From: Richard Weinberger <richard@nod.at>
To: Christoph Hellwig <hch@infradead.org>
Cc: Demi Marie Obenour <demi@invisiblethingslab.com>,
torvalds <torvalds@linux-foundation.org>,
Dwaipayan Ray <dwaipayanray1@gmail.com>,
Lukas Bulwahn <lukas.bulwahn@gmail.com>,
Joe Perches <joe@perches.com>, Jonathan Corbet <corbet@lwn.net>,
Federico Vaga <federico.vaga@vaga.pv.it>,
jgross <jgross@suse.com>,
Stefano Stabellini <sstabellini@kernel.org>,
Oleksandr Tyshchenko <oleksandr_tyshchenko@epam.com>,
Lee Jones <lee@kernel.org>, Andy Lutomirski <luto@kernel.org>,
tglx <tglx@linutronix.de>,
Vincenzo Frascino <vincenzo.frascino@arm.com>,
Petr Mladek <pmladek@suse.com>,
Steven Rostedt <rostedt@goodmis.org>,
senozhatsky <senozhatsky@chromium.org>,
Andy Shevchenko <andriy.shevchenko@linux.intel.com>,
Rasmus Villemoes <linux@rasmusvillemoes.dk>,
Linux Doc Mailing List <linux-doc@vger.kernel.org>,
linux-kernel <linux-kernel@vger.kernel.org>,
xen-devel@lists.xenproject.org
Subject: Re: [PATCH 2/4] vsscanf(): Return -ERANGE on integer overflow
Date: Sat, 10 Jun 2023 10:10:26 +0200 (CEST) [thread overview]
Message-ID: <880576435.3707190.1686384626249.JavaMail.zimbra@nod.at> (raw)
In-Reply-To: <ZIQrevjNjMn9cBRM@infradead.org>
----- Ursprüngliche Mail -----
> Von: "Christoph Hellwig" <hch@infradead.org>
> [Adding Richard and Linus as they're having another overflow checking
> discussion and we should probably merge those]
Thx for letting me know!
> On Fri, Jun 09, 2023 at 10:57:57PM -0400, Demi Marie Obenour wrote:
>> Userspace sets errno to ERANGE, but the kernel can't do that.
>
> That seems like a very parse commit log, and also kinda besides
> the point - the kernel always returns error in-line and not through
> errno. I think you need to document here why we want to do the
> overflow checking (not that I doubt it, but it really needs to be
> in the commit message).
>
> Leaving the rest of the quote here for the new arrivals.
>
>>
>> Signed-off-by: Demi Marie Obenour <demi@invisiblethingslab.com>
>> ---
>> include/linux/limits.h | 1 +
>> include/linux/mfd/wl1273-core.h | 3 --
>> include/vdso/limits.h | 3 ++
>> lib/vsprintf.c | 80 ++++++++++++++++++++++++---------
>> 4 files changed, 63 insertions(+), 24 deletions(-)
>>
>> diff --git a/include/linux/limits.h b/include/linux/limits.h
>> index
>> f6bcc936901071f496e3e85bb6e1d93905b12e32..8f7fd85b41fb46e6992d9e5912da00424119227a
>> 100644
>> --- a/include/linux/limits.h
>> +++ b/include/linux/limits.h
>> @@ -8,6 +8,7 @@
>>
>> #define SIZE_MAX (~(size_t)0)
>> #define SSIZE_MAX ((ssize_t)(SIZE_MAX >> 1))
>> +#define SSIZE_MIN (-SSIZE_MAX - 1)
>> #define PHYS_ADDR_MAX (~(phys_addr_t)0)
>>
>> #define U8_MAX ((u8)~0U)
>> diff --git a/include/linux/mfd/wl1273-core.h b/include/linux/mfd/wl1273-core.h
>> index
>> c28cf76d5c31ee1c94a9319a2e2d318bf00283a6..b81a229135ed9f756c749122a8341816031c8311
>> 100644
>> --- a/include/linux/mfd/wl1273-core.h
>> +++ b/include/linux/mfd/wl1273-core.h
>> @@ -204,9 +204,6 @@
>> WL1273_IS2_TRI_OPT | \
>> WL1273_IS2_RATE_48K)
>>
>> -#define SCHAR_MIN (-128)
>> -#define SCHAR_MAX 127
>> -
>> #define WL1273_FR_EVENT BIT(0)
>> #define WL1273_BL_EVENT BIT(1)
>> #define WL1273_RDS_EVENT BIT(2)
>> diff --git a/include/vdso/limits.h b/include/vdso/limits.h
>> index
>> 0197888ad0e00b2f853d3f25ffa764f61cca7385..0cad0a2490e5efc194d874025eb3e3b846a5c7b4
>> 100644
>> --- a/include/vdso/limits.h
>> +++ b/include/vdso/limits.h
>> @@ -2,6 +2,9 @@
>> #ifndef __VDSO_LIMITS_H
>> #define __VDSO_LIMITS_H
>>
>> +#define UCHAR_MAX ((unsigned char)~0U)
>> +#define SCHAR_MAX ((signed char)(UCHAR_MAX >> 1))
>> +#define SCHAR_MIN ((signed char)(-SCHAR_MAX - 1))
>> #define USHRT_MAX ((unsigned short)~0U)
>> #define SHRT_MAX ((short)(USHRT_MAX >> 1))
>> #define SHRT_MIN ((short)(-SHRT_MAX - 1))
>> diff --git a/lib/vsprintf.c b/lib/vsprintf.c
>> index
>> a60d348efb276d66ca07fe464883408df7fdab97..9846d2385f5b9e8f3945a5664d81047e97cf10d5
>> 100644
>> --- a/lib/vsprintf.c
>> +++ b/lib/vsprintf.c
>> @@ -59,7 +59,7 @@
>> bool no_hash_pointers __ro_after_init;
>> EXPORT_SYMBOL_GPL(no_hash_pointers);
>>
>> -static noinline unsigned long long simple_strntoull(const char *startp, size_t
>> max_chars, char **endp, unsigned int base)
>> +static noinline unsigned long long simple_strntoull(const char *startp, size_t
>> max_chars, char **endp, unsigned int base, bool *overflow)
>> {
>> const char *cp;
>> unsigned long long result = 0ULL;
>> @@ -71,6 +71,8 @@ static noinline unsigned long long simple_strntoull(const char
>> *startp, size_t m
>> if (prefix_chars < max_chars) {
>> rv = _parse_integer_limit(cp, base, &result, max_chars - prefix_chars);
>> /* FIXME */
>> + if (overflow)
>> + *overflow = !!(rv & KSTRTOX_OVERFLOW);
>> cp += (rv & ~KSTRTOX_OVERFLOW);
>> } else {
>> /* Field too short for prefix + digit, skip over without converting */
>> @@ -94,7 +96,7 @@ static noinline unsigned long long simple_strntoull(const char
>> *startp, size_t m
>> noinline
>> unsigned long long simple_strtoull(const char *cp, char **endp, unsigned int
>> base)
>> {
>> - return simple_strntoull(cp, INT_MAX, endp, base);
>> + return simple_strntoull(cp, INT_MAX, endp, base, NULL);
>> }
>> EXPORT_SYMBOL(simple_strtoull);
>>
>> @@ -130,18 +132,22 @@ long simple_strtol(const char *cp, char **endp, unsigned
>> int base)
>> EXPORT_SYMBOL(simple_strtol);
>>
>> static long long simple_strntoll(const char *cp, size_t max_chars, char **endp,
>> - unsigned int base)
>> + unsigned int base, bool *overflow)
>> {
>> + unsigned long long minand;
>> + bool negate;
>> +
>> /*
>> * simple_strntoull() safely handles receiving max_chars==0 in the
>> * case cp[0] == '-' && max_chars == 1.
>> * If max_chars == 0 we can drop through and pass it to simple_strntoull()
>> * and the content of *cp is irrelevant.
>> */
>> - if (*cp == '-' && max_chars > 0)
>> - return -simple_strntoull(cp + 1, max_chars - 1, endp, base);
>> -
>> - return simple_strntoull(cp, max_chars, endp, base);
>> + negate = *cp == '-' && max_chars > 0;
>> + minand = simple_strntoull(cp + negate, max_chars - negate, endp, base,
>> overflow);
>> + if (minand > (unsigned long long)LONG_MAX + negate)
>> + *overflow = true;
>> + return negate ? -minand : minand;
>> }
>>
>> static noinline_for_stack
>> @@ -3427,7 +3433,7 @@ int vsscanf(const char *buf, const char *fmt, va_list
>> args)
>> unsigned long long u;
>> } val;
>> s16 field_width;
>> - bool is_sign;
>> + bool is_sign, overflow;
>>
>> while (*fmt) {
>> /* skip any white space in format */
>> @@ -3635,45 +3641,77 @@ int vsscanf(const char *buf, const char *fmt, va_list
>> args)
>> if (is_sign)
>> val.s = simple_strntoll(str,
>> field_width >= 0 ? field_width : INT_MAX,
>> - &next, base);
>> + &next, base, &overflow);
>> else
>> val.u = simple_strntoull(str,
>> field_width >= 0 ? field_width : INT_MAX,
>> - &next, base);
>> + &next, base, &overflow);
>> + if (unlikely(overflow))
>> + return -ERANGE;
>>
>> switch (qualifier) {
>> case 'H': /* that's 'hh' in format */
>> - if (is_sign)
>> + if (is_sign) {
>> + if (unlikely(val.s < SCHAR_MIN || val.s > SCHAR_MAX))
>> + return -ERANGE;
>> *va_arg(args, signed char *) = val.s;
>> - else
>> + } else {
>> + if (unlikely(val.u > UCHAR_MAX))
>> + return -ERANGE;
>> *va_arg(args, unsigned char *) = val.u;
>> + }
>> break;
>> case 'h':
>> - if (is_sign)
>> + if (is_sign) {
>> + if (unlikely(val.s < SHRT_MIN || val.s > SHRT_MAX))
>> + return -ERANGE;
Returning a negative value here will break many existing in-kernel users.
Most users just check for the number of matched elements.
Linus' idea was returning 0 upon overflow (nothing matched) and allowing
overflows (if really needed) by adding a new format string qualifier "!".
e.g. "%!d".
Thanks,
//richard
next prev parent reply other threads:[~2023-06-10 8:10 UTC|newest]
Thread overview: 13+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-06-10 2:57 [PATCH 1/4] Rip out simple_strtoll() Demi Marie Obenour
2023-06-10 2:57 ` [PATCH 2/4] vsscanf(): Return -ERANGE on integer overflow Demi Marie Obenour
2023-06-10 7:51 ` Christoph Hellwig
2023-06-10 8:10 ` Richard Weinberger [this message]
2023-06-10 12:59 ` kernel test robot
2023-06-10 2:57 ` [PATCH 3/4] Add strict version of vsscanf() Demi Marie Obenour
2023-06-10 7:52 ` Christoph Hellwig
2023-06-10 2:57 ` [PATCH 4/4] Strict XenStore entry parsing Demi Marie Obenour
2023-06-10 3:26 ` Matthew Wilcox
2023-06-10 5:42 ` [PATCH 1/4] Rip out simple_strtoll() kernel test robot
2023-06-10 5:42 ` kernel test robot
2023-06-10 7:49 ` Christoph Hellwig
2023-06-13 10:14 ` Federico Vaga
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=880576435.3707190.1686384626249.JavaMail.zimbra@nod.at \
--to=richard@nod.at \
--cc=andriy.shevchenko@linux.intel.com \
--cc=corbet@lwn.net \
--cc=demi@invisiblethingslab.com \
--cc=dwaipayanray1@gmail.com \
--cc=federico.vaga@vaga.pv.it \
--cc=hch@infradead.org \
--cc=jgross@suse.com \
--cc=joe@perches.com \
--cc=lee@kernel.org \
--cc=linux-doc@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux@rasmusvillemoes.dk \
--cc=lukas.bulwahn@gmail.com \
--cc=luto@kernel.org \
--cc=oleksandr_tyshchenko@epam.com \
--cc=pmladek@suse.com \
--cc=rostedt@goodmis.org \
--cc=senozhatsky@chromium.org \
--cc=sstabellini@kernel.org \
--cc=tglx@linutronix.de \
--cc=torvalds@linux-foundation.org \
--cc=vincenzo.frascino@arm.com \
--cc=xen-devel@lists.xenproject.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.