* [PATCH] drm: sysfs: Use scnprintf() for avoiding potential buffer overflow
@ 2020-03-11 7:35 Takashi Iwai
2020-03-11 8:10 ` Thomas Zimmermann
0 siblings, 1 reply; 5+ messages in thread
From: Takashi Iwai @ 2020-03-11 7:35 UTC (permalink / raw)
To: Maarten Lankhorst, Maxime Ripard, Thomas Zimmermann; +Cc: dri-devel
Since snprintf() returns the would-be-output size instead of the
actual output size, the succeeding calls may go beyond the given
buffer limit. Fix it by replacing with scnprintf().
Signed-off-by: Takashi Iwai <tiwai@suse.de>
---
drivers/gpu/drm/drm_sysfs.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/gpu/drm/drm_sysfs.c b/drivers/gpu/drm/drm_sysfs.c
index dd2bc85f43cc..9b3180e8c12f 100644
--- a/drivers/gpu/drm/drm_sysfs.c
+++ b/drivers/gpu/drm/drm_sysfs.c
@@ -230,7 +230,7 @@ static ssize_t modes_show(struct device *device,
mutex_lock(&connector->dev->mode_config.mutex);
list_for_each_entry(mode, &connector->modes, head) {
- written += snprintf(buf + written, PAGE_SIZE - written, "%s\n",
+ written += scnprintf(buf + written, PAGE_SIZE - written, "%s\n",
mode->name);
}
mutex_unlock(&connector->dev->mode_config.mutex);
--
2.16.4
_______________________________________________
dri-devel mailing list
dri-devel@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/dri-devel
^ permalink raw reply related [flat|nested] 5+ messages in thread
* Re: [PATCH] drm: sysfs: Use scnprintf() for avoiding potential buffer overflow
2020-03-11 7:35 [PATCH] drm: sysfs: Use scnprintf() for avoiding potential buffer overflow Takashi Iwai
@ 2020-03-11 8:10 ` Thomas Zimmermann
2020-03-11 8:24 ` Takashi Iwai
0 siblings, 1 reply; 5+ messages in thread
From: Thomas Zimmermann @ 2020-03-11 8:10 UTC (permalink / raw)
To: Takashi Iwai, Maarten Lankhorst, Maxime Ripard; +Cc: dri-devel
[-- Attachment #1.1.1: Type: text/plain, Size: 1632 bytes --]
Hi Takashi
Am 11.03.20 um 08:35 schrieb Takashi Iwai:
> Since snprintf() returns the would-be-output size instead of the
> actual output size, the succeeding calls may go beyond the given
> buffer limit. Fix it by replacing with scnprintf().
>
> Signed-off-by: Takashi Iwai <tiwai@suse.de>
> ---
> drivers/gpu/drm/drm_sysfs.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/gpu/drm/drm_sysfs.c b/drivers/gpu/drm/drm_sysfs.c
> index dd2bc85f43cc..9b3180e8c12f 100644
> --- a/drivers/gpu/drm/drm_sysfs.c
> +++ b/drivers/gpu/drm/drm_sysfs.c
> @@ -230,7 +230,7 @@ static ssize_t modes_show(struct device *device,
>
> mutex_lock(&connector->dev->mode_config.mutex);
> list_for_each_entry(mode, &connector->modes, head) {
> - written += snprintf(buf + written, PAGE_SIZE - written, "%s\n",
> + written += scnprintf(buf + written, PAGE_SIZE - written, "%s\n",
> mode->name);
> }
> mutex_unlock(&connector->dev->mode_config.mutex);
>
In drm_sysfs.c, there are more _show functions with calls to snprintf()
that could be replaced by scnprintf(). ATM they don't return the correct
length for output that exceeds PAGE_SIZE. since you're at it, you may
replace them as well.
But in any case
Reviewed-by: Thomas Zimmermann <tzimmermann@suse.de>
for this patch.
Do you want me to merge the patch into drm-misc-next?
Best regards
Thomas
--
Thomas Zimmermann
Graphics Driver Developer
SUSE Software Solutions Germany GmbH
Maxfeldstr. 5, 90409 Nürnberg, Germany
(HRB 36809, AG Nürnberg)
Geschäftsführer: Felix Imendörffer
[-- Attachment #1.2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 488 bytes --]
[-- Attachment #2: Type: text/plain, Size: 160 bytes --]
_______________________________________________
dri-devel mailing list
dri-devel@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/dri-devel
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [PATCH] drm: sysfs: Use scnprintf() for avoiding potential buffer overflow
2020-03-11 8:10 ` Thomas Zimmermann
@ 2020-03-11 8:24 ` Takashi Iwai
2020-03-11 10:13 ` Thomas Zimmermann
2020-03-11 13:58 ` Thomas Zimmermann
0 siblings, 2 replies; 5+ messages in thread
From: Takashi Iwai @ 2020-03-11 8:24 UTC (permalink / raw)
To: Thomas Zimmermann; +Cc: dri-devel
On Wed, 11 Mar 2020 09:10:56 +0100,
Thomas Zimmermann wrote:
>
> Hi Takashi
>
> Am 11.03.20 um 08:35 schrieb Takashi Iwai:
> > Since snprintf() returns the would-be-output size instead of the
> > actual output size, the succeeding calls may go beyond the given
> > buffer limit. Fix it by replacing with scnprintf().
> >
> > Signed-off-by: Takashi Iwai <tiwai@suse.de>
> > ---
> > drivers/gpu/drm/drm_sysfs.c | 2 +-
> > 1 file changed, 1 insertion(+), 1 deletion(-)
> >
> > diff --git a/drivers/gpu/drm/drm_sysfs.c b/drivers/gpu/drm/drm_sysfs.c
> > index dd2bc85f43cc..9b3180e8c12f 100644
> > --- a/drivers/gpu/drm/drm_sysfs.c
> > +++ b/drivers/gpu/drm/drm_sysfs.c
> > @@ -230,7 +230,7 @@ static ssize_t modes_show(struct device *device,
> >
> > mutex_lock(&connector->dev->mode_config.mutex);
> > list_for_each_entry(mode, &connector->modes, head) {
> > - written += snprintf(buf + written, PAGE_SIZE - written, "%s\n",
> > + written += scnprintf(buf + written, PAGE_SIZE - written, "%s\n",
> > mode->name);
> > }
> > mutex_unlock(&connector->dev->mode_config.mutex);
> >
>
> In drm_sysfs.c, there are more _show functions with calls to snprintf()
> that could be replaced by scnprintf(). ATM they don't return the correct
> length for output that exceeds PAGE_SIZE. since you're at it, you may
> replace them as well.
Well, the rest snprintf() calls are single calls and can't be over
PAGE_SIZE obviously. IOW, they could be rather replaced with
sprintf() instead, for a sake of simplicity.
> But in any case
>
> Reviewed-by: Thomas Zimmermann <tzimmermann@suse.de>
>
> for this patch.
>
> Do you want me to merge the patch into drm-misc-next?
Yes, please.
thanks,
Takashi
_______________________________________________
dri-devel mailing list
dri-devel@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/dri-devel
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [PATCH] drm: sysfs: Use scnprintf() for avoiding potential buffer overflow
2020-03-11 8:24 ` Takashi Iwai
@ 2020-03-11 10:13 ` Thomas Zimmermann
2020-03-11 13:58 ` Thomas Zimmermann
1 sibling, 0 replies; 5+ messages in thread
From: Thomas Zimmermann @ 2020-03-11 10:13 UTC (permalink / raw)
To: Takashi Iwai; +Cc: dri-devel
[-- Attachment #1.1.1: Type: text/plain, Size: 2296 bytes --]
Hi
Am 11.03.20 um 09:24 schrieb Takashi Iwai:
> On Wed, 11 Mar 2020 09:10:56 +0100,
> Thomas Zimmermann wrote:
>>
>> Hi Takashi
>>
>> Am 11.03.20 um 08:35 schrieb Takashi Iwai:
>>> Since snprintf() returns the would-be-output size instead of the
>>> actual output size, the succeeding calls may go beyond the given
>>> buffer limit. Fix it by replacing with scnprintf().
>>>
>>> Signed-off-by: Takashi Iwai <tiwai@suse.de>
>>> ---
>>> drivers/gpu/drm/drm_sysfs.c | 2 +-
>>> 1 file changed, 1 insertion(+), 1 deletion(-)
>>>
>>> diff --git a/drivers/gpu/drm/drm_sysfs.c b/drivers/gpu/drm/drm_sysfs.c
>>> index dd2bc85f43cc..9b3180e8c12f 100644
>>> --- a/drivers/gpu/drm/drm_sysfs.c
>>> +++ b/drivers/gpu/drm/drm_sysfs.c
>>> @@ -230,7 +230,7 @@ static ssize_t modes_show(struct device *device,
>>>
>>> mutex_lock(&connector->dev->mode_config.mutex);
>>> list_for_each_entry(mode, &connector->modes, head) {
>>> - written += snprintf(buf + written, PAGE_SIZE - written, "%s\n",
>>> + written += scnprintf(buf + written, PAGE_SIZE - written, "%s\n",
>>> mode->name);
>>> }
>>> mutex_unlock(&connector->dev->mode_config.mutex);
>>>
>>
>> In drm_sysfs.c, there are more _show functions with calls to snprintf()
>> that could be replaced by scnprintf(). ATM they don't return the correct
>> length for output that exceeds PAGE_SIZE. since you're at it, you may
>> replace them as well.
>
> Well, the rest snprintf() calls are single calls and can't be over
> PAGE_SIZE obviously. IOW, they could be rather replaced with
> sprintf() instead, for a sake of simplicity.
Admittedly, none of these strings look as if they ever go beyond
PAGE_SIZE, but sncprintf() is still a simple way of defensive
programming here (and returns the correct value).
>
>> But in any case
>>
>> Reviewed-by: Thomas Zimmermann <tzimmermann@suse.de>
>>
>> for this patch.
>>
>> Do you want me to merge the patch into drm-misc-next?
>
> Yes, please.
OK, will do later today.
Best regards
Thomas
>
>
> thanks,
>
> Takashi
>
--
Thomas Zimmermann
Graphics Driver Developer
SUSE Software Solutions Germany GmbH
Maxfeldstr. 5, 90409 Nürnberg, Germany
(HRB 36809, AG Nürnberg)
Geschäftsführer: Felix Imendörffer
[-- Attachment #1.2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 488 bytes --]
[-- Attachment #2: Type: text/plain, Size: 160 bytes --]
_______________________________________________
dri-devel mailing list
dri-devel@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/dri-devel
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [PATCH] drm: sysfs: Use scnprintf() for avoiding potential buffer overflow
2020-03-11 8:24 ` Takashi Iwai
2020-03-11 10:13 ` Thomas Zimmermann
@ 2020-03-11 13:58 ` Thomas Zimmermann
1 sibling, 0 replies; 5+ messages in thread
From: Thomas Zimmermann @ 2020-03-11 13:58 UTC (permalink / raw)
To: Takashi Iwai; +Cc: dri-devel
[-- Attachment #1.1.1: Type: text/plain, Size: 2179 bytes --]
Am 11.03.20 um 09:24 schrieb Takashi Iwai:
> On Wed, 11 Mar 2020 09:10:56 +0100,
> Thomas Zimmermann wrote:
>>
>> Hi Takashi
>>
>> Am 11.03.20 um 08:35 schrieb Takashi Iwai:
>>> Since snprintf() returns the would-be-output size instead of the
>>> actual output size, the succeeding calls may go beyond the given
>>> buffer limit. Fix it by replacing with scnprintf().
>>>
>>> Signed-off-by: Takashi Iwai <tiwai@suse.de>
>>> ---
>>> drivers/gpu/drm/drm_sysfs.c | 2 +-
>>> 1 file changed, 1 insertion(+), 1 deletion(-)
>>>
>>> diff --git a/drivers/gpu/drm/drm_sysfs.c b/drivers/gpu/drm/drm_sysfs.c
>>> index dd2bc85f43cc..9b3180e8c12f 100644
>>> --- a/drivers/gpu/drm/drm_sysfs.c
>>> +++ b/drivers/gpu/drm/drm_sysfs.c
>>> @@ -230,7 +230,7 @@ static ssize_t modes_show(struct device *device,
>>>
>>> mutex_lock(&connector->dev->mode_config.mutex);
>>> list_for_each_entry(mode, &connector->modes, head) {
>>> - written += snprintf(buf + written, PAGE_SIZE - written, "%s\n",
>>> + written += scnprintf(buf + written, PAGE_SIZE - written, "%s\n",
>>> mode->name);
>>> }
>>> mutex_unlock(&connector->dev->mode_config.mutex);
>>>
>>
>> In drm_sysfs.c, there are more _show functions with calls to snprintf()
>> that could be replaced by scnprintf(). ATM they don't return the correct
>> length for output that exceeds PAGE_SIZE. since you're at it, you may
>> replace them as well.
>
> Well, the rest snprintf() calls are single calls and can't be over
> PAGE_SIZE obviously. IOW, they could be rather replaced with
> sprintf() instead, for a sake of simplicity.
>
>> But in any case
>>
>> Reviewed-by: Thomas Zimmermann <tzimmermann@suse.de>
>>
>> for this patch.
>>
>> Do you want me to merge the patch into drm-misc-next?
>
> Yes, please.
https://cgit.freedesktop.org/drm/drm-misc/commit/?id=9b9f2219b2c4fa3d1a41245cdc263d09a4c9ad92
Best regards
Thomas
>
>
> thanks,
>
> Takashi
>
--
Thomas Zimmermann
Graphics Driver Developer
SUSE Software Solutions Germany GmbH
Maxfeldstr. 5, 90409 Nürnberg, Germany
(HRB 36809, AG Nürnberg)
Geschäftsführer: Felix Imendörffer
[-- Attachment #1.2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 488 bytes --]
[-- Attachment #2: Type: text/plain, Size: 160 bytes --]
_______________________________________________
dri-devel mailing list
dri-devel@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/dri-devel
^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2020-03-11 13:58 UTC | newest]
Thread overview: 5+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2020-03-11 7:35 [PATCH] drm: sysfs: Use scnprintf() for avoiding potential buffer overflow Takashi Iwai
2020-03-11 8:10 ` Thomas Zimmermann
2020-03-11 8:24 ` Takashi Iwai
2020-03-11 10:13 ` Thomas Zimmermann
2020-03-11 13:58 ` Thomas Zimmermann
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).