Re: [PATCH v6 2/4] lib: vsprintf: Fix handling of number field widths in vsscanf

2021-02-11 Thread Petr Mladek 
On Tue 2021-02-09 15:56:02, Richard Fitzgerald wrote:
> The existing code attempted to handle numbers by doing a strto[u]l(),
> ignoring the field width, and then repeatedly dividing to extract the
> field out of the full converted value. If the string contains a run of
> valid digits longer than will fit in a long or long long, this would
> overflow and no amount of dividing can recover the correct value.
> 
> This patch fixes vsscanf() to obey number field widths when parsing
> the number.
> 
> A new _parse_integer_limit() is added that takes a limit for the number
> of characters to parse. The number field conversion in vsscanf is changed
> to use this new function.
> 
> If a number starts with a radix prefix, the field width  must be long
> enough for at last one digit after the prefix. If not, it will be handled
> like this:
> 
>  sscanf("0x4", "%1i", ): i=0, scanning continues with the 'x'
>  sscanf("0x4", "%2i", ): i=0, scanning continues with the '4'
> 
> This is consistent with the observed behaviour of userland sscanf.
> 
> Note that this patch does NOT fix the problem of a single field value
> overflowing the target type. So for example:
> 
>   sscanf("123456789abcdef", "%x", );
> 
> Will not produce the correct result because the value obviously overflows
> INT_MAX. But sscanf will report a successful conversion.
> 
> Note that where a very large number is used to mean "unlimited", the value
> INT_MAX is used for consistency with the behaviour of vsnprintf().
> 
> Signed-off-by: Richard Fitzgerald 

Reviewed-by: Petr Mladek 

The patchset looks ready for upstream from my POV.

Best Regards,
Petr

[PATCH v6 2/4] lib: vsprintf: Fix handling of number field widths in vsscanf

2021-02-09 Thread Richard Fitzgerald 
The existing code attempted to handle numbers by doing a strto[u]l(),
ignoring the field width, and then repeatedly dividing to extract the
field out of the full converted value. If the string contains a run of
valid digits longer than will fit in a long or long long, this would
overflow and no amount of dividing can recover the correct value.

This patch fixes vsscanf() to obey number field widths when parsing
the number.

A new _parse_integer_limit() is added that takes a limit for the number
of characters to parse. The number field conversion in vsscanf is changed
to use this new function.

If a number starts with a radix prefix, the field width  must be long
enough for at last one digit after the prefix. If not, it will be handled
like this:

 sscanf("0x4", "%1i", ): i=0, scanning continues with the 'x'
 sscanf("0x4", "%2i", ): i=0, scanning continues with the '4'

This is consistent with the observed behaviour of userland sscanf.

Note that this patch does NOT fix the problem of a single field value
overflowing the target type. So for example:

  sscanf("123456789abcdef", "%x", );

Will not produce the correct result because the value obviously overflows
INT_MAX. But sscanf will report a successful conversion.

Note that where a very large number is used to mean "unlimited", the value
INT_MAX is used for consistency with the behaviour of vsnprintf().

Signed-off-by: Richard Fitzgerald 
---
Changed since v5:
- Use INT_MAX to mean "unlimited length".
- Rework simple_strntoull() to avoid the goto
- Rewrite the comment in simple_strntoll()
- In vsscanf() change the calls to simple_strnto[u]ll() so that a field_width
  of 0 is not treated as unlimited.

Changed since v3:
- Use INT_MAX to mean "unlimited length".
- Use while-loop instead of for-loop in _parse_integer_limit().
- Keep the existing arguments for _parse_integer() on their original line.
  And the corresponding arguments to _parse_integer_limit() formatted/wrapped
  the same way as _parse_integer().
- Remove redundant check for (max_chars == 0) in simple_strntoull().
- Fixed "vsscanf" -> "vsscanf()" in commit message.
---
 lib/kstrtox.c  | 13 ++--
 lib/kstrtox.h  |  2 ++
 lib/vsprintf.c | 88 +-
 3 files changed, 63 insertions(+), 40 deletions(-)

diff --git a/lib/kstrtox.c b/lib/kstrtox.c
index a118b0b1e9b2..0b5fe8b41173 100644
--- a/lib/kstrtox.c
+++ b/lib/kstrtox.c
@@ -39,20 +39,22 @@ const char *_parse_integer_fixup_radix(const char *s, 
unsigned int *base)
 
 /*
  * Convert non-negative integer string representation in explicitly given radix
- * to an integer.
+ * to an integer. A maximum of max_chars characters will be converted.
+ *
  * Return number of characters consumed maybe or-ed with overflow bit.
  * If overflow occurs, result integer (incorrect) is still returned.
  *
  * Don't you dare use this function.
  */
-unsigned int _parse_integer(const char *s, unsigned int base, unsigned long 
long *p)
+unsigned int _parse_integer_limit(const char *s, unsigned int base, unsigned 
long long *p,
+ size_t max_chars)
 {
unsigned long long res;
unsigned int rv;
 
res = 0;
rv = 0;
-   while (1) {
+   while (max_chars--) {
unsigned int c = *s;
unsigned int lc = c | 0x20; /* don't tolower() this line */
unsigned int val;
@@ -82,6 +84,11 @@ unsigned int _parse_integer(const char *s, unsigned int 
base, unsigned long long
return rv;
 }
 
+unsigned int _parse_integer(const char *s, unsigned int base, unsigned long 
long *p)
+{
+   return _parse_integer_limit(s, base, p, INT_MAX);
+}
+
 static int _kstrtoull(const char *s, unsigned int base, unsigned long long 
*res)
 {
unsigned long long _res;
diff --git a/lib/kstrtox.h b/lib/kstrtox.h
index 3b4637bcd254..158c400ca865 100644
--- a/lib/kstrtox.h
+++ b/lib/kstrtox.h
@@ -4,6 +4,8 @@
 
 #define KSTRTOX_OVERFLOW   (1U << 31)
 const char *_parse_integer_fixup_radix(const char *s, unsigned int *base);
+unsigned int _parse_integer_limit(const char *s, unsigned int base, unsigned 
long long *res,
+ size_t max_chars);
 unsigned int _parse_integer(const char *s, unsigned int base, unsigned long 
long *res);
 
 #endif
diff --git a/lib/vsprintf.c b/lib/vsprintf.c
index 28bb26cd1f67..794ecc373bf9 100644
--- a/lib/vsprintf.c
+++ b/lib/vsprintf.c
@@ -53,29 +53,43 @@
 #include 
 #include "kstrtox.h"
 
-/**
- * simple_strtoull - convert a string to an unsigned long long
- * @cp: The start of the string
- * @endp: A pointer to the end of the parsed string will be placed here
- * @base: The number base to use
- *
- * This function has caveats. Please use kstrtoull instead.
- */
-unsigned long long simple_strtoull(const char *cp, char **endp, unsigned int 
base)
+static unsigned long long simple_strntoull(const char *startp, size_t 
max_chars,
+  char