diff mbox series

[RESEND,04/10] crypto: hisilicon/zip - replace 'sprintf' with 'scnprintf'

Message ID 1598238709-58699-5-git-send-email-shenyang39@huawei.com (mailing list archive)
State Changes Requested
Delegated to: Herbert Xu
Headers show
Series crypto: hisilicon/zip - misc clean up | expand

Commit Message

Yang Shen Aug. 24, 2020, 3:11 a.m. UTC 
Replace 'sprintf' with 'scnprintf' to avoid overrun.

Signed-off-by: Yang Shen <shenyang39@huawei.com>
Reviewed-by: Zhou Wang <wangzhou1@hisilicon.com>
---
 drivers/crypto/hisilicon/zip/zip_main.c | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)

Comments

David Laight Aug. 24, 2020, 8:29 a.m. UTC | #1 
From: Yang Shen
> Sent: 24 August 2020 04:12
> 
> Replace 'sprintf' with 'scnprintf' to avoid overrun.
> 
> Signed-off-by: Yang Shen <shenyang39@huawei.com>
> Reviewed-by: Zhou Wang <wangzhou1@hisilicon.com>
> ---
>  drivers/crypto/hisilicon/zip/zip_main.c | 11 +++++++----
>  1 file changed, 7 insertions(+), 4 deletions(-)
> 
> diff --git a/drivers/crypto/hisilicon/zip/zip_main.c b/drivers/crypto/hisilicon/zip/zip_main.c
> index df1a16f..1883d1b 100644
> --- a/drivers/crypto/hisilicon/zip/zip_main.c
> +++ b/drivers/crypto/hisilicon/zip/zip_main.c
> @@ -428,7 +428,7 @@ static ssize_t hisi_zip_ctrl_debug_read(struct file *filp, char __user *buf,
>  		return -EINVAL;
>  	}
>  	spin_unlock_irq(&file->lock);
> -	ret = sprintf(tbuf, "%u\n", val);
> +	ret = scnprintf(tbuf, HZIP_BUF_SIZE, "%u\n", val);

Should that be sizeof (tbuf).

>  	return simple_read_from_buffer(buf, count, pos, tbuf, ret);
>  }
> 
> @@ -514,13 +514,16 @@ static int hisi_zip_core_debug_init(struct hisi_qm *qm)
>  	struct debugfs_regset32 *regset;
>  	struct dentry *tmp_d;
>  	char buf[HZIP_BUF_SIZE];
> -	int i;
> +	int i, ret;
> 
>  	for (i = 0; i < HZIP_CORE_NUM; i++) {
>  		if (i < HZIP_COMP_CORE_NUM)
> -			sprintf(buf, "comp_core%d", i);
> +			ret = scnprintf(buf, HZIP_BUF_SIZE, "comp_core%d", i);
>  		else
> -			sprintf(buf, "decomp_core%d", i - HZIP_COMP_CORE_NUM);
> +			ret = scnprintf(buf, HZIP_BUF_SIZE, "decomp_core%d",
> +					i - HZIP_COMP_CORE_NUM);
> +		if (!ret)
> +			return -ENOMEM;

and that is just so wrong - did you even try to test
the 'buffer too small' code path?

	David

-
Registered Address Lakeside, Bramley Road, Mount Farm, Milton Keynes, MK1 1PT, UK
Registration No: 1397386 (Wales)
Yang Shen Aug. 26, 2020, 8:56 a.m. UTC | #2 
On 2020/8/24 16:29, David Laight wrote:
> From: Yang Shen
>> Sent: 24 August 2020 04:12
>>
>> Replace 'sprintf' with 'scnprintf' to avoid overrun.
>>
>> Signed-off-by: Yang Shen <shenyang39@huawei.com>
>> Reviewed-by: Zhou Wang <wangzhou1@hisilicon.com>
>> ---
>>  drivers/crypto/hisilicon/zip/zip_main.c | 11 +++++++----
>>  1 file changed, 7 insertions(+), 4 deletions(-)
>>
>> diff --git a/drivers/crypto/hisilicon/zip/zip_main.c b/drivers/crypto/hisilicon/zip/zip_main.c
>> index df1a16f..1883d1b 100644
>> --- a/drivers/crypto/hisilicon/zip/zip_main.c
>> +++ b/drivers/crypto/hisilicon/zip/zip_main.c
>> @@ -428,7 +428,7 @@ static ssize_t hisi_zip_ctrl_debug_read(struct file *filp, char __user *buf,
>>  		return -EINVAL;
>>  	}
>>  	spin_unlock_irq(&file->lock);
>> -	ret = sprintf(tbuf, "%u\n", val);
>> +	ret = scnprintf(tbuf, HZIP_BUF_SIZE, "%u\n", val);
>
> Should that be sizeof (tbuf).
>
>>  	return simple_read_from_buffer(buf, count, pos, tbuf, ret);
>>  }
>>
>> @@ -514,13 +514,16 @@ static int hisi_zip_core_debug_init(struct hisi_qm *qm)
>>  	struct debugfs_regset32 *regset;
>>  	struct dentry *tmp_d;
>>  	char buf[HZIP_BUF_SIZE];
>> -	int i;
>> +	int i, ret;
>>
>>  	for (i = 0; i < HZIP_CORE_NUM; i++) {
>>  		if (i < HZIP_COMP_CORE_NUM)
>> -			sprintf(buf, "comp_core%d", i);
>> +			ret = scnprintf(buf, HZIP_BUF_SIZE, "comp_core%d", i);
>>  		else
>> -			sprintf(buf, "decomp_core%d", i - HZIP_COMP_CORE_NUM);
>> +			ret = scnprintf(buf, HZIP_BUF_SIZE, "decomp_core%d",
>> +					i - HZIP_COMP_CORE_NUM);
>> +		if (!ret)
>> +			return -ENOMEM;
>
> and that is just so wrong - did you even try to test
> the 'buffer too small' code path?
>
> 	David
>

Do you means the check is unnecessary?

Yang
> -
> Registered Address Lakeside, Bramley Road, Mount Farm, Milton Keynes, MK1 1PT, UK
> Registration No: 1397386 (Wales)
>
>
> .
>
Herbert Xu Sept. 4, 2020, 7:40 a.m. UTC | #3 
On Wed, Aug 26, 2020 at 04:56:40PM +0800, shenyang (M) wrote:
>
> > > @@ -514,13 +514,16 @@ static int hisi_zip_core_debug_init(struct hisi_qm *qm)
> > >  	struct debugfs_regset32 *regset;
> > >  	struct dentry *tmp_d;
> > >  	char buf[HZIP_BUF_SIZE];
> > > -	int i;
> > > +	int i, ret;
> > > 
> > >  	for (i = 0; i < HZIP_CORE_NUM; i++) {
> > >  		if (i < HZIP_COMP_CORE_NUM)
> > > -			sprintf(buf, "comp_core%d", i);
> > > +			ret = scnprintf(buf, HZIP_BUF_SIZE, "comp_core%d", i);
> > >  		else
> > > -			sprintf(buf, "decomp_core%d", i - HZIP_COMP_CORE_NUM);
> > > +			ret = scnprintf(buf, HZIP_BUF_SIZE, "decomp_core%d",
> > > +					i - HZIP_COMP_CORE_NUM);
> > > +		if (!ret)
> > > +			return -ENOMEM;
> > 
> > and that is just so wrong - did you even try to test
> > the 'buffer too small' code path?
> 
> Do you means the check is unnecessary?

No he's saying that your patch does the wrong thing when the string
is truncated.

Also ENOMEM is a strange error for that case.

Cheers,
Yang Shen Sept. 4, 2020, 8:43 a.m. UTC | #4 
On 2020/9/4 15:40, Herbert Xu wrote:
> On Wed, Aug 26, 2020 at 04:56:40PM +0800, shenyang (M) wrote:
>>
>>>> @@ -514,13 +514,16 @@ static int hisi_zip_core_debug_init(struct hisi_qm *qm)
>>>>  	struct debugfs_regset32 *regset;
>>>>  	struct dentry *tmp_d;
>>>>  	char buf[HZIP_BUF_SIZE];
>>>> -	int i;
>>>> +	int i, ret;
>>>>
>>>>  	for (i = 0; i < HZIP_CORE_NUM; i++) {
>>>>  		if (i < HZIP_COMP_CORE_NUM)
>>>> -			sprintf(buf, "comp_core%d", i);
>>>> +			ret = scnprintf(buf, HZIP_BUF_SIZE, "comp_core%d", i);
>>>>  		else
>>>> -			sprintf(buf, "decomp_core%d", i - HZIP_COMP_CORE_NUM);
>>>> +			ret = scnprintf(buf, HZIP_BUF_SIZE, "decomp_core%d",
>>>> +					i - HZIP_COMP_CORE_NUM);
>>>> +		if (!ret)
>>>> +			return -ENOMEM;
>>>
>>> and that is just so wrong - did you even try to test
>>> the 'buffer too small' code path?
>>
>> Do you means the check is unnecessary?
>
> No he's saying that your patch does the wrong thing when the string
> is truncated.
>
> Also ENOMEM is a strange error for that case.
>
> Cheers,
>

Here 'HZIP_BUF_SIZE' is 22, so the buf is enough for the string.

The check for the return is really unnecessary, I will remove it in the
next version.

Thanks,
Yang
diff mbox series

Patch

diff --git a/drivers/crypto/hisilicon/zip/zip_main.c b/drivers/crypto/hisilicon/zip/zip_main.c
index df1a16f..1883d1b 100644
--- a/drivers/crypto/hisilicon/zip/zip_main.c
+++ b/drivers/crypto/hisilicon/zip/zip_main.c
@@ -428,7 +428,7 @@  static ssize_t hisi_zip_ctrl_debug_read(struct file *filp, char __user *buf,
 		return -EINVAL;
 	}
 	spin_unlock_irq(&file->lock);
-	ret = sprintf(tbuf, "%u\n", val);
+	ret = scnprintf(tbuf, HZIP_BUF_SIZE, "%u\n", val);
 	return simple_read_from_buffer(buf, count, pos, tbuf, ret);
 }
 
@@ -514,13 +514,16 @@  static int hisi_zip_core_debug_init(struct hisi_qm *qm)
 	struct debugfs_regset32 *regset;
 	struct dentry *tmp_d;
 	char buf[HZIP_BUF_SIZE];
-	int i;
+	int i, ret;
 
 	for (i = 0; i < HZIP_CORE_NUM; i++) {
 		if (i < HZIP_COMP_CORE_NUM)
-			sprintf(buf, "comp_core%d", i);
+			ret = scnprintf(buf, HZIP_BUF_SIZE, "comp_core%d", i);
 		else
-			sprintf(buf, "decomp_core%d", i - HZIP_COMP_CORE_NUM);
+			ret = scnprintf(buf, HZIP_BUF_SIZE, "decomp_core%d",
+					i - HZIP_COMP_CORE_NUM);
+		if (!ret)
+			return -ENOMEM;
 
 		regset = devm_kzalloc(dev, sizeof(*regset), GFP_KERNEL);
 		if (!regset)