[CRIU] [PATCH] proc_parse: check that scanf fills the offset var
Cyrill Gorcunov
gorcunov at gmail.com
Wed Aug 6 07:33:25 PDT 2014
On Wed, Aug 06, 2014 at 06:03:51PM +0400, Andrey Vagin wrote:
> CID 1168165 (#2 of 2): Untrusted array index read (TAINTED_SCALAR)
> 40. tainted_data: Using tainted variable "hoff" as an index into an
> array "str"
>
> $ man 3 scanf
> n Nothing is expected; instead, the number of characters consumed
> thus far from the input is stored through the next pointer,
> which must be a pointer to int. This is not a conversion,
> although it can be suppressed with the * assignment-suppression
> character. The C standard says: "Execution of a %n directive
> does not increment the assignment count returned at the completion
> of execution" but the Corrigendum seems to contradict this.
> Probably it is wise not to make any assumptions on the effect of
> %n conversions on the return value.
>
> So it isn't enough to check a return code from scanf().
>
> Cc: Cyrill Gorcunov <gorcunov at openvz.org>
> Signed-off-by: Andrey Vagin <avagin at openvz.org>
Acked-by: Cyrill Gorcunov <gorcunov at openvz.org>
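The failure mode the patch addresses, shown as a constructed C example (added here; it is neither CRIU's proc_parse code nor the patch itself). The format string, the field names and the sentinel value are assumptions for the illustration. A `%n` directive is not counted in scanf's return value, so a caller that checks only the return code can still read an uninitialised offset; pre-setting the offset to a sentinel and validating it against the string length closes the tainted-index path:

```c
#include <stdio.h>
#include <string.h>

/*
 * Parse a "Name: value" line and return the offset of "value" inside str,
 * or -1 if the line does not match. Constructed example, not CRIU code.
 *
 * The format uses %n to record how many characters were consumed. scanf
 * does not count %n in its return value, so ret == 1 is also what we get
 * for an input like "Name" where matching stops at the missing ':' and
 * %n is never reached. The sentinel in hoff is what detects that case.
 */
static int parse_field_offset(const char *str)
{
    int hoff = -1;      /* sentinel: stays -1 if %n is never executed */
    char name[32];
    int ret;

    ret = sscanf(str, "%31[^:]: %n", name, &hoff);
    if (ret != 1)       /* input or matching failure before the name was read */
        return -1;

    /* %n may not have fired; also bound the offset before it indexes str */
    if (hoff < 0 || (size_t)hoff > strlen(str))
        return -1;

    return hoff;
}

/*
 * Use the offset only after validation. Without the checks above,
 * str[hoff] would be an index taken from unvalidated parser state.
 */
static const char *field_value(const char *str)
{
    int off = parse_field_offset(str);

    return off < 0 ? NULL : str + off;
}

int main(void)
{
    const char *lines[] = { "Name: value", "Name", "", ":x" }; /* constructed inputs */
    size_t i;

    for (i = 0; i < sizeof(lines) / sizeof(lines[0]); i++) {
        const char *v = field_value(lines[i]);
        printf("\"%s\" -> %s\n", lines[i], v ? v : "(rejected)");
    }
    return 0;
}
```

The "Name" input is the interesting one: sscanf returns 1 there, exactly as it does for the well-formed line, and only the sentinel check tells the two apart.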