From: Steven Rostedt <rostedt@goodmis.org>
To: Petr Mladek <pmladek@suse.com>
Cc: Sergey Shtylyov <s.shtylyov@omp.ru>,
Sergey Senozhatsky <senozhatsky@chromium.org>,
Andy Shevchenko <andriy.shevchenko@linux.intel.com>,
Rasmus Villemoes <linux@rasmusvillemoes.dk>,
Kees Cook <keescook@chromium.org>,
Linus Torvalds <torvalds@linux-foundation.org>,
linux-hardening@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH] vsprintf: fix possible NULL pointer deref in vsnprintf()
Date: Fri, 6 Jan 2023 12:14:57 -0500 [thread overview]
Message-ID: <20230106121457.05edbbdf@gandalf.local.home> (raw)
In-Reply-To: <Y7hDGoCbWG2ZYdlV@alley>
On Fri, 6 Jan 2023 16:49:46 +0100
Petr Mladek <pmladek@suse.com> wrote:
> > Index: linux/lib/vsprintf.c
> > ===================================================================
> > --- linux.orig/lib/vsprintf.c
> > +++ linux/lib/vsprintf.c
> > @@ -2738,6 +2738,15 @@ int vsnprintf(char *buf, size_t size, co
> > if (WARN_ON_ONCE(size > INT_MAX))
> > return 0;
> >
> > + /*
> > + * C99 allows @buf to be NULL when @size is 0. We treat such NULL as if
> > + * @buf pointed to 0-sized buffer, so we can both avoid a NULL pointer
> > + * dereference and still return # of characters that would be written
> > + * if @buf pointed to a valid buffer...
> > + */
> > + if (!buf)
> > + size = 0;
>
> It makes sense except that it would hide bugs. It should print a
> warning, for example:
I agree. This is a bug, and should not be quietly ignored.
>
> char *err_msg;
>
> err_msg = check_pointer_msg(buf);
> if (err_msg) {
> WARN_ONCE(1, "Invalid buffer passed to vsnprintf(). Trying to continue with 0 length limit\n");
> size = 0;
> }
if (WARN_ONCE(err_msg, "Invalid buffer passed to vsnprintf(). Trying to continue with 0 length limit\n"))
size = 0;
;-)
-- Steve
>
> check_pointer_msg() allows to catch even more buggy pointers. WARN()
> helps to locate the caller. WARN_ONCE() variant is used to prevent
> a potential infinite loop.
>
> > +
> > str = buf;
> > end = buf + size;
> >
next prev parent reply other threads:[~2023-01-06 17:15 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-01-05 21:16 [PATCH] vsprintf: fix possible NULL pointer deref in vsnprintf() Sergey Shtylyov
2023-01-06 15:49 ` Petr Mladek
2023-01-06 17:14 ` Steven Rostedt [this message]
2023-01-06 19:11 ` Kees Cook
2023-01-06 19:07 ` Linus Torvalds
2023-01-09 11:23 ` Andy Shevchenko
2023-01-09 11:26 ` Andy Shevchenko
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20230106121457.05edbbdf@gandalf.local.home \
--to=rostedt@goodmis.org \
--cc=andriy.shevchenko@linux.intel.com \
--cc=keescook@chromium.org \
--cc=linux-hardening@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux@rasmusvillemoes.dk \
--cc=pmladek@suse.com \
--cc=s.shtylyov@omp.ru \
--cc=senozhatsky@chromium.org \
--cc=torvalds@linux-foundation.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).