lldb/source/Host/linux/Host.cpp:94: Possible missing field width in scanf %s ? #89710
Comments
|
@llvm/issue-subscribers-lldb Author: None (dcb314)
Static analyser cppcheck says:
lldb/source/Host/linux/Host.cpp:94:7: warning: sscanf() without field width limits can crash with huge input data. [invalidscanf] Source code is if (sscanf(Rest.data(), but char comm[task_comm_len]; and constexpr int task_comm_len = 16; Might there be some value in adding the string maximum length to the %s ? |
As reported in llvm#89710, the %s code used for `comm` could and probably does, overflow the buffer. Likely we haven't seen it cause problems because the following data is overwritten right afterwards. Also scanf isn't a great choice here as this `comm` can include many characters that might trip up %s. We don't actually use `comm`, so parse but don't store it so we're not overflowing anything.
…0387) As reported in #89710, the %s code used for `comm` could and probably does, overflow the buffer. Likely we haven't seen it cause problems because the following data is overwritten right afterwards. Also scanf isn't a great choice here as this `comm` can include many characters that might trip up %s. We don't actually use `comm`, so parse but don't store it so we're not overflowing anything.
|
Fixed by #100387, and we will rework the code so that we are not using scanf on a field that can potentially include spaces and special characters. |
…0387) Summary: As reported in #89710, the %s code used for `comm` could and probably does, overflow the buffer. Likely we haven't seen it cause problems because the following data is overwritten right afterwards. Also scanf isn't a great choice here as this `comm` can include many characters that might trip up %s. We don't actually use `comm`, so parse but don't store it so we're not overflowing anything. Test Plan: Reviewers: Subscribers: Tasks: Tags: Differential Revision: https://phabricator.intern.facebook.com/D60250556
Static analyser cppcheck says:
lldb/source/Host/linux/Host.cpp:94:7: warning: sscanf() without field width limits can crash with huge input data. [invalidscanf]
Source code is
if (sscanf(Rest.data(),
"%d %s %c %d %d %d %d %d %u %lu %lu %lu %lu %lu %lu %ld %ld",
&stat_fields.pid, stat_fields.comm, &stat_fields.state,
&stat_fields.ppid, &stat_fields.pgrp, &stat_fields.session,
&stat_fields.tty_nr, &stat_fields.tpgid, &stat_fields.flags,
&stat_fields.minflt, &stat_fields.cminflt, &stat_fields.majflt,
&stat_fields.cmajflt, &stat_fields.utime, &stat_fields.stime,
&stat_fields.cutime, &stat_fields.cstime) < 0) {
but
char comm[task_comm_len];
and
constexpr int task_comm_len = 16;
Might there be some value in adding the string maximum length to the %s ?
The text was updated successfully, but these errors were encountered: