mirror_zfs/lib/libzfs
Richard Yao 97143b9d31 Introduce kmem_scnprintf()
`snprintf()` is meant to protect against buffer overflows, but operating
on the buffer using its return value, possibly by calling it again, can
cause a buffer overflow, because it will return how many characters it
would have written if it had enough space even when it did not. In a
number of places, we repeatedly call snprintf() by successively
incrementing a buffer offset and decrementing a buffer length, by its
return value. This is a potentially unsafe usage of `snprintf()`
whenever the buffer length is reached. CodeQL complained about this.

To fix this, we introduce `kmem_scnprintf()`, which will return 0 when
the buffer is zero or the number of written characters, minus 1 to
exclude the NULL character, when the buffer was too small. In all other
cases, it behaves like snprintf(). The name is inspired by the Linux and
XNU kernels' `scnprintf()`. The implementation was written before I
thought to look at `scnprintf()` and had a good name for it, but it
turned out to have identical semantics to the Linux kernel version.
That lead to the name, `kmem_scnprintf()`.

CodeQL only catches this issue in loops, so repeated use of snprintf()
outside of a loop was not caught. As a result, a thorough audit of the
codebase was done to examine all instances of `snprintf()` usage for
potential problems and a few were caught. Fixes for them are included in
this patch.

Unfortunately, ZED is one of the places where `snprintf()` is
potentially used incorrectly. Since using `kmem_scnprintf()` in it would
require changing how it is linked, we modify its usage to make it safe,
no matter what buffer length is used. In addition, there was a bug in
the use of the return value where the NULL format character was not
being written by pwrite(). That has been fixed.

Reviewed-by: Brian Behlendorf <behlendorf1@llnl.gov>
Signed-off-by: Richard Yao <richard.yao@alumni.stonybrook.edu>
Closes #14098
2022-10-29 13:05:11 -07:00
..
os Introduce kmem_scnprintf() 2022-10-29 13:05:11 -07:00
.gitignore Clean up lib dependencies 2020-07-10 14:26:00 -07:00
libzfs_changelist.c Replace dead opensolaris.org license link 2022-07-11 14:16:13 -07:00
libzfs_config.c Replace dead opensolaris.org license link 2022-07-11 14:16:13 -07:00
libzfs_crypto.c Enable -Wwrite-strings 2022-06-29 14:08:54 -07:00
libzfs_dataset.c Cleanup: Address Clang's static analyzer's unused code complaints 2022-10-14 13:37:54 -07:00
libzfs_diff.c Cleanup: Address Clang's static analyzer's unused code complaints 2022-10-14 13:37:54 -07:00
libzfs_impl.h Replace dead opensolaris.org license link 2022-07-11 14:16:13 -07:00
libzfs_import.c Replace dead opensolaris.org license link 2022-07-11 14:16:13 -07:00
libzfs_iter.c Replace dead opensolaris.org license link 2022-07-11 14:16:13 -07:00
libzfs_mount.c Make zfs-share service resilient to stale exports 2022-09-09 10:54:16 -07:00
libzfs_pool.c Cleanup: Delete unnecessary pointer check from vdev_to_nvlist_iter() 2022-10-18 15:39:32 -07:00
libzfs_sendrecv.c Cleanup: Address Clang's static analyzer's unused code complaints 2022-10-14 13:37:54 -07:00
libzfs_status.c Replace dead opensolaris.org license link 2022-07-11 14:16:13 -07:00
libzfs_util.c Cleanup: Address Clang's static analyzer's unused code complaints 2022-10-14 13:37:54 -07:00
libzfs.abi Add membar_sync abi change 2022-10-04 09:54:58 -07:00
libzfs.pc.in Spruce up pkg-config files for libzfs/libzfs_core 2020-09-04 11:11:18 -07:00
libzfs.suppr Library ABI tracking with abigail 2020-11-17 09:18:52 -08:00
Makefile.am Replace EXTRA_DIST with dist_noinst_DATA 2022-05-26 09:24:50 -07:00
THIRDPARTYLICENSE.openssl Fix typos in lib/ 2019-09-02 17:53:27 -07:00
THIRDPARTYLICENSE.openssl.descrip Encryption patch follow-up 2017-10-11 16:54:48 -04:00