Message ID | 20200311073540.7108-1-tiwai@suse.de (mailing list archive) |
---|---|
State | New, archived |
Series | drm: sysfs: Use scnprintf() for avoiding potential buffer overflow |
Hi Takashi

On 11.03.20 at 08:35, Takashi Iwai wrote:
> Since snprintf() returns the would-be-output size instead of the > actual output size, the succeeding calls may go beyond the given > buffer limit. Fix it by replacing with scnprintf(). > > Signed-off-by: Takashi Iwai <tiwai@suse.de> > --- > drivers/gpu/drm/drm_sysfs.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/drivers/gpu/drm/drm_sysfs.c b/drivers/gpu/drm/drm_sysfs.c > index dd2bc85f43cc..9b3180e8c12f 100644 > --- a/drivers/gpu/drm/drm_sysfs.c > +++ b/drivers/gpu/drm/drm_sysfs.c > @@ -230,7 +230,7 @@ static ssize_t modes_show(struct device *device, > > mutex_lock(&connector->dev->mode_config.mutex); > list_for_each_entry(mode, &connector->modes, head) { > - written += snprintf(buf + written, PAGE_SIZE - written, "%s\n", > + written += scnprintf(buf + written, PAGE_SIZE - written, "%s\n", > mode->name); > } > mutex_unlock(&connector->dev->mode_config.mutex); >

In drm_sysfs.c, there are more _show functions with calls to snprintf() that could be replaced by scnprintf(). ATM they don't return the correct length for output that exceeds PAGE_SIZE. Since you're at it, you may replace them as well.

But in any case

Reviewed-by: Thomas Zimmermann <tzimmermann@suse.de>

for this patch.

Do you want me to merge the patch into drm-misc-next?

Best regards
Thomas
On Wed, 11 Mar 2020 09:10:56 +0100, Thomas Zimmermann wrote:
> > Hi Takashi > > On 11.03.20 at 08:35, Takashi Iwai wrote: > > Since snprintf() returns the would-be-output size instead of the > > actual output size, the succeeding calls may go beyond the given > > buffer limit. Fix it by replacing with scnprintf(). > > > > Signed-off-by: Takashi Iwai <tiwai@suse.de> > > --- > > drivers/gpu/drm/drm_sysfs.c | 2 +- > > 1 file changed, 1 insertion(+), 1 deletion(-) > > > > diff --git a/drivers/gpu/drm/drm_sysfs.c b/drivers/gpu/drm/drm_sysfs.c > > index dd2bc85f43cc..9b3180e8c12f 100644 > > --- a/drivers/gpu/drm/drm_sysfs.c > > +++ b/drivers/gpu/drm/drm_sysfs.c > > @@ -230,7 +230,7 @@ static ssize_t modes_show(struct device *device, > > > > mutex_lock(&connector->dev->mode_config.mutex); > > list_for_each_entry(mode, &connector->modes, head) { > > - written += snprintf(buf + written, PAGE_SIZE - written, "%s\n", > > + written += scnprintf(buf + written, PAGE_SIZE - written, "%s\n", > > mode->name); > > } > > mutex_unlock(&connector->dev->mode_config.mutex); > > > > In drm_sysfs.c, there are more _show functions with calls to snprintf() > that could be replaced by scnprintf(). ATM they don't return the correct > length for output that exceeds PAGE_SIZE. Since you're at it, you may > replace them as well.

Well, the rest of the snprintf() calls are single calls and can't be over PAGE_SIZE obviously. IOW, they could be rather replaced with sprintf() instead, for the sake of simplicity.

> But in any case > > Reviewed-by: Thomas Zimmermann <tzimmermann@suse.de> > > for this patch. > > Do you want me to merge the patch into drm-misc-next?

Yes, please.

thanks,

Takashi
Hi

On 11.03.20 at 09:24, Takashi Iwai wrote:
> On Wed, 11 Mar 2020 09:10:56 +0100, > Thomas Zimmermann wrote: >> >> Hi Takashi >> >> On 11.03.20 at 08:35, Takashi Iwai wrote: >>> Since snprintf() returns the would-be-output size instead of the >>> actual output size, the succeeding calls may go beyond the given >>> buffer limit. Fix it by replacing with scnprintf(). >>> >>> Signed-off-by: Takashi Iwai <tiwai@suse.de> >>> --- >>> drivers/gpu/drm/drm_sysfs.c | 2 +- >>> 1 file changed, 1 insertion(+), 1 deletion(-) >>> >>> diff --git a/drivers/gpu/drm/drm_sysfs.c b/drivers/gpu/drm/drm_sysfs.c >>> index dd2bc85f43cc..9b3180e8c12f 100644 >>> --- a/drivers/gpu/drm/drm_sysfs.c >>> +++ b/drivers/gpu/drm/drm_sysfs.c >>> @@ -230,7 +230,7 @@ static ssize_t modes_show(struct device *device, >>> >>> mutex_lock(&connector->dev->mode_config.mutex); >>> list_for_each_entry(mode, &connector->modes, head) { >>> - written += snprintf(buf + written, PAGE_SIZE - written, "%s\n", >>> + written += scnprintf(buf + written, PAGE_SIZE - written, "%s\n", >>> mode->name); >>> } >>> mutex_unlock(&connector->dev->mode_config.mutex); >>> >> >> In drm_sysfs.c, there are more _show functions with calls to snprintf() >> that could be replaced by scnprintf(). ATM they don't return the correct >> length for output that exceeds PAGE_SIZE. Since you're at it, you may >> replace them as well. > > Well, the rest of the snprintf() calls are single calls and can't be over > PAGE_SIZE obviously. IOW, they could be rather replaced with > sprintf() instead, for the sake of simplicity.

Admittedly, none of these strings look as if they ever go beyond PAGE_SIZE, but scnprintf() is still a simple way of defensive programming here (and returns the correct value).

> >> But in any case >> >> Reviewed-by: Thomas Zimmermann <tzimmermann@suse.de> >> >> for this patch. >> >> Do you want me to merge the patch into drm-misc-next? > > Yes, please.

OK, will do later today.

Best regards
Thomas

> > > thanks, > > Takashi >
On 11.03.20 at 09:24, Takashi Iwai wrote:
> On Wed, 11 Mar 2020 09:10:56 +0100, > Thomas Zimmermann wrote: >> >> Hi Takashi >> >> On 11.03.20 at 08:35, Takashi Iwai wrote: >>> Since snprintf() returns the would-be-output size instead of the >>> actual output size, the succeeding calls may go beyond the given >>> buffer limit. Fix it by replacing with scnprintf(). >>> >>> Signed-off-by: Takashi Iwai <tiwai@suse.de> >>> --- >>> drivers/gpu/drm/drm_sysfs.c | 2 +- >>> 1 file changed, 1 insertion(+), 1 deletion(-) >>> >>> diff --git a/drivers/gpu/drm/drm_sysfs.c b/drivers/gpu/drm/drm_sysfs.c >>> index dd2bc85f43cc..9b3180e8c12f 100644 >>> --- a/drivers/gpu/drm/drm_sysfs.c >>> +++ b/drivers/gpu/drm/drm_sysfs.c >>> @@ -230,7 +230,7 @@ static ssize_t modes_show(struct device *device, >>> >>> mutex_lock(&connector->dev->mode_config.mutex); >>> list_for_each_entry(mode, &connector->modes, head) { >>> - written += snprintf(buf + written, PAGE_SIZE - written, "%s\n", >>> + written += scnprintf(buf + written, PAGE_SIZE - written, "%s\n", >>> mode->name); >>> } >>> mutex_unlock(&connector->dev->mode_config.mutex); >>> >> >> In drm_sysfs.c, there are more _show functions with calls to snprintf() >> that could be replaced by scnprintf(). ATM they don't return the correct >> length for output that exceeds PAGE_SIZE. Since you're at it, you may >> replace them as well. > > Well, the rest of the snprintf() calls are single calls and can't be over > PAGE_SIZE obviously. IOW, they could be rather replaced with > sprintf() instead, for the sake of simplicity. > >> But in any case >> >> Reviewed-by: Thomas Zimmermann <tzimmermann@suse.de> >> >> for this patch. >> >> Do you want me to merge the patch into drm-misc-next? > > Yes, please.

https://cgit.freedesktop.org/drm/drm-misc/commit/?id=9b9f2219b2c4fa3d1a41245cdc263d09a4c9ad92

Best regards
Thomas

> > > thanks, > > Takashi >
diff --git a/drivers/gpu/drm/drm_sysfs.c b/drivers/gpu/drm/drm_sysfs.c index dd2bc85f43cc..9b3180e8c12f 100644 --- a/drivers/gpu/drm/drm_sysfs.c +++ b/drivers/gpu/drm/drm_sysfs.c @@ -230,7 +230,7 @@ static ssize_t modes_show(struct device *device, mutex_lock(&connector->dev->mode_config.mutex); list_for_each_entry(mode, &connector->modes, head) { - written += snprintf(buf + written, PAGE_SIZE - written, "%s\n", + written += scnprintf(buf + written, PAGE_SIZE - written, "%s\n", mode->name); } mutex_unlock(&connector->dev->mode_config.mutex);
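Review bot: In the list_for_each_entry() loop, once buf is full every further scnprintf() call adds 0, so the loop still walks the rest of connector->modes with the mutex held, and the last name stored can be cut mid-string without its trailing newline. Consider breaking out of the loop when written reaches PAGE_SIZE - 1, and state in the commit message that output beyond one page is now silently truncated, since the returned length no longer indicates it.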
Since snprintf() returns the would-be-output size instead of the actual output size, the succeeding calls may go beyond the given buffer limit. Fix it by replacing with scnprintf().

Signed-off-by: Takashi Iwai <tiwai@suse.de>
---
drivers/gpu/drm/drm_sysfs.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
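The return-value difference the commit message describes, shown as an added userspace example that is not part of the original patch or thread. demo_scnprintf(), accumulate() and the mode names are constructed stand-ins, and the early break is a demo-only guard that keeps the snprintf() case from calling again with a wrapped size.

```c
#include <stdarg.h>
#include <stdio.h>

/* Userspace stand-in (assumption) for the kernel's scnprintf(): returns the
 * number of characters actually stored, excluding the NUL. */
static int demo_scnprintf(char *buf, size_t size, const char *fmt, ...)
{
    va_list ap;
    int n;

    if (size == 0)
        return 0;
    va_start(ap, fmt);
    n = vsnprintf(buf, size, fmt, ap);
    va_end(ap);
    if (n < 0)
        return 0;
    return (size_t)n < size ? n : (int)(size - 1);
}

/* Constructed sample data: each name plus '\n' needs 10 bytes. */
static const char *const demo_modes[] = { "1920x1080", "1280x1024", "1024x768i" };

/* Same accumulation pattern as the loop in the patch. Returns the final offset. */
static size_t accumulate(char *buf, size_t size, int use_scn)
{
    size_t written = 0, i;

    for (i = 0; i < sizeof(demo_modes) / sizeof(demo_modes[0]); i++) {
        /* Demo-only guard: once the offset passes the buffer, size - written
         * would wrap around as a size_t, so stop before calling again. */
        if (written >= size)
            break;
        if (use_scn)
            written += demo_scnprintf(buf + written, size - written,
                                      "%s\n", demo_modes[i]);
        else
            written += snprintf(buf + written, size - written,
                                "%s\n", demo_modes[i]);
    }
    return written;
}

int main(void)
{
    char buf[16];
    printf("snprintf offset:  %zu of %zu\n", accumulate(buf, sizeof(buf), 0), sizeof(buf));
    printf("scnprintf offset: %zu of %zu\n", accumulate(buf, sizeof(buf), 1), sizeof(buf));
    return 0;
}
```

With a 16-byte buffer the snprintf() variant ends at offset 20, past the end of the buffer, while the scnprintf() variant stops at 15 and leaves the string NUL-terminated.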