Commit 34fc8b90 authored Jan 15, 2016 by Rasmus Villemoes Committed by Linus Torvalds Jan 16, 2016

lib/vsprintf.c: eliminate potential race in string()



If the string corresponding to a %s specifier can change under us, we
might end up copying a \0 byte to the output buffer.  There might be
callers who expect the output buffer to contain a genuine C string whose
length is exactly the snprintf return value (assuming truncation hasn't
happened or has been checked for).

We can avoid this by only passing over the source string once, stopping
the first time we meet a nul byte (or when we reach the given
precision), and then letting widen_string() handle left/right space
padding.  As a small bonus, this code reuse also makes the generated
code slightly smaller.

Signed-off-by: Rasmus Villemoes <linux@rasmusvillemoes.dk>
Cc: Al Viro <viro@ZenIV.linux.org.uk>
Cc: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Cc: Ingo Molnar <mingo@kernel.org>
Cc: Joe Perches <joe@perches.com>
Cc: Kees Cook <keescook@chromium.org>
Cc: Maurizio Lombardi <mlombard@redhat.com>
Cc: Tejun Heo <tj@kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

parent 95508cfa

lib/vsprintf.c

+9 −19

Original line number	Diff line number	Diff line
		@@ -560,32 +560,22 @@ char widen_string(char buf, int n, char *end, struct printf_spec spec)
		static noinline_for_stack
		char string(char buf, char end, const char s, struct printf_spec spec)
		{
		int len, i;
		int len = 0;
		size_t lim = spec.precision;

		if ((unsigned long)s < PAGE_SIZE)
		s = "(null)";

		len = strnlen(s, spec.precision);

		if (!(spec.flags & LEFT)) {
		while (len < spec.field_width--) {
		if (buf < end)
		*buf = ' ';
		++buf;
		}
		}
		for (i = 0; i < len; ++i) {
		if (buf < end)
		buf = s;
		++buf; ++s;
		}
		while (len < spec.field_width--) {
		while (lim--) {
		char c = *s++;
		if (!c)
		break;
		if (buf < end)
		*buf = ' ';
		*buf = c;
		++buf;
		++len;
		}

		return buf;
		return widen_string(buf, len, end, spec);
		}

		static noinline_for_stack

Admin message