Use r_str_scanf as a safe alternative to fix gdb reg profile parsing bugs

[Crispy-fried-chicken]

scanf("%s") uses are not safe, which may cause OOB, so we need to limit the number of characters read.

[trufae]

Dont use rizinisms please

[trufae]

^ those macros don’t really provide much goodness and their name is from rizin so it should be removed

[trufae]

Are those constants actually coming from the kernel? If not i would prefer to have no limits on any of this

[Crispy-fried-chicken]

Yes, they all come from the kernel which add in the patch of CVE-2023-27590, that is rizinorg/rizin@d619670. So maybe it should be there?

[trufae]

Precomputed values and assumptions like this are prompt to become maintainance problems for later. Comments shouldnt be needed if the code is solid

[Crispy-fried-chicken]

ok, maybe I should delete the comment?

[trufae]

The defines shouldnt exist either. Those constants are arbitrary and the value for that one can be computed from another one. Otherwise its a maintainance complication

[trufae]

Dont use rizinisms

[trufae]

Theres no need to have a define for a size that is tied to an array. Thats defined in the secure coding guidelines as a bad practice because it makes the code more xlobbered and harder to maintain and error probe

[trufae]

Sscanf is an awful function and there are actually many other issues than the size of the data stored after parsing. The return value should be checked for example

[trufae]

Better to just check for the space and use rnum to parse the string and strdup to catch the name. This way no limits in stack bounds are needed and will make it more flexible and simple

[trufae]

^ those macros don’t really provide much goodness and their name is from rizin so it should be removed

[trufae]

those extra unaligned bytes will make stack to have holes and wont optimize it properly, also as said those are arbitrary numbers. not tied to gdb definitions

[trufae]

dont use those ugly RZ_ things, and dnot hardcode the sizes here, the proper way to use that is to use sizeof(varname) instead of using a define or duplicating the value, this way the final code is much easier to maintain. this is specified in https://wiki.sei.cmu.edu/confluence/display/c if you are curious, also makes the code more readable. But again, ideally i would prefer not to use sscanf, but im fine to merge the fix when complete

[trufae]

keep the aligned values, 32 and 512

[trufae]

same, those defines are arbitrary, and duplicate the logic below making the code harder to read.

[trufae]

I had some time to check your PR in detail. and i think the only sane way to handle sscanf with dynamic string formating in a clean and maintainable way is to not use sscanf or build the format string at runtime, because %*s is not supported by sscanf (this is printf-specific), and its not possible to use sizeof() and concat that result into the formatting string. Therefor this is probably the cleanest way I can think of right now:

#include <stdio.h>
#include <r_util.h>
#include <stdlib.h>

int main() {
	char str[4];
	char str2[4];
	char buf[] = "hello world";
	r_strf_var (format, 64, "%%%ds %%%ds", (int)sizeof (str), (int)sizeof (str2));
	int ret = sscanf (buf, format, str, str2);
	printf ("FMT %s\n", format);
	printf ("RET %d == 2\n", ret);
	printf ("-> %s\n", str);
	return 0;
}

i dont like the fact that the sizeof and str are decoupled into separate statements, and that could be probably wrapped up with amacro that constructs the string and runs sscanf, also, considering modern compilers can do printf at compile time the final code should be as simple as the original, and the construction of the format string should be done outside any loop.

But again, if its possible i would prefer to avoid the use of sscanf, and just strchr or use r_str to split the string by spaces and such instead of depending on it.

Also this PR raises concern for other bad usecases of sscanf:

0$ git grep sscanf| grep '%s'
libr/debug/p/debug_gdb.c:		ret = sscanf (ptr, "%s %s %"PFMT64x" %*s %*s %[^\n]", &region1[2],
libr/debug/p/debug_io.c:			sscanf (str, "0x%"PFMT64x" - 0x%"PFMT64x" %s %s",
libr/debug/p/debug_native.c:		if (sscanf (line, "%s %s %d %d 0x%s %3s %d %d",
libr/debug/p/debug_native.c:		i = sscanf (line, "%s %s %08"PFMT64x" %*s %*s %[^\n]", &region[2], perms, &offset, name);
libr/debug/p/native/linux/linux_coredump.c:		sscanf (buff,  "%d %s %c %d %d %d %d %d %u %lu %lu %lu %lu"
libr/debug/p/native/linux/linux_coredump.c:		sscanf (buff, "%d %s %c %d %d %d %d %d %u %lu %lu %lu %lu"
libr/io/p/io_self.c:		sscanf (line, "%s %s %*s %*s %*s %[^\n]", region + 2, perms, path);
libr/reg/profile.c:		ret = sscanf (ptr, " %s %d %d %d %d %s %s", name, &number, &rel,
0$

and also:

$ git grep sscanf| grep '%\*s'
libr/debug/p/debug_gdb.c:		ret = sscanf (ptr, "%s %s %"PFMT64x" %*s %*s %[^\n]", &region1[2],
libr/debug/p/debug_native.c:		i = sscanf (line, "%s %s %08"PFMT64x" %*s %*s %[^\n]", &region[2], perms, &offset, name);
libr/io/p/io_self.c:		sscanf (line, "%s %s %*s %*s %*s %[^\n]", region + 2, perms, path);

thanks f

[trufae]

importing this https://github.com/tusharjois/bscanf is probably the best option :) ill look into that and get it as part of r_util asap

[Crispy-fried-chicken]

importing this https://github.com/tusharjois/bscanf is probably the best option :) ill look into that and get it as part of r_util asap

OK, But why I can't pass the check, I don't kown how to fix it, can you tell me the reason so that I can update :)

[trufae]

PFMT64x is a define, and needs to be defined outside the string itself, so that wont work, also the %*s is not supported in sscanf, so that wont work either because that seems to be a nonportable gnuism

Suggested change

	r_strf_var (format, 64, "%%%ds %%%ds %%PFMT64x %%*s %%*s %%%d [^\\n]", (int)sizeof (region1[2]), (int)sizeof (perms), (int)sizeof (offset), (int)sizeof (name));
	r_strf_var (format, 64, "%%%ds %%%ds %%PFMT64x %%*s %%*s %%%d [^\\n]", (int)sizeof (region1[2]), (int)sizeof (perms), (int)sizeof (offset), (int)sizeof (name));

[trufae]

wait for me to push the new sscanf implementaion, it will make things much cleaner and safe and i'll add unit tests for all that, so we wont need to use PFMT64x and such anymore and %*s will work, and %s will be banned

[trufae]

Thanks for the patience and time updating this PR. it's a good finding, but i want it to be addressed in the cleanest way as possible. Good work!

[Crispy-fried-chicken]

Thanks for the patience and time updating this PR. it's a good finding, but i want it to be addressed in the cleanest way as possible. Good work!

Thank you for your review and looking forward to your implementaion. Besides, due to the harm this vulnerability may cause, is it necessary to apply for a CVE for this vulnerability?

[trufae]

Found a couple of bugs in their bscanf implementation. fixed them in my fork and extended it to support %.s (%*s is kept for backward compat), so we cant use the attribute check sadly. added some tests that may probably be helpful for those cases :)

#22567

let me know what do you think?

i still want to cleanup this code more, and add a lot of more tests. and probably integrate it with RNum, so we can use it properly with extended math operation expressions and other useful format strings

[trufae]

The new r_str_scanf function is merged in, do you wanna give it a try to rewrite this function using the new API instead? will be good to test the patch and maybe add some more unit tests for it. thanks!

[Crispy-fried-chicken]

@trufae hi, I've seen the implementation of r_str_scanf and I can't find any implement of the %[\n], and find there is a TODO in r_str_scanf function just like:

/* TODO: '[': match a non-empty sequence of characters from a set. */
				_BSCANF_CHECK(0);

				/* String conversion requires a width. */
				_BSCANF_CHECK_STRING();
				/* '[' conversion specifiers DO NOT consume whitespace. */

so maybe the statement below can't rewrite by the api r_str_scanf?
ret = sscanf (ptr, "%s %s %"PFMT64x" %*s %*s %[^\n]", &region1[2],perms, &offset, name);
and Please tell me if my modifications are correct so that I can verify whether my understanding is accurate.
the origin statement is

r_strf_var (format, 64, "0x%%PFMT64x - 0x%%PFMT64x %%%ds %%%ds", (int)sizeof (perm), (int)sizeof (name));
			sscanf (str, format, &map_start, &map_end, perm, name);

the rewrite statement is

r_str_scanf (str, "0x%I64x - 0x%I64x %.s %.s", &map_start, &map_end, sizeof (perm), perm, sizeof (name), name);

Thank you!

[trufae]

see inline comments

[trufae]

r_util is included by r_core so its not necessary

[trufae]

uhm will be good to implement this [^\\n] part in r_str_scanf, or change the code to not make it depend on this.. for several reasons.

The code you should write to make this format string should be like this:

Suggested change

	r_strf_var (format, 64, "%%%ds %%%ds %%PFMT64x %%*s %%*s %%%d [^\\n]", (int)sizeof (region1[2]), (int)sizeof (perms), (int)sizeof (offset), (int)sizeof (name));
	r_strf_var (format, 64, "%%%ds %%%ds %%"PFMT64x" %%*s %%*s %%%d [^\\n]", (int)sizeof (region1[2]), (int)sizeof (perms), (int)sizeof (offset), (int)sizeof (name));

but still. scanf scansets introduce a bunch of issues

• output buffer is not size bounded (so it will cause overflows)
• not portable, not all libc implementations support this syntax
• even if portable, does not support wide strings and is affected by locales
• scanset size is not defined by the standard, and char ranges may vary depending on implementation

in other words, scanfs scansets are a bad idea because they introduce an unnecessary complexity to scanning strings.

After some thoughs and tries i end up implementing it in the new RStr.scanf() function you can find out the implementation+ test in here:

#22572

[trufae]

r_util already included by r_asm iirc

[trufae]

just use r_str_scanf. some notes here:

• no need to cast (int)sizeof, because our scanf handles size_t properly
• the 0x%PFMT64x thing is just 0x%Lx

please add tests for those strings before updating this, so we can be sure the formatting and parsing works well acrsoss all platforms, this is safer and cleaner than depending on libc

[trufae]

not necessary

[trufae]

use r_str_scanf instead of rstrvar

[trufae]

same here, use the new r_str_scanf

[Crispy-fried-chicken]

@trufae hi, I've modified it, but I don't know why it can't pass the linux-test, please tell me why so that I can fix it. Thank you!

[trufae]

the sizeof where wrong. i fixed them now. let's hope it passes the tests now. i may add more tests for the scanf thing to cover all those usecases

[Crispy-fried-chicken]

the sizeof where wrong. i fixed them now. let's hope it passes the tests now. i may add more tests for the scanf thing to cover all those usecases

thank you! but can you tell me why the sizeof should be sizeof (region1)-2 but not sizeof (region[2]) ?

[trufae]

sizeof (region[2]) is 1 byte, which is clearly not enough to store a string, the argument expects to take sizeof(region1) substracting the "0x" which are the first two bytes written in that string

[trufae]

let me jump into the linux machine and tryout your pr and see what else could be

[trufae]

we can get rid of all those no* variables if we use %*d in the arguments instead

[trufae]

i just tested your pr in local and i missed another wrong sizeof(region[2]). i have squahed the 32 commits into this separate PR and merged it under your name.

Thank you!

[Crispy-fried-chicken]

i just tested your pr in local and i missed another wrong sizeof(region[2]). i have squahed the 32 commits into this separate PR and merged it under your name.

Thank you!

Can you tell me what the pr id is ? and due to the harm this vulnerability may cause, is it necessary to apply for a CVE for this vulnerability?

[trufae]

This is the PR #22599