hardening: negative snprintf return values by ep69 · Pull Request #182 · besser82/libxcrypt

ep69 · 2024-02-07T18:44:48Z

snprintf returns negative values in case of errors, as found out by SAST (Static Application Security Testing)

t184256 · 2024-02-13T14:13:15Z

lib/crypt-pbkdf1-sha1.c

  /* Now output... */
-  pl = (size_t)snprintf ((char *)output, out_size, "%s%lu$%.*s$",
-                         magic, iterations, (int)sl, setting);
+  dl = snprintf ((char *)output, out_size, "%s%lu$%.*s$",


there's another one above (L156)

I only looked in the ones that are casted to size_t, but you are right, it might make sense to go through all snprintf calls and make sure return value is checked for negativity.

I think the iffiness is slightly above:

sl = (size_t)(sp - setting);

Shouldn't this be bounded to a reasonable value? If I read the sources correctly, it currently isn't, although the documentation comment suggests it can be at most 64? Then the snprintf below cannot fail with EOVERFLOW (or otherwise) anymore.

@fweimer-rh thanks for looking, I'll check.

fweimer-rh · 2024-02-13T20:25:10Z

lib/crypt-pbkdf1-sha1.c

  /* Now output... */
-  pl = (size_t)snprintf ((char *)output, out_size, "%s%lu$%.*s$",
-                         magic, iterations, (int)sl, setting);
+  dl = snprintf ((char *)output, out_size, "%s%lu$%.*s$",


I think the iffiness is slightly above:

sl = (size_t)(sp - setting);

Shouldn't this be bounded to a reasonable value? If I read the sources correctly, it currently isn't, although the documentation comment suggests it can be at most 64? Then the snprintf below cannot fail with EOVERFLOW (or otherwise) anymore.

fweimer-rh · 2024-02-13T20:26:35Z

lib/crypt-sunmd5.c

-  size_t written = (size_t) snprintf ((char *)output, o_size,
-                                      "%s,rounds=%lu$", SUNMD5_PREFIX, count);
+  int written = snprintf ((char *)output, o_size,
+                          "%s,rounds=%lu$", SUNMD5_PREFIX, count);


Is there an actual snprintf implementation that can fail with these inputs? I don't think so. There are many tricky cases in for printf processing (allocations in argument list and long double processing, return value exceeding INT_MAX), but they don't seem to apply here.

@fweimer-rh might be extremely unlikely, but things may break elsewhere and it is legit for snprintf to return negative values according to documentation.

To be honest, I don't know. Is there some good practice about how paranoid and double-checking is it worth to be (vs. not complicating the code)?

@fweimer-rh I would like to hear and follow your opinion. Shall we be more paranoid and expect that snprintf might return negative values as documented, or less paranoid and rely on no libc implementation failing for some specific arguments?

fweimer-rh · 2024-02-13T20:28:09Z

lib/util-gensalt-sha.c

-                                 "$%c$rounds=%lu$", tag, count);
+    {
+      int w = snprintf ((char *)output, output_size,
+                        "$%c$rounds=%lu$", tag, count);


Likewise I believe this invocation cannot fail.

ep69 · 2024-04-11T11:42:39Z

@fweimer-rh @besser82 I am sensing reluctance to this change. Would it be easier for everybody to just close it and never look back?

fweimer-rh · 2024-04-11T17:23:35Z

lib/crypt-pbkdf1-sha1.c

    }

  sl = (size_t)(sp - setting);
+  assert (sl <= CRYPT_SHA1_SALT_LENGTH);


I wonder if this assert can be hit by crafted inputs, then this change might be problematic. Is there a way to return an error for this?

The remaining asserts look fine.

In my previous comments, I probably got carried away by our internal analysis tool discussion, sorry.

@fweimer-rh You are right, this assert could be hit if long enough input is provided. I'll remove it. The limit CRYPT_SHA1_SALT_LENGTH is actually used only when generating the salt and hashing works fine with longer salts UNTIL CRYPT_OUTPUT_SIZE (384) starts to be a problem - in that case only the salt is present in crypt_sha1crypt_rn. This is an issue in my opinion, but probably for another PR.

I'll remove this assert.

@fweimer-rh could you have a look now?

snprintf returns negative values in case of errors, as found out by SAST (Static Application Security Testing)

ep69 · 2024-05-14T11:36:08Z

@fweimer-rh could you please have another look if all your concerns are fixed?

t184256 reviewed Feb 13, 2024

View reviewed changes

fweimer-rh reviewed Feb 13, 2024

View reviewed changes

fweimer-rh reviewed Apr 11, 2024

View reviewed changes

hardening: negative snprintf return values

28432a9

snprintf returns negative values in case of errors, as found out by SAST (Static Application Security Testing)

ep69 force-pushed the snprintf branch from 1287699 to 28432a9 Compare April 24, 2024 14:58

Conversation

ep69 commented Feb 7, 2024

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

ep69 commented Apr 11, 2024

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

ep69 commented May 14, 2024

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants