[PATCH v1 0/6] Make sscanf safer
From: Konstantin Khlebnikov
Date: Sun Mar 10 2019 - 12:56:36 EST
Standard sscanf isn't well designed for input validation:
* no way to detect integer overflow
* unmatched tail text is ignored
* no mandatory buffer overflow checks
All these problems were found in the wild in cgroup interfaces:
https://patchwork.kernel.org/patch/10831387/
https://lore.kernel.org/patchwork/patch/1046130/
This patchset has patches for the first two issues.
Unbounded "%s" is out of scope for now.
The second patch handles integer overflow as a parse error:
sscanf exits without touching the related argument.
The third patch adds a convenient way for checking that
the whole text was matched and nothing is left.
The fourth adds missing standard features for %[...],
this might be useful for input validation.
The fifth adds __must_check and will generate some new warnings.
The last is a simple test module for checking some basic and
new corner-cases added by this patchset.
Code hasn't changed much:
$ ./scripts/bloat-o-meter lib/vsprintf.o.old lib/vsprintf.o.new
add/remove: 0/0 grow/shrink: 1/0 up/down: 60/0 (60)
Function old new delta
vsscanf 2270 2330 +60
Total: Before=16904, After=16964, chg +0.35%
Unbounded "%s" could be fixed only by making field width mandatory.
There are only a few users and in most cases sscanf could be eliminated.
---
Konstantin Khlebnikov (6):
lib: scanf: document features of scanf format string
lib: scanf: handle integer overflows in vsscanf
lib: scanf: add vsscanf feature for matching end of text
lib: scanf: handle character ranges in %[...]
lib: scanf: mark sscanf and vsscanf as __must_check
lib: scanf: add test module
include/linux/kernel.h | 10 ++
lib/Kconfig.debug | 3 +
lib/Makefile | 1
lib/test_scanf.c | 252 ++++++++++++++++++++++++++++++++++++++++++++++++
lib/vsprintf.c | 153 +++++++++++++++++++++--------
5 files changed, 376 insertions(+), 43 deletions(-)
create mode 100644 lib/test_scanf.c
--
Signature
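The two sscanf weaknesses the cover letter targets (silent integer overflow and a silently ignored tail) can be seen from userspace. The following is an added example and is not code from the patch series or from the kernel: it contrasts plain `sscanf("%ld")` with a strict parser built on `strtol` that treats `ERANGE` and leftover text as errors and leaves the output argument untouched on failure, which is the behaviour the second and third patches aim for inside the kernel. It also shows the portable `%n` trick for checking that the whole text was consumed. The function and enum names (`parse_long_strict`, `sscanf_whole`, `PARSE_*`) and the sample inputs are this example's own, modelled on the kind of text written to a cgroup file.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Outcome of the strict parse below (names are this example's own). */
enum parse_status {
	PARSE_OK = 0,
	PARSE_NODIGITS,   /* nothing numeric at the start of the text */
	PARSE_OVERFLOW,   /* value does not fit in a long */
	PARSE_TRAILING    /* unmatched text left after the number */
};

/*
 * Parse the whole of 's' as a decimal long.  Unlike sscanf("%ld"):
 *  - overflow is reported (strtol sets ERANGE) and *out is left untouched,
 *  - anything left after the number, other than one trailing '\n' (writes
 *    to cgroup/sysfs files usually carry one), is a parse error.
 */
enum parse_status parse_long_strict(const char *s, long *out)
{
	char *end;
	long v;

	errno = 0;
	v = strtol(s, &end, 10);
	if (end == s)
		return PARSE_NODIGITS;
	if (errno == ERANGE)
		return PARSE_OVERFLOW;
	if (*end == '\n')
		end++;
	if (*end != '\0')
		return PARSE_TRAILING;
	*out = v;
	return PARSE_OK;
}

/* Plain sscanf for comparison: it counts conversions and ignores the tail. */
int sscanf_lenient(const char *s, long *out)
{
	return sscanf(s, "%ld", out);
}

/*
 * Portable way to insist that the whole text matched: "%n" stores the number
 * of characters consumed, so anything after that position is unmatched tail.
 */
int sscanf_whole(const char *s, long *out)
{
	int consumed = 0;

	if (sscanf(s, "%ld%n", out, &consumed) != 1)
		return 0;
	return s[consumed] == '\0';
}

int main(void)
{
	/* constructed inputs, modelled on what a cgroup file might be fed */
	const char *inputs[] = { "123\n", "123abc", "99999999999999999999999", "abc" };
	size_t i;

	for (i = 0; i < sizeof(inputs) / sizeof(inputs[0]); i++) {
		long lenient = 0, strict = 0;
		int n = sscanf_lenient(inputs[i], &lenient);
		enum parse_status st = parse_long_strict(inputs[i], &strict);

		printf("%-26s sscanf=%d value=%ld  strict=%d value=%ld  whole=%d\n",
		       inputs[i], n, lenient, (int)st, strict,
		       sscanf_whole(inputs[i], &lenient));
	}
	return 0;
}
```

Running it shows `sscanf_lenient` reporting one successful conversion for `"123abc"` (the tail is simply dropped), while `parse_long_strict` rejects it and the overflowing input, and `sscanf_whole` rejects any input with leftover characters. What `sscanf("%ld")` stores on overflow is implementation-defined in userspace, which is exactly why the strict parser checks `errno` instead of the returned value.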