Fix coverity unbounded source buffer issues #989

MarcinDigitic · 2024-05-10T07:49:27Z

Fix coverity unbound buffer issues

During coverity scan, there are reported four issues
with unbounded source buffer for each usage of input arg
directly with syslog function.

Sample coverity test report for chsh.c file:

string_size_argv: argv contains strings with unknown size.
int main (int argc, char **argv)
[...]
var_assign_var: Assigning: user = argv[optind]. Both are now tainted.
user = argv[optind];
[...]
CID 5771784: (Retiring certain usernames. #1 of 1): Unbounded source buffer (STRING_SIZE)
string_size: Passing string user of unknown size to syslog.
SYSLOG ((LOG_INFO, "changed user '%s' shell to '%s'", user, loginsh));

Similar issue is reported three times more:
File: chfn.c, function: main, variable: user
File: passwd.c, function: main, variable: name
File: newgrp.c, function: main, variable: group

The proposed commit is a try to fix the reported issues
by adding a check for a valid user or group names.

lib/alloc.c

src/chfn.c

lib/defines.h

lib/alloc.c

alejandro-colomar · 2024-05-10T23:25:31Z

During coverity scan, there is reported an issue with unbounded source buffer for each usage of input arg directly with syslog function.

Please paste such a Coverity scan report in the commit message. It would be helpful when reviewing.

It encapsulates some logic that we may want to reuse elsewhere. Link: <shadow-maint#989> Signed-off-by: Alejandro Colomar <[email protected]>

src/chsh.c

It encapsulates some logic that we may want to reuse elsewhere. Link: <#989> Signed-off-by: Alejandro Colomar <[email protected]>

alejandro-colomar · 2024-05-30T10:24:36Z

Can you please rebase the branch?

Edit: I've done it myself for you.

v1b:

Rebase

$ git range-diff md/master..md/topic/coverity/fix_unbound_input_buffer shadow/master..989 
1:  a90453e6 = 1:  bb741102 Fix coverity unbound buffer issues

alejandro-colomar · 2024-05-30T10:31:30Z

Please address the issues raised.

lib/alloc.c

lib/defines.h

alejandro-colomar · 2024-06-04T17:24:44Z

I've converted your PR to draft, since it's not ready for review. Please address the comments.

src/chfn.c

src/newgrp.c

src/chfn.c

alejandro-colomar · 2024-10-13T15:44:08Z

Hi, would you mind updating the PR?

MarcinDigitic · 2024-10-14T08:30:42Z

Hi, would you mind updating the PR?

Hi @alejandro-colomar , the PR is cleaned and rebased -> it should be ready for merging.

alejandro-colomar · 2024-10-14T09:36:01Z

Does this change remove all of the coverity reports? Which of them are still present after this change?

MarcinDigitic · 2024-10-14T09:58:52Z

Does this change remove all of the coverity reports? Which of them are still present after this change?

This will not remove the coverity reports issues. To remove the coverity report errors we would need to use xstrdup as it was in my original code. However, in this case I will prepare a separate PR after merging this one.
And also, after adding the conditions as in this PR we would be safe to ignore the coverity reports issues.

alejandro-colomar · 2024-10-14T10:25:07Z

Does this change remove all of the coverity reports? Which of them are still present after this change?

This will not remove the coverity reports issues. To remove the coverity report errors we would need to use xstrdup as it was in my original code.

Then the commit message should be updated to reflect what this commit does.

MarcinDigitic · 2024-10-14T10:32:22Z

The commit message is updated.

alejandro-colomar · 2024-10-14T10:37:24Z

The proposed changes add conditions verifing size of passed arguments
for users and groups names.

I don't understand that sentence. Could you please rephrase?

MarcinDigitic · 2024-10-14T10:45:42Z

Please, check now. The main reported issue by coverity is:

1. string_size_argv: argv contains strings with unknown size.
     int main (int argc, char **argv)
    [...]
     4. var_assign_var: Assigning: user = argv[optind]. Both are now tainted.
     user = argv[optind];
    [...]
    CID 5771784: (#1 of 1): Unbounded source buffer (STRING_SIZE)
    15. string_size: Passing string user of unknown size to syslog.
     SYSLOG ((LOG_INFO, "changed user '%s' shell to '%s'", user, loginsh));

Passing string user of unknown size to syslog
The added conditions check also the string sizes of the passed arguments.

alejandro-colomar · 2024-10-14T11:48:44Z

Please, check now.

The proposed changes add conditions, which verify
the user and group names arguments, including their sizes.

You should say lengths instead of sizes. is_valid_user_name() verifies the string length (strlen(3)).

$ grepc is_valid_user_name .
./lib/chkname.h:extern bool is_valid_user_name (const char *name);
./lib/chkname.c:bool
is_valid_user_name(const char *name)
{
	if (strlen(name) >= login_name_max_size()) {
		errno = EOVERFLOW;
		return false;
	}

	return is_valid_name(name);
}

alejandro-colomar · 2024-10-14T11:50:52Z

This will not fix the coverity reports, but the change causes
that they are irrelevant and could be ignored.

The report is actually fixed, I think. What the patch doesn't do is "silence" it. Please reword. Other than that, it more or less LGTM.

MarcinDigitic · 2024-10-14T12:08:24Z

Wording is corrected.

src/chfn.c

src/chsh.c

During coverity scan, there are reported four issues with unbounded source buffer for each usage of input arg directly with syslog function. Sample coverity test report for chsh.c file: 1. string_size_argv: argv contains strings with unknown size. int main (int argc, char **argv) [...] 4. var_assign_var: Assigning: user = argv[optind]. Both are now tainted. user = argv[optind]; [...] CID 5771784: (shadow-maint#1 of 1): Unbounded source buffer (STRING_SIZE) 15. string_size: Passing string user of unknown size to syslog. SYSLOG ((LOG_INFO, "changed user '%s' shell to '%s'", user, loginsh)); Similar issue is reported three times more: File: chfn.c, function: main, variable: user File: passwd.c, function: main, variable: name File: newgrp.c, function: main, variable: group This commit is the first approach to fix the reported issues. The proposed changes add conditions, which verify the user and group names arguments, including their lengths. This will not silence the coverity reports, but the change causes that they are irrelevant and could be ignored.

alejandro-colomar

LGTM. Thanks!

alejandro-colomar reviewed May 10, 2024

View reviewed changes

lib/alloc.c Outdated Show resolved Hide resolved

alejandro-colomar reviewed May 10, 2024

View reviewed changes

lib/alloc.c Outdated Show resolved Hide resolved

alejandro-colomar reviewed May 10, 2024

View reviewed changes

src/chfn.c Outdated Show resolved Hide resolved

alejandro-colomar reviewed May 10, 2024

View reviewed changes

lib/defines.h Outdated Show resolved Hide resolved

alejandro-colomar reviewed May 10, 2024

View reviewed changes

lib/alloc.c Outdated Show resolved Hide resolved

alejandro-colomar reviewed May 10, 2024

View reviewed changes

lib/alloc.c Outdated Show resolved Hide resolved

alejandro-colomar mentioned this pull request May 10, 2024

lib/chkname.[ch]: login_name_max_size(): Add function, and add missing error handling #990

Merged

alejandro-colomar reviewed May 13, 2024

View reviewed changes

src/chsh.c Outdated Show resolved Hide resolved

ikerexxe pushed a commit that referenced this pull request May 21, 2024

lib/chkname.[ch]: login_name_max_size(): Add function

99df9d7

It encapsulates some logic that we may want to reuse elsewhere. Link: <#989> Signed-off-by: Alejandro Colomar <[email protected]>

alejandro-colomar force-pushed the topic/coverity/fix_unbound_input_buffer branch from a90453e to bb74110 Compare May 30, 2024 10:29

alejandro-colomar reviewed May 30, 2024

View reviewed changes

lib/alloc.c Outdated Show resolved Hide resolved

alejandro-colomar reviewed May 30, 2024

View reviewed changes

lib/alloc.c Outdated Show resolved Hide resolved

alejandro-colomar reviewed May 30, 2024

View reviewed changes

lib/defines.h Outdated Show resolved Hide resolved

alejandro-colomar assigned MarcinDigitic Jun 4, 2024

alejandro-colomar marked this pull request as draft June 4, 2024 17:24

MarcinDigitic force-pushed the topic/coverity/fix_unbound_input_buffer branch from bb74110 to 7b8d2f7 Compare June 25, 2024 07:05