[CRIU] [PATCH] proc_parse: check that scanf fill the offset var
Andrew Vagin
avagin at parallels.com
Wed Aug 6 07:02:44 PDT 2014
Sorry, pls ignore this patch.
On Wed, Aug 06, 2014 at 06:00:30PM +0400, Andrey Vagin wrote:
> CID 1168165 (#2 of 2): Untrusted array index read (TAINTED_SCALAR)
> 40. tainted_data: Using tainted variable "hoff" as an index into an
> array "str"
>
> $ man 3 scanf
> n Nothing is expected; instead, the number of characters consumed
> thus far from the input is stored through the next pointer,
> which must be a pointer to int. This is not a conversion,
> although it can be suppressed with the * assignment-suppression
> character. The C standard says: "Execution of a %n directive
> does not increment the assignment count returned at the completion
> of execution" but the Corrigendum seems to contradict this.
> Probably it is wise not to make any assumptions on the effect of
> %n conversions on the return value.
>
> So it isn't enough to check the return code from scanf().
>
> Cc: Cyrill Gorcunov <gorcunov at openvz.org>
> Signed-off-by: Andrey Vagin <avagin at openvz.org>
> ---
> proc_parse.c | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/proc_parse.c b/proc_parse.c
> index b0333be..1399fe7 100644
> --- a/proc_parse.c
> +++ b/proc_parse.c
> @@ -1153,7 +1153,7 @@ static int parse_fdinfo_pid_s(char *pid, int fd, int type,
> if (fdinfo_field(str, "fanotify ino")) {
> FanotifyInodeMarkEntry ie = FANOTIFY_INODE_MARK_ENTRY__INIT;
> FhEntry f_handle = FH_ENTRY__INIT;
> - int hoff;
> + int hoff = 0;
>
> if (type != FD_TYPES__FANOTIFY)
> goto parse_err;
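Review bot: the `int hoff = 0;` initialisation is what makes any later "was %n stored?" check possible, since scanf() leaves the %n target untouched whenever an earlier conversion fails; zero is a safe sentinel here because %n stores the number of characters consumed so far, which cannot be 0 once the preceding seven fields have matched. A one-line comment next to the declaration saying so would help, because a reader will otherwise wonder why this variable alone is initialised.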
> @@ -1169,7 +1169,7 @@ static int parse_fdinfo_pid_s(char *pid, int fd, int type,
> &entry.ffy.mflags, &entry.ffy.mask, &entry.ffy.ignored_mask,
> &f_handle.bytes, &f_handle.type,
> &hoff);
> - if (ret != 7)
> + if (ret != 7 && hoff != 0)
> goto parse_err;
>
> if (alloc_fhandle(&f_handle)) {
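Review bot: the condition `if (ret != 7 && hoff != 0)` inverts the intended logic. When scanf() stops short (ret != 7) the %n target is never written, so hoff stays 0, the conjunction is false, and the truncated line is accepted instead of going to parse_err; the only case the new test still rejects (ret != 7 with hoff != 0) was already caught by the old `ret != 7` check. The check should reject when either condition signals a problem: `if (ret != 7 || hoff == 0)` followed by `goto parse_err;`.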
> --
> 1.8.5.3
>
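The commit message's point, that the assignment count returned by scanf() says nothing about whether a trailing %n was stored, and the reason the posted patch was withdrawn, can be seen in a few lines of C. The block below is an added example, not CRIU code: the line format and the sample lines are constructed stand-ins for the fdinfo line the patch parses, `accepted_by_patch()` mirrors the patch's `ret != 7 && hoff != 0` condition, and `accepted_fixed()` shows the check with the conditions combined correctly.

```c
/* Added example (not CRIU's code): why a scanf() return-code check alone
 * does not reveal whether a trailing %n was stored, and how to check it.
 * The "fanotify ino:<hex> mflags:<hex> mask:<hex>" format is a constructed
 * stand-in for the real fdinfo line, with three fields instead of seven. */
#include <stdio.h>
#include <string.h>

/* Scan one constructed line. *off receives the number of characters
 * consumed (via %n) or stays 0 when scanf stops before reaching %n.
 * Returns scanf's assignment count, which never includes %n. */
static int scan_line(const char *str, unsigned int *ino, unsigned int *mflags,
                     unsigned int *mask, int *off)
{
    *off = 0;  /* %n is not an assignment: initialise so a short input is detectable */
    return sscanf(str, "fanotify ino:%x mflags:%x mask:%x%n", ino, mflags, mask, off);
}

/* Mirrors the withdrawn patch: `if (ret != 7 && hoff != 0) goto parse_err;`
 * Returns 1 if the line would be accepted. */
static int accepted_by_patch(const char *str)
{
    unsigned int ino, mflags, mask;
    int off, ret = scan_line(str, &ino, &mflags, &mask, &off);

    /* Bug: on a short line ret != 3 but off == 0, so the && is false and
     * the line is accepted with off still at its initial value. */
    if (ret != 3 && off != 0)
        return 0;
    return 1;
}

/* Correct check: reject when any conversion failed OR %n was never stored.
 * Returns 1 if the line is accepted. */
static int accepted_fixed(const char *str)
{
    unsigned int ino, mflags, mask;
    int off, ret = scan_line(str, &ino, &mflags, &mask, &off);

    if (ret != 3 || off == 0)
        return 0;
    return 1;
}

/* Offset after a fully validated parse, or -1 on rejection. Only this value
 * is safe to use as an index into str: %n never exceeds strlen(str). */
static int parsed_offset(const char *str)
{
    unsigned int ino, mflags, mask;
    int off, ret = scan_line(str, &ino, &mflags, &mask, &off);

    if (ret != 3 || off == 0)
        return -1;
    return off;
}

int main(void)
{
    /* Constructed sample lines: one complete, one cut off after two fields. */
    const char *good  = "fanotify ino:1a mflags:0 mask:3f fhandle-bytes:4";
    const char *trunc = "fanotify ino:1a mflags:0";

    printf("good:  patch=%d fixed=%d off=%d\n",
           accepted_by_patch(good), accepted_fixed(good), parsed_offset(good));
    printf("trunc: patch=%d fixed=%d off=%d\n",
           accepted_by_patch(trunc), accepted_fixed(trunc), parsed_offset(trunc));
    return 0;
}
```

On the complete line both checks accept and the offset is 32, the length of the matched prefix; on the truncated line scanf returns 2 and leaves `off` at 0, the patch's `&&` form still accepts it, and only the `||` form rejects it. The same holds for an empty string, where sscanf returns EOF.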