diff options
author | Kelvin M. Klann <kmk3.code@protonmail.com> | 2024-02-04 23:23:58 +0000 |
---|---|---|
committer | GitHub <noreply@github.com> | 2024-02-04 23:23:58 +0000 |
commit | db3146b501a484bf37ef23278480f4c028cfb8d7 (patch) | |
tree | de1b5963ee081e37a033960859e4499f3ad914df | |
parent | ci: add timeout limits (#6178) (diff) | |
download | firejail-db3146b501a484bf37ef23278480f4c028cfb8d7.tar.gz firejail-db3146b501a484bf37ef23278480f4c028cfb8d7.tar.zst firejail-db3146b501a484bf37ef23278480f4c028cfb8d7.zip |
security: fix sscanf rv checks (CodeQL) (#6184)
Fix the following CodeQL warning (CWE-253)[1]:
> Rule ID: cpp/incorrectly-checked-scanf
> The result of scanf is only checked against 0, but it can also return
> EOF.
> Functions in the scanf family return either EOF (a negative value) in
> case of IO failure, or the number of items successfully read from the
> input. Consequently, a simple check that the return value is nonzero
> is not enough.
>
> Recommendation
>
> Ensure that all uses of scanf check the return value against the
> expected number of arguments rather than just against zero.
Note: The affected code portions attempt to read values from /etc/passwd
and /etc/group, so invalid input seems unlikely to be the case. Either
way, the changes make the checks in question more consistent with
similar sscanf return value checks in the rest of the code.
Added on commit 4f003daec ("prevent leaking user information by
modifying /home directory, /etc/passwd and /etc/group", 2015-11-19).
[1] https://github.com/netblue30/firejail/security/code-scanning/32
-rw-r--r-- | src/firejail/restrict_users.c | 8 |
1 files changed, 4 insertions, 4 deletions
diff --git a/src/firejail/restrict_users.c b/src/firejail/restrict_users.c index 741e908ed..e258f6204 100644 --- a/src/firejail/restrict_users.c +++ b/src/firejail/restrict_users.c | |||
@@ -210,9 +210,9 @@ static void sanitize_passwd(void) { | |||
210 | goto errout; | 210 | goto errout; |
211 | 211 | ||
212 | // process uid | 212 | // process uid |
213 | int uid; | 213 | int uid = -1; |
214 | int rv = sscanf(ptr, "%d:", &uid); | 214 | int rv = sscanf(ptr, "%d:", &uid); |
215 | if (rv == 0 || uid < 0) | 215 | if (rv != 1 || uid < 0) |
216 | goto errout; | 216 | goto errout; |
217 | assert(uid_min); | 217 | assert(uid_min); |
218 | if (uid < uid_min || uid == 65534) { // on Debian platforms user nobody is 65534 | 218 | if (uid < uid_min || uid == 65534) { // on Debian platforms user nobody is 65534 |
@@ -349,9 +349,9 @@ static void sanitize_group(void) { | |||
349 | goto errout; | 349 | goto errout; |
350 | 350 | ||
351 | // process uid | 351 | // process uid |
352 | int gid; | 352 | int gid = -1; |
353 | int rv = sscanf(ptr, "%d:", &gid); | 353 | int rv = sscanf(ptr, "%d:", &gid); |
354 | if (rv == 0 || gid < 0) | 354 | if (rv != 1 || gid < 0) |
355 | goto errout; | 355 | goto errout; |
356 | assert(gid_min); | 356 | assert(gid_min); |
357 | if (gid < gid_min || gid == 65534) { // on Debian platforms 65534 is group nogroup | 357 | if (gid < gid_min || gid == 65534) { // on Debian platforms 65534 is group nogroup |