
Commit 56e9c4b

Richard Palethorpe authored and pevik committed
tst_assert: Fix buffer overflow in scanf
The maximum field width of a string conversion does not include the null byte. So we can overflow the buffer by one byte.

This can be triggered in ioctl_loop01 with -fsanitize=address even if the file contents are far less than the buffer size:

tst_test.c:1558: TINFO: Timeout per run is 0h 00m 30s
tst_device.c:93: TINFO: Found free device 1 '/dev/loop1'
ioctl_loop01.c:85: TPASS: /sys/block/loop1/loop/partscan = 0
ioctl_loop01.c:86: TPASS: /sys/block/loop1/loop/autoclear = 0
=================================================================
==293==ERROR: AddressSanitizer: stack-buffer-overflow on address 0xf5c03420 at pc 0xf7952bf8 bp 0xff9cf9f8 sp 0xff9cf5d0
WRITE of size 1025 at 0xf5c03420 thread T0
    #0 0xf7952bf7 (/lib/libasan.so.8+0x89bf7) (BuildId: f8d5331e88e5c1b8a8a55eda0a8e20503ea0d2b9)
    #1 0xf7953879 in __isoc99_vfscanf (/lib/libasan.so.8+0x8a879) (BuildId: f8d5331e88e5c1b8a8a55eda0a8e20503ea0d2b9)
    #2 0x8071f85 in safe_file_scanf /home/rich/qa/ltp/lib/safe_file_ops.c:139
    #3 0x80552ea in tst_assert_str /home/rich/qa/ltp/lib/tst_assert.c:60
    #4 0x804f17a in verify_ioctl_loop /home/rich/qa/ltp/testcases/kernel/syscalls/ioctl/ioctl_loop01.c:87
    #5 0x8061599 in run_tests /home/rich/qa/ltp/lib/tst_test.c:1380
    #6 0x8061599 in testrun /home/rich/qa/ltp/lib/tst_test.c:1463
    #7 0x8061599 in fork_testrun /home/rich/qa/ltp/lib/tst_test.c:1592
    #8 0x806877a in tst_run_tcases /home/rich/qa/ltp/lib/tst_test.c:1686
    #9 0x804e01b in main ../../../../include/tst_test.h:394
    #10 0xf7188294 in __libc_start_call_main (/lib/libc.so.6+0x23294) (BuildId: 87c7a50c8792985dd164f5af2d45b8e91d9f4391)
    #11 0xf7188357 in __libc_start_main@@GLIBC_2.34 (/lib/libc.so.6+0x23357) (BuildId: 87c7a50c8792985dd164f5af2d45b8e91d9f4391)
    #12 0x804e617 in _start ../sysdeps/i386/start.S:111

Address 0xf5c03420 is located in stack of thread T0 at offset 1056 in frame
    #0 0x805525f in tst_assert_str /home/rich/qa/ltp/lib/tst_assert.c:57

  This frame has 1 object(s):
    [32, 1056) 'sys_val' (line 58) <== Memory access at offset 1056 overflows this variable

Fixes: f4919b1 ("lib: Add TST_ASSERT_FILE_INT and TST_ASSERT_FILE_STR")
Reviewed-by: Cyril Hrubis <[email protected]>
Reviewed-by: Petr Vorel <[email protected]>
Signed-off-by: Richard Palethorpe <[email protected]>
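The off-by-one the commit describes is easy to reproduce and easy to prevent structurally. The following is an added example, not LTP code and not part of this commit: it measures how many bytes a `%Ns` conversion really stores, then shows two ways of tying the field width to the destination buffer so the two cannot drift apart (a run-time wrapper that also reports truncation, and a stringified macro for a fixed-size array in the style of `sys_val`). All function and macro names (`bytes_stored_for_width`, `scan_token_bounded`, `scan_sys_val`, `SYS_VAL_LEN`) are this example's own, and the inputs are constructed inline.

```c
#include <ctype.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not LTP code. The bug: a scanf field width N stores up to N
 * characters AND a terminating NUL, so "%1024s" needs 1025 bytes. */

#define STR_(x) #x
#define STR(x) STR_(x)

/* Measure how many bytes "%<width>s" stores when the token is at least
 * width characters long. The scratch buffer is oversized so the measurement
 * itself never overflows; the answer is always width + 1. */
size_t bytes_stored_for_width(int width)
{
    enum { INPUT_LEN = 4096 };
    char fmt[32];
    char *input = malloc(INPUT_LEN + 1);
    char *scratch = malloc(INPUT_LEN + 1);
    size_t stored = 0;

    if (!input || !scratch || width < 1 || width >= INPUT_LEN)
        goto out;

    memset(input, 'a', INPUT_LEN);          /* constructed input: one long token */
    input[INPUT_LEN] = '\0';
    memset(scratch, 'X', INPUT_LEN + 1);    /* poison: the only NUL will be scanf's */

    snprintf(fmt, sizeof(fmt), "%%%ds", width);   /* e.g. "%1024s" */
    if (sscanf(input, fmt, scratch) == 1)
        stored = strlen(scratch) + 1;       /* characters stored + the NUL */
out:
    free(input);
    free(scratch);
    return stored;
}

/* Hardened pattern: derive the width from the destination size at run time and
 * detect truncation instead of letting a later strcmp fail with a misleading
 * message. Returns the token length, or -1 if nothing was read or the token
 * did not fit. (%n is safe here: the format string is ours, not the input.) */
int scan_token_bounded(const char *input, char *dst, size_t dst_size)
{
    char fmt[32];
    int consumed = 0;

    if (dst_size < 2 || dst_size - 1 > INT_MAX)
        return -1;
    snprintf(fmt, sizeof(fmt), "%%%zus%%n", dst_size - 1);   /* e.g. "%7s%n" */
    if (sscanf(input, fmt, dst, &consumed) != 1)
        return -1;
    /* The first unconsumed byte must end the token; otherwise it was cut. */
    if (input[consumed] != '\0' && !isspace((unsigned char)input[consumed]))
        return -1;
    return (int)strlen(dst);
}

/* Compile-time variant of the same idea for a fixed array like tst_assert's
 * sys_val: one macro feeds both the array size and the stringified width. */
#define SYS_VAL_LEN 1023
char g_sys_val[SYS_VAL_LEN + 1];
char g_small[8];

int scan_sys_val(const char *contents)
{
    return sscanf(contents, "%" STR(SYS_VAL_LEN) "s", g_sys_val);  /* "%1023s" */
}

int main(void)
{
    printf("\"%%4s\" stores %zu bytes; \"%%1024s\" stores %zu bytes\n",
           bytes_stored_for_width(4), bytes_stored_for_width(1024));
    printf("scan_token_bounded(\"hello world\") -> %d\n",
           scan_token_bounded("hello world", g_small, sizeof(g_small)));
    printf("scan_token_bounded(\"toolongtoken\") -> %d\n",
           scan_token_bounded("toolongtoken", g_small, sizeof(g_small)));
    return 0;
}
```

`bytes_stored_for_width(1024)` returns 1025, which is exactly the "WRITE of size 1025" in the sanitizer report above; `bytes_stored_for_width(1023)` returns 1024 and fits a `char[1024]`. The run-time wrapper additionally turns an over-long value into an explicit failure rather than a confusing string mismatch.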
1 parent 6ce029f commit 56e9c4b

File tree: 1 file changed (+2 -2 lines changed)

lib/tst_assert.c

Lines changed: 2 additions & 2 deletions
@@ -57,7 +57,7 @@ void tst_assert_str(const char *file, const int lineno, const char *path, const
5757
{
5858
char sys_val[1024];
5959

60-
safe_file_scanf(file, lineno, NULL, path, "%1024s", sys_val);
60+
safe_file_scanf(file, lineno, NULL, path, "%1023s", sys_val);
6161
if (!strcmp(val, sys_val)) {
6262
tst_res_(file, lineno, TPASS, "%s = '%s'", path, val);
6363
return;
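Review bot: the new width 1023 on the safe_file_scanf line is a literal that has to be kept in step by hand with `char sys_val[1024];` two lines above, which is exactly how the original 1024 slipped in; derive one from the other (a SYS_VAL_LEN macro stringified into the format and used as `char sys_val[SYS_VAL_LEN + 1]`) so a future resize cannot reintroduce the off-by-one. Also worth noting that a value longer than 1023 characters is now silently cut at the width, so the strcmp below fails with a plain mismatch message rather than reporting that the file value was too long.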
@@ -71,7 +71,7 @@ void tst_assert_file_str(const char *file, const int lineno, const char *path, c
7171
char sys_val[1024];
7272
char fmt[2048];
7373

74-
snprintf(fmt, sizeof(fmt), "%s: %%1024s", prefix);
74+
snprintf(fmt, sizeof(fmt), "%s: %%1023s", prefix);
7575
file_lines_scanf(file, lineno, NULL, 1, path, fmt, sys_val);
7676

7777
if (!strcmp(val, sys_val)) {
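Review bot: the same hard-coded 1023 appears here, now further from its buffer because it is spliced into fmt via snprintf; the ASan report in the commit message only exercised tst_assert_str, so this second copy is the one most likely to drift if a shared macro is not introduced for both functions. Separately, the snprintf return value is unchecked: with `char fmt[2048]` and the fixed ": %1023s" suffix, a prefix of 2040 or more bytes would truncate the format string and drop the conversion before file_lines_scanf sees it.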
