Linux-man Archive on lore.kernel.org
 help / color / Atom feed
* [patch] printf.3: Prevent signed integer overflow in example
@ 2020-05-21 12:15 Tobias Stoeckmann
  2020-05-25 14:00 ` Michael Kerrisk (man-pages)
  0 siblings, 1 reply; 2+ messages in thread
From: Tobias Stoeckmann @ 2020-05-21 12:15 UTC (permalink / raw)
  To: mtk.manpages; +Cc: linux-man

The function make_message illustrates how to use vsnprintf to determine
the required amount of memory for a specific format and its arguments.

If make_message is called with a format which will use exactly INT_MAX
characters (excluding '\0'), then the size++ calculation will overflow
the signed integer "size", which is an undefined behaviour in C.

Since malloc and vsnprintf rightfully take a size_t argument, I decided
to use a size_t variable for size calculation. Therefore, this patched
code uses variables of the same data types as expected by function
arguments.

Proof of concept (tested on Linux/glibc amd64):

int main() { make_message("%647s%2147483000s", "", ""); }

If the code is compiled with address sanitizer (gcc -fsanitize=address)
you can see the following line, assuming that a signed integer overflow
simply leads to INT_MIN:

==3094==WARNING: AddressSanitizer failed to allocate 0xffffffff80000000 bytes
---
 man3/printf.3 | 15 +++++++++------
 1 file changed, 9 insertions(+), 6 deletions(-)

diff --git a/man3/printf.3 b/man3/printf.3
index 50e136ba6..827d9cbae 100644
--- a/man3/printf.3
+++ b/man3/printf.3
@@ -1132,29 +1132,32 @@ To allocate a sufficiently large string and print into it
 char *
 make_message(const char *fmt, ...)
 {
-    int size = 0;
+    int n = 0;
+    size_t size = 0;
     char *p = NULL;
     va_list ap;
 
     /* Determine required size */
 
     va_start(ap, fmt);
-    size = vsnprintf(p, size, fmt, ap);
+    n = vsnprintf(p, size, fmt, ap);
     va_end(ap);
 
-    if (size < 0)
+    if (n < 0)
         return NULL;
 
-    size++;             /* For '\e0' */
+    /* One extra byte for '\e0' */
+
+    size = (size_t) n + 1;
     p = malloc(size);
     if (p == NULL)
         return NULL;
 
     va_start(ap, fmt);
-    size = vsnprintf(p, size, fmt, ap);
+    n = vsnprintf(p, size, fmt, ap);
     va_end(ap);
 
-    if (size < 0) {
+    if (n < 0) {
         free(p);
         return NULL;
     }
-- 
2.26.2


^ permalink raw reply	[flat|nested] 2+ messages in thread

* Re: [patch] printf.3: Prevent signed integer overflow in example
  2020-05-21 12:15 [patch] printf.3: Prevent signed integer overflow in example Tobias Stoeckmann
@ 2020-05-25 14:00 ` Michael Kerrisk (man-pages)
  0 siblings, 0 replies; 2+ messages in thread
From: Michael Kerrisk (man-pages) @ 2020-05-25 14:00 UTC (permalink / raw)
  To: Tobias Stoeckmann; +Cc: mtk.manpages, linux-man

Tobias,

On 5/21/20 2:15 PM, Tobias Stoeckmann wrote:
> The function make_message illustrates how to use vsnprintf to determine
> the required amount of memory for a specific format and its arguments.
> 
> If make_message is called with a format which will use exactly INT_MAX
> characters (excluding '\0'), then the size++ calculation will overflow
> the signed integer "size", which is an undefined behaviour in C.
> 
> Since malloc and vsnprintf rightfully take a size_t argument, I decided
> to use a size_t variable for size calculation. Therefore, this patched
> code uses variables of the same data types as expected by function
> arguments.
> 
> Proof of concept (tested on Linux/glibc amd64):
> 
> int main() { make_message("%647s%2147483000s", "", ""); }
> 
> If the code is compiled with address sanitizer (gcc -fsanitize=address)
> you can see the following line, assuming that a signed integer overflow
> simply leads to INT_MIN:
> 
> ==3094==WARNING: AddressSanitizer failed to allocate 0xffffffff80000000 bytes

Thanks for the nicely documented patch. Applied.

Cheers,

Michael

> ---
>  man3/printf.3 | 15 +++++++++------
>  1 file changed, 9 insertions(+), 6 deletions(-)
> 
> diff --git a/man3/printf.3 b/man3/printf.3
> index 50e136ba6..827d9cbae 100644
> --- a/man3/printf.3
> +++ b/man3/printf.3
> @@ -1132,29 +1132,32 @@ To allocate a sufficiently large string and print into it
>  char *
>  make_message(const char *fmt, ...)
>  {
> -    int size = 0;
> +    int n = 0;
> +    size_t size = 0;
>      char *p = NULL;
>      va_list ap;
>  
>      /* Determine required size */
>  
>      va_start(ap, fmt);
> -    size = vsnprintf(p, size, fmt, ap);
> +    n = vsnprintf(p, size, fmt, ap);
>      va_end(ap);
>  
> -    if (size < 0)
> +    if (n < 0)
>          return NULL;
>  
> -    size++;             /* For '\e0' */
> +    /* One extra byte for '\e0' */
> +
> +    size = (size_t) n + 1;
>      p = malloc(size);
>      if (p == NULL)
>          return NULL;
>  
>      va_start(ap, fmt);
> -    size = vsnprintf(p, size, fmt, ap);
> +    n = vsnprintf(p, size, fmt, ap);
>      va_end(ap);
>  
> -    if (size < 0) {
> +    if (n < 0) {
>          free(p);
>          return NULL;
>      }
> 


-- 
Michael Kerrisk
Linux man-pages maintainer; http://www.kernel.org/doc/man-pages/
Linux/UNIX System Programming Training: http://man7.org/training/

^ permalink raw reply	[flat|nested] 2+ messages in thread

end of thread, back to index

Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2020-05-21 12:15 [patch] printf.3: Prevent signed integer overflow in example Tobias Stoeckmann
2020-05-25 14:00 ` Michael Kerrisk (man-pages)

Linux-man Archive on lore.kernel.org

Archives are clonable:
	git clone --mirror https://lore.kernel.org/linux-man/0 linux-man/git/0.git

	# If you have public-inbox 1.1+ installed, you may
	# initialize and index your mirror using the following commands:
	public-inbox-init -V2 linux-man linux-man/ https://lore.kernel.org/linux-man \
		linux-man@vger.kernel.org
	public-inbox-index linux-man

Example config snippet for mirrors

Newsgroup available over NNTP:
	nntp://nntp.lore.kernel.org/org.kernel.vger.linux-man


AGPL code for this site: git clone https://public-inbox.org/public-inbox.git