On Tue, Jan 15, 2019 at 02:41:17PM -0800, James Smart wrote: > > On 1/14/2019 5:15 PM, Kees Cook wrote: > > On Sat, Jan 12, 2019 at 7:29 AM Willy Tarreau<w...@1wt.eu> wrote: > > > From: Silvio Cesare<silvio.ces...@gmail.com> > > > > > > Change snprintf to scnprintf. There are generally two cases where using > > > snprintf causes problems. > > > > > > 1) Uses of size += snprintf(buf, SIZE - size, fmt, ...) > > > In this case, if snprintf would have written more characters than what the > > > buffer size (SIZE) is, then size will end up larger than SIZE. In later > > > uses of snprintf, SIZE - size will result in a negative number, leading > > > to problems. Note that size might already be too large by using > > > size = snprintf before the code reaches a case of size += snprintf. > > > > > > 2) If size is ultimately used as a length parameter for a copy back to > > > user > > > space, then it will potentially allow for a buffer overflow and > > > information > > > disclosure when size is greater than SIZE. When the size is used to index > > > the buffer directly, we can have memory corruption. This also means when > > > size = snprintf... is used, it may also cause problems since size may > > > become > > > large. Copying to userspace is mitigated by the HARDENED_USERCOPY kernel > > > configuration. > > > > > > The solution to these issues is to use scnprintf which returns the number > > > of > > > characters actually written to the buffer, so the size variable will never > > > exceed SIZE. > > > > > > Signed-off-by: Silvio Cesare<silvio.ces...@gmail.com> > > > Cc: James Smart<james.sm...@broadcom.com> > > > Cc: Dick Kennedy<dick.kenn...@broadcom.com> > > > Cc: Dan Carpenter<dan.carpen...@oracle.com> > > > Cc: Kees Cook<keesc...@chromium.org> > > > Cc: Will Deacon<will.dea...@arm.com> > > > Cc: Greg KH<g...@kroah.com> > > > Signed-off-by: Willy Tarreau<w...@1wt.eu> > > I think this needs Cc: stable. > > > > Reviewed-by: Kees Cook<keesc...@chromium.org> > > > > -Kees > > > > > Reviewed-by: James Smart <james.sm...@broadcom.com>
What ever happened to this patch? Did it get dropped somehow? thanks, greg k-h
