[patch] virtio_console: use snprintf() for safety

[patch] virtio_console: use snprintf() for safety

[Dan Carpenter]

My static checker complains that this sprintf() can overflow.

vdev->index is selected by ida_simple_get() in register_virtio_device()
so my reading of the code is that this overflow is theoretically
possible.  The max value of "id" is configurable and I'm not sure what
typical values are.

Anyway, it's simple enough to make the buffer larger and I changed it to
snprintf() as well.

Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>

diff --git a/drivers/char/virtio_console.c b/drivers/char/virtio_console.c
index 50754d20..8283989 100644
--- a/drivers/char/virtio_console.c
+++ b/drivers/char/virtio_console.c
@@ -1389,7 +1389,7 @@ static void send_sigio_to_port(struct port *port)
 
 static int add_port(struct ports_device *portdev, u32 id)
 {
-	char debugfs_name[16];
+	char debugfs_name[28];
 	struct port *port;
 	struct port_buffer *buf;
 	dev_t devt;
@@ -1492,8 +1492,8 @@ static int add_port(struct ports_device *portdev, u32 id)
 		 * Finally, create the debugfs file that we can use to
 		 * inspect a port's state at any time
 		 */
-		sprintf(debugfs_name, "vport%up%u",
-			port->portdev->vdev->index, id);
+		snprintf(debugfs_name, sizeof(debugfs_name), "vport%up%u",
+			 port->portdev->vdev->index, id);
 		port->debugfs_file = debugfs_create_file(debugfs_name, 0444,
 							 pdrvdata.debugfs_dir,
 							 port,

Re: [patch] virtio_console: use snprintf() for safety

[Amit Shah]

On (Fri) 08 May 2015 [09:19:02], Dan Carpenter wrote:
> My static checker complains that this sprintf() can overflow.
> 
> vdev->index is selected by ida_simple_get() in register_virtio_device()
> so my reading of the code is that this overflow is theoretically
> possible.  The max value of "id" is configurable and I'm not sure what
> typical values are.

vdev->index is per-device, and starts with 0 for the first attached
virtio-serial-pci device.  So to overflow, a lot of devices have to be
attached, which isn't possible with current qemu.  16 bytes was
already overkill..

> Anyway, it's simple enough to make the buffer larger and I changed it to
> snprintf() as well.

Any reason to choose 28?  I think 16 is enough.

The snprintf change is fine, though.


		Amit

Re: [patch] virtio_console: use snprintf() for safety

[Amit Shah]

On (Fri) 08 May 2015 [09:19:02], Dan Carpenter wrote:
> My static checker complains that this sprintf() can overflow.
> 
> vdev->index is selected by ida_simple_get() in register_virtio_device()
> so my reading of the code is that this overflow is theoretically
> possible.  The max value of "id" is configurable and I'm not sure what
> typical values are.

vdev->index is per-device, and starts with 0 for the first attached
virtio-serial-pci device.  So to overflow, a lot of devices have to be
attached, which isn't possible with current qemu.  16 bytes was
already overkill..

> Anyway, it's simple enough to make the buffer larger and I changed it to
> snprintf() as well.

Any reason to choose 28?  I think 16 is enough.

The snprintf change is fine, though.


		Amit

[patch v2] virtio_console: silence a static checker warning

[Dan Carpenter]

My static checker complains that this sprintf() can overflow but really
it can't.  Just silence the warning by using snprintf().

Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
---
v2: the overflow is not possible so just leave the buffer size alone and
    silence the warning with snprintf().

diff --git a/drivers/char/virtio_console.c b/drivers/char/virtio_console.c
index 50754d20..8283989 100644
--- a/drivers/char/virtio_console.c
+++ b/drivers/char/virtio_console.c
@@ -1492,8 +1492,8 @@ static int add_port(struct ports_device *portdev, u32 id)
 		 * Finally, create the debugfs file that we can use to
 		 * inspect a port's state at any time
 		 */
-		sprintf(debugfs_name, "vport%up%u",
-			port->portdev->vdev->index, id);
+		snprintf(debugfs_name, sizeof(debugfs_name), "vport%up%u",
+			 port->portdev->vdev->index, id);
 		port->debugfs_file = debugfs_create_file(debugfs_name, 0444,
 							 pdrvdata.debugfs_dir,
 							 port,
--
To unsubscribe from this list: send the line "unsubscribe kernel-janitors" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

[patch v2] virtio_console: silence a static checker warning

[Dan Carpenter]

My static checker complains that this sprintf() can overflow but really
it can't.  Just silence the warning by using snprintf().

Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
---
v2: the overflow is not possible so just leave the buffer size alone and
    silence the warning with snprintf().

diff --git a/drivers/char/virtio_console.c b/drivers/char/virtio_console.c
index 50754d20..8283989 100644
--- a/drivers/char/virtio_console.c
+++ b/drivers/char/virtio_console.c
@@ -1492,8 +1492,8 @@ static int add_port(struct ports_device *portdev, u32 id)
 		 * Finally, create the debugfs file that we can use to
 		 * inspect a port's state at any time
 		 */
-		sprintf(debugfs_name, "vport%up%u",
-			port->portdev->vdev->index, id);
+		snprintf(debugfs_name, sizeof(debugfs_name), "vport%up%u",
+			 port->portdev->vdev->index, id);
 		port->debugfs_file = debugfs_create_file(debugfs_name, 0444,
 							 pdrvdata.debugfs_dir,
 							 port,

Re: [patch v2] virtio_console: silence a static checker warning

[Amit Shah]

On (Fri) 08 May 2015 [12:16:25], Dan Carpenter wrote:
> My static checker complains that this sprintf() can overflow but really
> it can't.  Just silence the warning by using snprintf().

Reviewed-by: Amit Shah <amit.shah@redhat.com>

Thanks!


		Amit

Re: [patch v2] virtio_console: silence a static checker warning

[walter harms]

Am 08.05.2015 11:16, schrieb Dan Carpenter:
> My static checker complains that this sprintf() can overflow but really
> it can't.  Just silence the warning by using snprintf().
> 
> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
> ---
> v2: the overflow is not possible so just leave the buffer size alone and
>     silence the warning with snprintf().
> 
> diff --git a/drivers/char/virtio_console.c b/drivers/char/virtio_console.c
> index 50754d20..8283989 100644
> --- a/drivers/char/virtio_console.c
> +++ b/drivers/char/virtio_console.c
> @@ -1492,8 +1492,8 @@ static int add_port(struct ports_device *portdev, u32 id)
>  		 * Finally, create the debugfs file that we can use to
>  		 * inspect a port's state at any time
>  		 */
> -		sprintf(debugfs_name, "vport%up%u",
> -			port->portdev->vdev->index, id);
> +		snprintf(debugfs_name, sizeof(debugfs_name), "vport%up%u",
> +			 port->portdev->vdev->index, id);


would it help to use %03u (or so) to make it more obvious ?

Note: i prefer a leading 0 in my programms to make it more easy
to work with grep and friends. you may thing otherwise.


re,
 wh

>  		port->debugfs_file = debugfs_create_file(debugfs_name, 0444,
>  							 pdrvdata.debugfs_dir,
>  							 port,
> --
> To unsubscribe from this list: send the line "unsubscribe kernel-janitors" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
> --
> To unsubscribe from this list: send the line "unsubscribe kernel-janitors" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
> 

Re: [patch v2] virtio_console: silence a static checker warning

[walter harms]

Am 08.05.2015 11:16, schrieb Dan Carpenter:
> My static checker complains that this sprintf() can overflow but really
> it can't.  Just silence the warning by using snprintf().
> 
> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
> ---
> v2: the overflow is not possible so just leave the buffer size alone and
>     silence the warning with snprintf().
> 
> diff --git a/drivers/char/virtio_console.c b/drivers/char/virtio_console.c
> index 50754d20..8283989 100644
> --- a/drivers/char/virtio_console.c
> +++ b/drivers/char/virtio_console.c
> @@ -1492,8 +1492,8 @@ static int add_port(struct ports_device *portdev, u32 id)
>  		 * Finally, create the debugfs file that we can use to
>  		 * inspect a port's state at any time
>  		 */
> -		sprintf(debugfs_name, "vport%up%u",
> -			port->portdev->vdev->index, id);
> +		snprintf(debugfs_name, sizeof(debugfs_name), "vport%up%u",
> +			 port->portdev->vdev->index, id);


would it help to use %03u (or so) to make it more obvious ?

Note: i prefer a leading 0 in my programms to make it more easy
to work with grep and friends. you may thing otherwise.


re,
 wh

>  		port->debugfs_file = debugfs_create_file(debugfs_name, 0444,
>  							 pdrvdata.debugfs_dir,
>  							 port,
> --
> To unsubscribe from this list: send the line "unsubscribe kernel-janitors" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
> --
> To unsubscribe from this list: send the line "unsubscribe kernel-janitors" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
> 

Re: [patch v2] virtio_console: silence a static checker warning

[Amit Shah]

On (Fri) 08 May 2015 [12:16:25], Dan Carpenter wrote:
> My static checker complains that this sprintf() can overflow but really
> it can't.  Just silence the warning by using snprintf().

Reviewed-by: Amit Shah <amit.shah@redhat.com>

Thanks!


		Amit

Re: [patch v2] virtio_console: silence a static checker warning

[Dan Carpenter]

On Fri, May 08, 2015 at 11:30:09AM +0200, walter harms wrote:
> 
> 
> Am 08.05.2015 11:16, schrieb Dan Carpenter:
> > My static checker complains that this sprintf() can overflow but really
> > it can't.  Just silence the warning by using snprintf().
> > 
> > Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
> > ---
> > v2: the overflow is not possible so just leave the buffer size alone and
> >     silence the warning with snprintf().
> > 
> > diff --git a/drivers/char/virtio_console.c b/drivers/char/virtio_console.c
> > index 50754d20..8283989 100644
> > --- a/drivers/char/virtio_console.c
> > +++ b/drivers/char/virtio_console.c
> > @@ -1492,8 +1492,8 @@ static int add_port(struct ports_device *portdev, u32 id)
> >  		 * Finally, create the debugfs file that we can use to
> >  		 * inspect a port's state at any time
> >  		 */
> > -		sprintf(debugfs_name, "vport%up%u",
> > -			port->portdev->vdev->index, id);
> > +		snprintf(debugfs_name, sizeof(debugfs_name), "vport%up%u",
> > +			 port->portdev->vdev->index, id);
> 
> 
> would it help to use %03u (or so) to make it more obvious ?
> 
> Note: i prefer a leading 0 in my programms to make it more easy
> to work with grep and friends. you may thing otherwise.

That's an user API change so it's probably a bad idea.

regards,
dan carpenter

Re: [patch v2] virtio_console: silence a static checker warning

[Dan Carpenter]

On Fri, May 08, 2015 at 11:30:09AM +0200, walter harms wrote:
> 
> 
> Am 08.05.2015 11:16, schrieb Dan Carpenter:
> > My static checker complains that this sprintf() can overflow but really
> > it can't.  Just silence the warning by using snprintf().
> > 
> > Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
> > ---
> > v2: the overflow is not possible so just leave the buffer size alone and
> >     silence the warning with snprintf().
> > 
> > diff --git a/drivers/char/virtio_console.c b/drivers/char/virtio_console.c
> > index 50754d20..8283989 100644
> > --- a/drivers/char/virtio_console.c
> > +++ b/drivers/char/virtio_console.c
> > @@ -1492,8 +1492,8 @@ static int add_port(struct ports_device *portdev, u32 id)
> >  		 * Finally, create the debugfs file that we can use to
> >  		 * inspect a port's state at any time
> >  		 */
> > -		sprintf(debugfs_name, "vport%up%u",
> > -			port->portdev->vdev->index, id);
> > +		snprintf(debugfs_name, sizeof(debugfs_name), "vport%up%u",
> > +			 port->portdev->vdev->index, id);
> 
> 
> would it help to use %03u (or so) to make it more obvious ?
> 
> Note: i prefer a leading 0 in my programms to make it more easy
> to work with grep and friends. you may thing otherwise.

That's an user API change so it's probably a bad idea.

regards,
dan carpenter

Re: [patch v2] virtio_console: silence a static checker warning

[Amit Shah]

On (Fri) 08 May 2015 [11:30:09], walter harms wrote:
> 
> 
> Am 08.05.2015 11:16, schrieb Dan Carpenter:
> > My static checker complains that this sprintf() can overflow but really
> > it can't.  Just silence the warning by using snprintf().
> > 
> > Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
> > ---
> > v2: the overflow is not possible so just leave the buffer size alone and
> >     silence the warning with snprintf().
> > 
> > diff --git a/drivers/char/virtio_console.c b/drivers/char/virtio_console.c
> > index 50754d20..8283989 100644
> > --- a/drivers/char/virtio_console.c
> > +++ b/drivers/char/virtio_console.c
> > @@ -1492,8 +1492,8 @@ static int add_port(struct ports_device *portdev, u32 id)
> >  		 * Finally, create the debugfs file that we can use to
> >  		 * inspect a port's state at any time
> >  		 */
> > -		sprintf(debugfs_name, "vport%up%u",
> > -			port->portdev->vdev->index, id);
> > +		snprintf(debugfs_name, sizeof(debugfs_name), "vport%up%u",
> > +			 port->portdev->vdev->index, id);
> 
> 
> would it help to use %03u (or so) to make it more obvious ?
> 
> Note: i prefer a leading 0 in my programms to make it more easy
> to work with grep and friends. you may thing otherwise.

Well we've been exposing names like /dev/vport0p0, /dev/vport2p15,
etc., and there might be scripts relying on such names, so that's one
argument against it.

However we do have pretty names that map to these ports via udev
rules, but not sure if we should change the name just to prepend 0s.

		Amit

Re: [patch v2] virtio_console: silence a static checker warning

[Amit Shah]

On (Fri) 08 May 2015 [11:30:09], walter harms wrote:
> 
> 
> Am 08.05.2015 11:16, schrieb Dan Carpenter:
> > My static checker complains that this sprintf() can overflow but really
> > it can't.  Just silence the warning by using snprintf().
> > 
> > Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
> > ---
> > v2: the overflow is not possible so just leave the buffer size alone and
> >     silence the warning with snprintf().
> > 
> > diff --git a/drivers/char/virtio_console.c b/drivers/char/virtio_console.c
> > index 50754d20..8283989 100644
> > --- a/drivers/char/virtio_console.c
> > +++ b/drivers/char/virtio_console.c
> > @@ -1492,8 +1492,8 @@ static int add_port(struct ports_device *portdev, u32 id)
> >  		 * Finally, create the debugfs file that we can use to
> >  		 * inspect a port's state at any time
> >  		 */
> > -		sprintf(debugfs_name, "vport%up%u",
> > -			port->portdev->vdev->index, id);
> > +		snprintf(debugfs_name, sizeof(debugfs_name), "vport%up%u",
> > +			 port->portdev->vdev->index, id);
> 
> 
> would it help to use %03u (or so) to make it more obvious ?
> 
> Note: i prefer a leading 0 in my programms to make it more easy
> to work with grep and friends. you may thing otherwise.

Well we've been exposing names like /dev/vport0p0, /dev/vport2p15,
etc., and there might be scripts relying on such names, so that's one
argument against it.

However we do have pretty names that map to these ports via udev
rules, but not sure if we should change the name just to prepend 0s.

		Amit

Re: [patch v2] virtio_console: silence a static checker warning

[walter harms]

Am 08.05.2015 11:56, schrieb Amit Shah:
> On (Fri) 08 May 2015 [11:30:09], walter harms wrote:
>>
>>
>> Am 08.05.2015 11:16, schrieb Dan Carpenter:
>>> My static checker complains that this sprintf() can overflow but really
>>> it can't.  Just silence the warning by using snprintf().
>>>
>>> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
>>> ---
>>> v2: the overflow is not possible so just leave the buffer size alone and
>>>     silence the warning with snprintf().
>>>
>>> diff --git a/drivers/char/virtio_console.c b/drivers/char/virtio_console.c
>>> index 50754d20..8283989 100644
>>> --- a/drivers/char/virtio_console.c
>>> +++ b/drivers/char/virtio_console.c
>>> @@ -1492,8 +1492,8 @@ static int add_port(struct ports_device *portdev, u32 id)
>>>  		 * Finally, create the debugfs file that we can use to
>>>  		 * inspect a port's state at any time
>>>  		 */
>>> -		sprintf(debugfs_name, "vport%up%u",
>>> -			port->portdev->vdev->index, id);
>>> +		snprintf(debugfs_name, sizeof(debugfs_name), "vport%up%u",
>>> +			 port->portdev->vdev->index, id);
>>
>>
>> would it help to use %03u (or so) to make it more obvious ?
>>
>> Note: i prefer a leading 0 in my programms to make it more easy
>> to work with grep and friends. you may thing otherwise.
> 
> Well we've been exposing names like /dev/vport0p0, /dev/vport2p15,
> etc., and there might be scripts relying on such names, so that's one
> argument against it.
> 
> However we do have pretty names that map to these ports via udev
> rules, but not sure if we should change the name just to prepend 0s.
> 
> 		Amit
> 
The basic idea was to limit the space, having leading zeros is my idea because
i found this more convenient in the past. Using something like "%3u" will give
static checkers a chance to detect the required max. space.

re,
 wh

Re: [patch v2] virtio_console: silence a static checker warning

[walter harms]

Am 08.05.2015 11:56, schrieb Amit Shah:
> On (Fri) 08 May 2015 [11:30:09], walter harms wrote:
>>
>>
>> Am 08.05.2015 11:16, schrieb Dan Carpenter:
>>> My static checker complains that this sprintf() can overflow but really
>>> it can't.  Just silence the warning by using snprintf().
>>>
>>> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
>>> ---
>>> v2: the overflow is not possible so just leave the buffer size alone and
>>>     silence the warning with snprintf().
>>>
>>> diff --git a/drivers/char/virtio_console.c b/drivers/char/virtio_console.c
>>> index 50754d20..8283989 100644
>>> --- a/drivers/char/virtio_console.c
>>> +++ b/drivers/char/virtio_console.c
>>> @@ -1492,8 +1492,8 @@ static int add_port(struct ports_device *portdev, u32 id)
>>>  		 * Finally, create the debugfs file that we can use to
>>>  		 * inspect a port's state at any time
>>>  		 */
>>> -		sprintf(debugfs_name, "vport%up%u",
>>> -			port->portdev->vdev->index, id);
>>> +		snprintf(debugfs_name, sizeof(debugfs_name), "vport%up%u",
>>> +			 port->portdev->vdev->index, id);
>>
>>
>> would it help to use %03u (or so) to make it more obvious ?
>>
>> Note: i prefer a leading 0 in my programms to make it more easy
>> to work with grep and friends. you may thing otherwise.
> 
> Well we've been exposing names like /dev/vport0p0, /dev/vport2p15,
> etc., and there might be scripts relying on such names, so that's one
> argument against it.
> 
> However we do have pretty names that map to these ports via udev
> rules, but not sure if we should change the name just to prepend 0s.
> 
> 		Amit
> 
The basic idea was to limit the space, having leading zeros is my idea because
i found this more convenient in the past. Using something like "%3u" will give
static checkers a chance to detect the required max. space.

re,
 wh

Re: [patch v2] virtio_console: silence a static checker warning

[Dan Carpenter]

On Fri, May 08, 2015 at 01:13:22PM +0200, walter harms wrote:
> The basic idea was to limit the space, having leading zeros is my idea because
> i found this more convenient in the past. Using something like "%3u" will give
> static checkers a chance to detect the required max. space.

How are you calculating the %3?

The max for "id" is currently 31.  To be honest, I'm not certain the max
for ->index.  It's something in qemu but I'm not sure what.  Who is
going to keep it updated?

The %3 is sort of meaningless.  The lower levels of the code just ignore
it don't they?

regards,
dan carpenter

Re: [patch v2] virtio_console: silence a static checker warning

[Dan Carpenter]

On Fri, May 08, 2015 at 01:13:22PM +0200, walter harms wrote:
> The basic idea was to limit the space, having leading zeros is my idea because
> i found this more convenient in the past. Using something like "%3u" will give
> static checkers a chance to detect the required max. space.

How are you calculating the %3?

The max for "id" is currently 31.  To be honest, I'm not certain the max
for ->index.  It's something in qemu but I'm not sure what.  Who is
going to keep it updated?

The %3 is sort of meaningless.  The lower levels of the code just ignore
it don't they?

regards,
dan carpenter

[patch] virtio_console: use snprintf() for safety

[Dan Carpenter]

My static checker complains that this sprintf() can overflow.

vdev->index is selected by ida_simple_get() in register_virtio_device()
so my reading of the code is that this overflow is theoretically
possible.  The max value of "id" is configurable and I'm not sure what
typical values are.

Anyway, it's simple enough to make the buffer larger and I changed it to
snprintf() as well.

Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>

diff --git a/drivers/char/virtio_console.c b/drivers/char/virtio_console.c
index 50754d20..8283989 100644
--- a/drivers/char/virtio_console.c
+++ b/drivers/char/virtio_console.c
@@ -1389,7 +1389,7 @@ static void send_sigio_to_port(struct port *port)
 
 static int add_port(struct ports_device *portdev, u32 id)
 {
-	char debugfs_name[16];
+	char debugfs_name[28];
 	struct port *port;
 	struct port_buffer *buf;
 	dev_t devt;
@@ -1492,8 +1492,8 @@ static int add_port(struct ports_device *portdev, u32 id)
 		 * Finally, create the debugfs file that we can use to
 		 * inspect a port's state at any time
 		 */
-		sprintf(debugfs_name, "vport%up%u",
-			port->portdev->vdev->index, id);
+		snprintf(debugfs_name, sizeof(debugfs_name), "vport%up%u",
+			 port->portdev->vdev->index, id);
 		port->debugfs_file = debugfs_create_file(debugfs_name, 0444,
 							 pdrvdata.debugfs_dir,
 							 port,