Re: [PATCH 4.4 03/26] lib/cmdline.c: fix get_options() overflow while parsing ranges
> On Jun 29, 2017, at 7:24 PM, Ben Hutchings> wrote: > > On Tue, 2017-06-27 at 14:49 +0200, Greg Kroah-Hartman wrote: >> 4.4-stable review patch. If anyone has any objections, please let me know. >> >> -- >> >> From: Ilya Matveychikov >> >> commit a91e0f680bcd9e10c253ae8b62462a38bd48f09f upstream. >> >> When using get_options() it's possible to specify a range of numbers, >> like 1-100500. The problem is that it doesn't track array size while >> calling internally to get_range() which iterates over the range and >> fills the memory with numbers. > [...] >> --- a/lib/cmdline.c >> +++ b/lib/cmdline.c >> @@ -22,14 +22,14 @@ >> * the values[M, M+1, ..., N] into the ints array in get_options. >> */ >> >> -static int get_range(char **str, int *pint) >> +static int get_range(char **str, int *pint, int n) >> { >> int x, inc_counter, upper_range; >> >> (*str)++; >> upper_range = simple_strtol((*str), NULL, 0); >> inc_counter = upper_range - *pint; >> -for (x = *pint; x < upper_range; x++) >> +for (x = *pint; n && x < upper_range; x++, n--) >> *pint++ = x; >> return inc_counter; >> } > > But this still returns the number of integers in the range (minus 1)... > >> @@ -96,7 +96,7 @@ char *get_options(const char *str, int n >> break; >> if (res == 3) { >> int range_nums; >> -range_nums = get_range((char **), ints + i); >> +range_nums = get_range((char **), ints + i, nints - >> i); >> if (range_nums < 0) >> break; >> /* > > ...so that get_options() may set i > nints and ints[0] > nints - 1. > That will presumably result in out-of-bounds reads in callers. > > (This set of functions really deserves to be given a test suite and then > rewritten, because they are a *mess*.) > Please review the approach of fixing that: https://lkml.org/lkml/2017/9/19/105 > Ben. > > -- > Ben Hutchings > Software Developer, Codethink Ltd. > >
Re: [PATCH 4.4 03/26] lib/cmdline.c: fix get_options() overflow while parsing ranges
> On Jun 29, 2017, at 7:24 PM, Ben Hutchings > wrote: > > On Tue, 2017-06-27 at 14:49 +0200, Greg Kroah-Hartman wrote: >> 4.4-stable review patch. If anyone has any objections, please let me know. >> >> -- >> >> From: Ilya Matveychikov >> >> commit a91e0f680bcd9e10c253ae8b62462a38bd48f09f upstream. >> >> When using get_options() it's possible to specify a range of numbers, >> like 1-100500. The problem is that it doesn't track array size while >> calling internally to get_range() which iterates over the range and >> fills the memory with numbers. > [...] >> --- a/lib/cmdline.c >> +++ b/lib/cmdline.c >> @@ -22,14 +22,14 @@ >> * the values[M, M+1, ..., N] into the ints array in get_options. >> */ >> >> -static int get_range(char **str, int *pint) >> +static int get_range(char **str, int *pint, int n) >> { >> int x, inc_counter, upper_range; >> >> (*str)++; >> upper_range = simple_strtol((*str), NULL, 0); >> inc_counter = upper_range - *pint; >> -for (x = *pint; x < upper_range; x++) >> +for (x = *pint; n && x < upper_range; x++, n--) >> *pint++ = x; >> return inc_counter; >> } > > But this still returns the number of integers in the range (minus 1)... > >> @@ -96,7 +96,7 @@ char *get_options(const char *str, int n >> break; >> if (res == 3) { >> int range_nums; >> -range_nums = get_range((char **), ints + i); >> +range_nums = get_range((char **), ints + i, nints - >> i); >> if (range_nums < 0) >> break; >> /* > > ...so that get_options() may set i > nints and ints[0] > nints - 1. > That will presumably result in out-of-bounds reads in callers. > > (This set of functions really deserves to be given a test suite and then > rewritten, because they are a *mess*.) > Please review the approach of fixing that: https://lkml.org/lkml/2017/9/19/105 > Ben. > > -- > Ben Hutchings > Software Developer, Codethink Ltd. > >
Re: [PATCH 4.4 03/26] lib/cmdline.c: fix get_options() overflow while parsing ranges
On Tue, 2017-06-27 at 14:49 +0200, Greg Kroah-Hartman wrote: > 4.4-stable review patch. If anyone has any objections, please let me know. > > -- > > From: Ilya Matveychikov> > commit a91e0f680bcd9e10c253ae8b62462a38bd48f09f upstream. > > When using get_options() it's possible to specify a range of numbers, > like 1-100500. The problem is that it doesn't track array size while > calling internally to get_range() which iterates over the range and > fills the memory with numbers. [...] > --- a/lib/cmdline.c > +++ b/lib/cmdline.c > @@ -22,14 +22,14 @@ > * the values[M, M+1, ..., N] into the ints array in get_options. > */ > > -static int get_range(char **str, int *pint) > +static int get_range(char **str, int *pint, int n) > { > int x, inc_counter, upper_range; > > (*str)++; > upper_range = simple_strtol((*str), NULL, 0); > inc_counter = upper_range - *pint; > - for (x = *pint; x < upper_range; x++) > + for (x = *pint; n && x < upper_range; x++, n--) > *pint++ = x; > return inc_counter; > } But this still returns the number of integers in the range (minus 1)... > @@ -96,7 +96,7 @@ char *get_options(const char *str, int n > break; > if (res == 3) { > int range_nums; > - range_nums = get_range((char **), ints + i); > + range_nums = get_range((char **), ints + i, nints - > i); > if (range_nums < 0) > break; > /* ...so that get_options() may set i > nints and ints[0] > nints - 1. That will presumably result in out-of-bounds reads in callers. (This set of functions really deserves to be given a test suite and then rewritten, because they are a *mess*.) Ben. -- Ben Hutchings Software Developer, Codethink Ltd.
Re: [PATCH 4.4 03/26] lib/cmdline.c: fix get_options() overflow while parsing ranges
On Tue, 2017-06-27 at 14:49 +0200, Greg Kroah-Hartman wrote: > 4.4-stable review patch. If anyone has any objections, please let me know. > > -- > > From: Ilya Matveychikov > > commit a91e0f680bcd9e10c253ae8b62462a38bd48f09f upstream. > > When using get_options() it's possible to specify a range of numbers, > like 1-100500. The problem is that it doesn't track array size while > calling internally to get_range() which iterates over the range and > fills the memory with numbers. [...] > --- a/lib/cmdline.c > +++ b/lib/cmdline.c > @@ -22,14 +22,14 @@ > * the values[M, M+1, ..., N] into the ints array in get_options. > */ > > -static int get_range(char **str, int *pint) > +static int get_range(char **str, int *pint, int n) > { > int x, inc_counter, upper_range; > > (*str)++; > upper_range = simple_strtol((*str), NULL, 0); > inc_counter = upper_range - *pint; > - for (x = *pint; x < upper_range; x++) > + for (x = *pint; n && x < upper_range; x++, n--) > *pint++ = x; > return inc_counter; > } But this still returns the number of integers in the range (minus 1)... > @@ -96,7 +96,7 @@ char *get_options(const char *str, int n > break; > if (res == 3) { > int range_nums; > - range_nums = get_range((char **), ints + i); > + range_nums = get_range((char **), ints + i, nints - > i); > if (range_nums < 0) > break; > /* ...so that get_options() may set i > nints and ints[0] > nints - 1. That will presumably result in out-of-bounds reads in callers. (This set of functions really deserves to be given a test suite and then rewritten, because they are a *mess*.) Ben. -- Ben Hutchings Software Developer, Codethink Ltd.
[PATCH 4.4 03/26] lib/cmdline.c: fix get_options() overflow while parsing ranges
4.4-stable review patch. If anyone has any objections, please let me know. -- From: Ilya Matveychikovcommit a91e0f680bcd9e10c253ae8b62462a38bd48f09f upstream. When using get_options() it's possible to specify a range of numbers, like 1-100500. The problem is that it doesn't track array size while calling internally to get_range() which iterates over the range and fills the memory with numbers. Link: http://lkml.kernel.org/r/2613c75c-b04d-4bff-82a6-12f97ba0f...@gmail.com Signed-off-by: Ilya V. Matveychikov Cc: Jonathan Corbet Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman --- lib/cmdline.c |6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) --- a/lib/cmdline.c +++ b/lib/cmdline.c @@ -22,14 +22,14 @@ * the values[M, M+1, ..., N] into the ints array in get_options. */ -static int get_range(char **str, int *pint) +static int get_range(char **str, int *pint, int n) { int x, inc_counter, upper_range; (*str)++; upper_range = simple_strtol((*str), NULL, 0); inc_counter = upper_range - *pint; - for (x = *pint; x < upper_range; x++) + for (x = *pint; n && x < upper_range; x++, n--) *pint++ = x; return inc_counter; } @@ -96,7 +96,7 @@ char *get_options(const char *str, int n break; if (res == 3) { int range_nums; - range_nums = get_range((char **), ints + i); + range_nums = get_range((char **), ints + i, nints - i); if (range_nums < 0) break; /*
[PATCH 4.4 03/26] lib/cmdline.c: fix get_options() overflow while parsing ranges
4.4-stable review patch. If anyone has any objections, please let me know. -- From: Ilya Matveychikov commit a91e0f680bcd9e10c253ae8b62462a38bd48f09f upstream. When using get_options() it's possible to specify a range of numbers, like 1-100500. The problem is that it doesn't track array size while calling internally to get_range() which iterates over the range and fills the memory with numbers. Link: http://lkml.kernel.org/r/2613c75c-b04d-4bff-82a6-12f97ba0f...@gmail.com Signed-off-by: Ilya V. Matveychikov Cc: Jonathan Corbet Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman --- lib/cmdline.c |6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) --- a/lib/cmdline.c +++ b/lib/cmdline.c @@ -22,14 +22,14 @@ * the values[M, M+1, ..., N] into the ints array in get_options. */ -static int get_range(char **str, int *pint) +static int get_range(char **str, int *pint, int n) { int x, inc_counter, upper_range; (*str)++; upper_range = simple_strtol((*str), NULL, 0); inc_counter = upper_range - *pint; - for (x = *pint; x < upper_range; x++) + for (x = *pint; n && x < upper_range; x++, n--) *pint++ = x; return inc_counter; } @@ -96,7 +96,7 @@ char *get_options(const char *str, int n break; if (res == 3) { int range_nums; - range_nums = get_range((char **), ints + i); + range_nums = get_range((char **), ints + i, nints - i); if (range_nums < 0) break; /*