Message ID | 20250409014633.31303-1-jiangfeng@kylinos.cn (mailing list archive) |
---|---|
State | New, archived |
Series | [v3] drm: Fix potential overflow issue in event_string array |
On 08/04/2025 22:46, jiangfeng@kylinos.cn wrote:
> From: Feng Jiang <jiangfeng@kylinos.cn>
>
> When calling scnprintf() to append recovery method to event_string,
> the second argument should be `sizeof(event_string) - len`, otherwise
> there is a potential overflow problem.
>
> Fixes: b7cf9f4ac1b8 ("drm: Introduce device wedged event")
> Signed-off-by: Feng Jiang <jiangfeng@kylinos.cn>

Reviewed-by: André Almeida <andrealmeid@igalia.com>

On Wed, Apr 09, 2025 at 09:46:33AM +0800, jiangfeng@kylinos.cn wrote:
> From: Feng Jiang <jiangfeng@kylinos.cn>
>
> When calling scnprintf() to append recovery method to event_string,
> the second argument should be `sizeof(event_string) - len`, otherwise
> there is a potential overflow problem.
>
> Fixes: b7cf9f4ac1b8 ("drm: Introduce device wedged event")
> Signed-off-by: Feng Jiang <jiangfeng@kylinos.cn>

Reviewed-by: Raag Jadav <raag.jadav@intel.com>

Thanks for the fix.

diff --git a/drivers/gpu/drm/drm_drv.c b/drivers/gpu/drm/drm_drv.c index 17fc5dc708f4..60e5ac179c15 100644 --- a/drivers/gpu/drm/drm_drv.c +++ b/drivers/gpu/drm/drm_drv.c @@ -549,7 +549,7 @@ int drm_dev_wedged_event(struct drm_device *dev, unsigned long method) if (drm_WARN_ONCE(dev, !recovery, "invalid recovery method %u\n", opt)) break; - len += scnprintf(event_string + len, sizeof(event_string), "%s,", recovery); + len += scnprintf(event_string + len, sizeof(event_string) - len, "%s,", recovery); } if (recovery)
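
Review bot: On the changed `scnprintf(event_string + len, sizeof(event_string) - len, "%s,", recovery)` line, the bound is now correct, but truncation stays silent: if the recovery names ever outgrow event_string, the loop would keep running and the event string would carry a cut-off list with no diagnostic. Consider a drm_WARN_ONCE() when len reaches `sizeof(event_string) - 1`, or a comment at the event_string declaration stating that the buffer must fit every recovery method plus separators. It is also worth a short comment that the `sizeof(event_string) - len` arithmetic depends on scnprintf() returning the number of characters actually written; with snprintf(), which returns the length that would have been written, len could pass the buffer size and the subtraction would wrap.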