mirror of
https://git.proxmox.com/git/mirror_zfs.git
synced 2026-05-22 02:27:36 +03:00
Introduce kmem_scnprintf()
`snprintf()` is meant to protect against buffer overflows, but operating on the buffer using its return value, possibly by calling it again, can cause a buffer overflow, because it will return how many characters it would have written if it had enough space even when it did not. In a number of places, we repeatedly call snprintf() by successively incrementing a buffer offset and decrementing a buffer length, by its return value. This is a potentially unsafe usage of `snprintf()` whenever the buffer length is reached. CodeQL complained about this. To fix this, we introduce `kmem_scnprintf()`, which will return 0 when the buffer is zero or the number of written characters, minus 1 to exclude the NULL character, when the buffer was too small. In all other cases, it behaves like snprintf(). The name is inspired by the Linux and XNU kernels' `scnprintf()`. The implementation was written before I thought to look at `scnprintf()` and had a good name for it, but it turned out to have identical semantics to the Linux kernel version. That lead to the name, `kmem_scnprintf()`. CodeQL only catches this issue in loops, so repeated use of snprintf() outside of a loop was not caught. As a result, a thorough audit of the codebase was done to examine all instances of `snprintf()` usage for potential problems and a few were caught. Fixes for them are included in this patch. Unfortunately, ZED is one of the places where `snprintf()` is potentially used incorrectly. Since using `kmem_scnprintf()` in it would require changing how it is linked, we modify its usage to make it safe, no matter what buffer length is used. In addition, there was a bug in the use of the return value where the NULL format character was not being written by pwrite(). That has been fixed. Reviewed-by: Brian Behlendorf <behlendorf1@llnl.gov> Signed-off-by: Richard Yao <richard.yao@alumni.stonybrook.edu> Closes #14098
This commit is contained in:
Richard Yao
committed by
Brian Behlendorf
Brian Behlendorf
parent
2e08df84d8
commit
97143b9d31
@@ -105,3 +105,33 @@ kmem_strfree(char *str)
|
||||
ASSERT3P(str, !=, NULL);
|
||||
kmem_free(str, strlen(str) + 1);
|
||||
}
|
||||
|
||||
/*
|
||||
* kmem_scnprintf() will return the number of characters that it would have
|
||||
* printed whenever it is limited by value of the size variable, rather than
|
||||
* the number of characters that it did print. This can cause misbehavior on
|
||||
* subsequent uses of the return value, so we define a safe version that will
|
||||
* return the number of characters actually printed, minus the NULL format
|
||||
* character. Subsequent use of this by the safe string functions is safe
|
||||
* whether it is snprintf(), strlcat() or strlcpy().
|
||||
*/
|
||||
|
||||
int
|
||||
kmem_scnprintf(char *restrict str, size_t size, const char *restrict fmt, ...)
|
||||
{
|
||||
int n;
|
||||
va_list ap;
|
||||
|
||||
/* Make the 0 case a no-op so that we do not return -1 */
|
||||
if (size == 0)
|
||||
return (0);
|
||||
|
||||
va_start(ap, fmt);
|
||||
n = vsnprintf(str, size, fmt, ap);
|
||||
va_end(ap);
|
||||
|
||||
if (n >= size)
|
||||
n = size - 1;
|
||||
|
||||
return (n);
|
||||
}
|
||||
|
||||
@@ -279,11 +279,11 @@ zprop_sysfs_show(const char *attr_name, const zprop_desc_t *property,
|
||||
|
||||
for (int i = 0; i < ARRAY_SIZE(type_map); i++) {
|
||||
if (type_map[i].ztm_type & property->pd_types) {
|
||||
len += snprintf(buf + len, buflen - len, "%s ",
|
||||
type_map[i].ztm_name);
|
||||
len += kmem_scnprintf(buf + len, buflen - len,
|
||||
"%s ", type_map[i].ztm_name);
|
||||
}
|
||||
}
|
||||
len += snprintf(buf + len, buflen - len, "\n");
|
||||
len += kmem_scnprintf(buf + len, buflen - len, "\n");
|
||||
return (len);
|
||||
}
|
||||
|
||||
|
||||
Reference in New Issue
Block a user