[CRIU] [PATCH] proc_parse: check that scanf fill the offset var

Andrey Vagin avagin at openvz.org
Wed Aug 6 07:00:30 PDT 2014


CID 1168165 (#2 of 2): Untrusted array index read (TAINTED_SCALAR)
40. tainted_data: Using tainted variable "hoff" as an index into an
array "str"

$ man 3 scanf
n      Nothing  is expected; instead, the number of characters consumed
      thus far from the input is  stored  through  the  next  pointer,
      which  must  be  a  pointer  to  int.  This is not a conversion,
      although it can be suppressed with the *  assignment-suppression
      character.   The  C  standard says: "Execution of a %n directive
      does not increment the assignment count returned at the  comple‐
      tion of execution" but the Corrigendum seems to contradict this.
      Probably it is wise not to make any assumptions on the effect of
      %n conversions on the return value.

So it isn't not enough to check a return code from scanf().

Cc: Cyrill Gorcunov <gorcunov at openvz.org>
Signed-off-by: Andrey Vagin <avagin at openvz.org>
---
 proc_parse.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/proc_parse.c b/proc_parse.c
index b0333be..1399fe7 100644
--- a/proc_parse.c
+++ b/proc_parse.c
@@ -1153,7 +1153,7 @@ static int parse_fdinfo_pid_s(char *pid, int fd, int type,
 		if (fdinfo_field(str, "fanotify ino")) {
 			FanotifyInodeMarkEntry ie = FANOTIFY_INODE_MARK_ENTRY__INIT;
 			FhEntry f_handle = FH_ENTRY__INIT;
-			int hoff;
+			int hoff = 0;
 
 			if (type != FD_TYPES__FANOTIFY)
 				goto parse_err;
@@ -1169,7 +1169,7 @@ static int parse_fdinfo_pid_s(char *pid, int fd, int type,
 				     &entry.ffy.mflags, &entry.ffy.mask, &entry.ffy.ignored_mask,
 				     &f_handle.bytes, &f_handle.type,
 				     &hoff);
-			if (ret != 7)
+			if (ret != 7 && hoff != 0)
 				goto parse_err;
 
 			if (alloc_fhandle(&f_handle)) {
-- 
1.8.5.3



More information about the CRIU mailing list