EXPORT_SYMBOL(vsscanf);
--
2.0.4

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Alexey Dobriyan: "[PATCH 07/12] parse_integer: convert lib/"
Previous message: Alexey Dobriyan: "[PATCH 05/12] parse_integer: convert scanf()"
In reply to: Alexey Dobriyan: "[PATCH 05/12] parse_integer: convert scanf()"
Next in thread: Alexey Dobriyan: "[PATCH 07/12] parse_integer: convert lib/"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]