Linux-kselftest Archive on lore.kernel.org
 help / color / Atom feed
WARNING: multiple messages have this Message-ID
From: linux at dominikbrodowski.net (Dominik Brodowski)
Subject: [Linux-kselftest-mirror] [PATCH] selftests/x86: clarify that there is no buffer overflow on sscanf usage
Date: Sun, 11 Feb 2018 21:59:24 +0100
Message-ID: <20180211205924.GA23210@light.dominikbrodowski.net> (raw)
In-Reply-To: <20180211182428.e7isprkt6hbuq3dk@gmail.com>


Suggested-by: Ingo Molnar <mingo at kernel.org>
CC: Andy Lutomirski <luto at kernel.org>
Signed-off-by: Dominik Brodowski <linux at dominikbrodowski.net>

---

> Yeah, probably - but still, this connection and the sscanf() guarantee is not 
> obvious at first sight, so please improve this to derive from the same value 
> (define a LINE_MAX size or such), plus maybe add a comment to the sscanf() line 
> that this is safe because strlen(name) >= strlen(line).

Sounds reasonable. Patch (which applies on top of the five patches for
selftests/x86 I sent out earlier today) is attached.

Thanks,
	Dominik

diff --git a/tools/testing/selftests/x86/test_vdso.c b/tools/testing/selftests/x86/test_vdso.c
index 558c8207e7b9..7ade625f10ed 100644
--- a/tools/testing/selftests/x86/test_vdso.c
+++ b/tools/testing/selftests/x86/test_vdso.c
@@ -26,6 +26,9 @@
 # endif
 #endif
 
+/* max length of lines in /proc/self/maps - anything longer is skipped here */
+#define MAPS_LINE_LEN 128
+
 int nerrs = 0;
 
 typedef long (*getcpu_t)(unsigned *, unsigned *, void *);
@@ -37,17 +40,19 @@ static void *vsyscall_getcpu(void)
 {
 #ifdef __x86_64__
 	FILE *maps;
-	char line[128];
+	char line[MAPS_LINE_LEN];
 	bool found = false;
 
 	maps = fopen("/proc/self/maps", "r");
 	if (!maps) /* might still be present, but ignore it here, as we test vDSO not vsyscall */
 		return NULL;
 
-	while (fgets(line, sizeof(line), maps)) {
+	while (fgets(line, MAPS_LINE_LEN, maps)) {
 		char r, x;
 		void *start, *end;
-		char name[128];
+		char name[MAPS_LINE_LEN];
+
+		/* sscanf is safe here as strlen(name) >= strlen(line) */
 		if (sscanf(line, "%p-%p %c-%cp %*x %*x:%*x %*u %s",
 			   &start, &end, &r, &x, name) != 5)
 			continue;
diff --git a/tools/testing/selftests/x86/test_vsyscall.c b/tools/testing/selftests/x86/test_vsyscall.c
index 7a744fa7b786..ee92e4727f18 100644
--- a/tools/testing/selftests/x86/test_vsyscall.c
+++ b/tools/testing/selftests/x86/test_vsyscall.c
@@ -33,6 +33,9 @@
 # endif
 #endif
 
+/* max length of lines in /proc/self/maps - anything longer is skipped here */
+#define MAPS_LINE_LEN 128
+
 static void sethandler(int sig, void (*handler)(int, siginfo_t *, void *),
 		       int flags)
 {
@@ -98,7 +101,7 @@ static int init_vsys(void)
 #ifdef __x86_64__
 	int nerrs = 0;
 	FILE *maps;
-	char line[128];
+	char line[MAPS_LINE_LEN];
 	bool found = false;
 
 	maps = fopen("/proc/self/maps", "r");
@@ -108,10 +111,12 @@ static int init_vsys(void)
 		return 0;
 	}
 
-	while (fgets(line, sizeof(line), maps)) {
+	while (fgets(line, MAPS_LINE_LEN, maps)) {
 		char r, x;
 		void *start, *end;
-		char name[128];
+		char name[MAPS_LINE_LEN];
+
+		/* sscanf is safe here as strlen(name) >= strlen(line) */
 		if (sscanf(line, "%p-%p %c-%cp %*x %*x:%*x %*u %s",
 			   &start, &end, &r, &x, name) != 5)
 			continue;
--
To unsubscribe from this list: send the line "unsubscribe linux-kselftest" in
the body of a message to majordomo at vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

From: linux@dominikbrodowski.net (Dominik Brodowski)
Subject: [Linux-kselftest-mirror] [PATCH] selftests/x86: clarify that there is no buffer overflow on sscanf usage
Date: Sun, 11 Feb 2018 21:59:24 +0100
Message-ID: <20180211205924.GA23210@light.dominikbrodowski.net> (raw)
Message-ID: <20180211205924._GWkVLtMs5VzuiOKEjnEvKdm-qIbzhpvdcJD6LQgvHw@z> (raw)
In-Reply-To: <20180211182428.e7isprkt6hbuq3dk@gmail.com>


Suggested-by: Ingo Molnar <mingo at kernel.org>
CC: Andy Lutomirski <luto at kernel.org>
Signed-off-by: Dominik Brodowski <linux at dominikbrodowski.net>

---

> Yeah, probably - but still, this connection and the sscanf() guarantee is not 
> obvious at first sight, so please improve this to derive from the same value 
> (define a LINE_MAX size or such), plus maybe add a comment to the sscanf() line 
> that this is safe because strlen(name) >= strlen(line).

Sounds reasonable. Patch (which applies on top of the five patches for
selftests/x86 I sent out earlier today) is attached.

Thanks,
	Dominik

diff --git a/tools/testing/selftests/x86/test_vdso.c b/tools/testing/selftests/x86/test_vdso.c
index 558c8207e7b9..7ade625f10ed 100644
--- a/tools/testing/selftests/x86/test_vdso.c
+++ b/tools/testing/selftests/x86/test_vdso.c
@@ -26,6 +26,9 @@
 # endif
 #endif
 
+/* max length of lines in /proc/self/maps - anything longer is skipped here */
+#define MAPS_LINE_LEN 128
+
 int nerrs = 0;
 
 typedef long (*getcpu_t)(unsigned *, unsigned *, void *);
@@ -37,17 +40,19 @@ static void *vsyscall_getcpu(void)
 {
 #ifdef __x86_64__
 	FILE *maps;
-	char line[128];
+	char line[MAPS_LINE_LEN];
 	bool found = false;
 
 	maps = fopen("/proc/self/maps", "r");
 	if (!maps) /* might still be present, but ignore it here, as we test vDSO not vsyscall */
 		return NULL;
 
-	while (fgets(line, sizeof(line), maps)) {
+	while (fgets(line, MAPS_LINE_LEN, maps)) {
 		char r, x;
 		void *start, *end;
-		char name[128];
+		char name[MAPS_LINE_LEN];
+
+		/* sscanf is safe here as strlen(name) >= strlen(line) */
 		if (sscanf(line, "%p-%p %c-%cp %*x %*x:%*x %*u %s",
 			   &start, &end, &r, &x, name) != 5)
 			continue;
diff --git a/tools/testing/selftests/x86/test_vsyscall.c b/tools/testing/selftests/x86/test_vsyscall.c
index 7a744fa7b786..ee92e4727f18 100644
--- a/tools/testing/selftests/x86/test_vsyscall.c
+++ b/tools/testing/selftests/x86/test_vsyscall.c
@@ -33,6 +33,9 @@
 # endif
 #endif
 
+/* max length of lines in /proc/self/maps - anything longer is skipped here */
+#define MAPS_LINE_LEN 128
+
 static void sethandler(int sig, void (*handler)(int, siginfo_t *, void *),
 		       int flags)
 {
@@ -98,7 +101,7 @@ static int init_vsys(void)
 #ifdef __x86_64__
 	int nerrs = 0;
 	FILE *maps;
-	char line[128];
+	char line[MAPS_LINE_LEN];
 	bool found = false;
 
 	maps = fopen("/proc/self/maps", "r");
@@ -108,10 +111,12 @@ static int init_vsys(void)
 		return 0;
 	}
 
-	while (fgets(line, sizeof(line), maps)) {
+	while (fgets(line, MAPS_LINE_LEN, maps)) {
 		char r, x;
 		void *start, *end;
-		char name[128];
+		char name[MAPS_LINE_LEN];
+
+		/* sscanf is safe here as strlen(name) >= strlen(line) */
 		if (sscanf(line, "%p-%p %c-%cp %*x %*x:%*x %*u %s",
 			   &start, &end, &r, &x, name) != 5)
 			continue;
--
To unsubscribe from this list: send the line "unsubscribe linux-kselftest" in
the body of a message to majordomo at vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

  parent reply index

Thread overview: 24+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2018-02-11 11:10 [Linux-kselftest-mirror] [PATCH 0/5] selftests/x86: fixes for !CONFIG_IA32_EMULATION and vsyscall=none linux
2018-02-11 11:10 ` Dominik Brodowski
2018-02-11 11:10 ` [Linux-kselftest-mirror] [PATCH 1/5] selftests/x86: 5lvl test has been moved linux
2018-02-11 11:10   ` Dominik Brodowski
2018-02-11 11:10 ` [Linux-kselftest-mirror] [PATCH 2/5] selftests/x86: fix vDSO selftest segfault for vsyscall=none linux
2018-02-11 11:10   ` Dominik Brodowski
2018-02-11 11:21   ` mingo
2018-02-11 11:21     ` Ingo Molnar
2018-02-11 12:17     ` linux
2018-02-11 12:17       ` Dominik Brodowski
2018-02-11 13:00       ` linux
2018-02-11 13:00         ` Dominik Brodowski
2018-02-11 18:24         ` mingo
2018-02-11 18:24           ` Ingo Molnar
2018-02-11 20:59           ` linux [this message]
2018-02-11 20:59             ` [Linux-kselftest-mirror] [PATCH] selftests/x86: clarify that there is no buffer overflow on sscanf usage Dominik Brodowski
2018-02-12 17:58             ` shuah
2018-02-12 17:58               ` Shuah Khan
2018-02-11 11:10 ` [Linux-kselftest-mirror] [PATCH 3/5] selftests/x86: do not rely on int $0x80 in test_mremap_vdso.c linux
2018-02-11 11:10   ` Dominik Brodowski
2018-02-11 11:10 ` [Linux-kselftest-mirror] [PATCH 4/5] selftests/x86: do not rely on int $0x80 in single_step_syscall.c linux
2018-02-11 11:10   ` Dominik Brodowski
2018-02-11 11:10 ` [Linux-kselftest-mirror] [PATCH 5/5] selftests/x86: disable tests requiring 32bit support on pure 64bit systems linux
2018-02-11 11:10   ` Dominik Brodowski

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20180211205924.GA23210@light.dominikbrodowski.net \
    --to= \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Linux-kselftest Archive on lore.kernel.org

Archives are clonable:
	git clone --mirror https://lore.kernel.org/linux-kselftest/0 linux-kselftest/git/0.git

	# If you have public-inbox 1.1+ installed, you may
	# initialize and index your mirror using the following commands:
	public-inbox-init -V2 linux-kselftest linux-kselftest/ https://lore.kernel.org/linux-kselftest \
		linux-kselftest@vger.kernel.org
	public-inbox-index linux-kselftest

Example config snippet for mirrors

Newsgroup available over NNTP:
	nntp://nntp.lore.kernel.org/org.kernel.vger.linux-kselftest


AGPL code for this site: git clone https://public-inbox.org/public-inbox.git