[PATCH] drm: sysfs: Use scnprintf() for avoiding potential buffer overflow

[PATCH] drm: sysfs: Use scnprintf() for avoiding potential buffer overflow

[Takashi Iwai]

Since snprintf() returns the would-be-output size instead of the
actual output size, the succeeding calls may go beyond the given
buffer limit.  Fix it by replacing with scnprintf().

Signed-off-by: Takashi Iwai <tiwai@suse.de>
---
 drivers/gpu/drm/drm_sysfs.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/gpu/drm/drm_sysfs.c b/drivers/gpu/drm/drm_sysfs.c
index dd2bc85f43cc..9b3180e8c12f 100644
--- a/drivers/gpu/drm/drm_sysfs.c
+++ b/drivers/gpu/drm/drm_sysfs.c
@@ -230,7 +230,7 @@ static ssize_t modes_show(struct device *device,
 
 	mutex_lock(&connector->dev->mode_config.mutex);
 	list_for_each_entry(mode, &connector->modes, head) {
-		written += snprintf(buf + written, PAGE_SIZE - written, "%s\n",
+		written += scnprintf(buf + written, PAGE_SIZE - written, "%s\n",
 				    mode->name);
 	}
 	mutex_unlock(&connector->dev->mode_config.mutex);
-- 
2.16.4

_______________________________________________
dri-devel mailing list
dri-devel@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/dri-devel

Re: [PATCH] drm: sysfs: Use scnprintf() for avoiding potential buffer overflow

[Thomas Zimmermann]

[-- Attachment #1.1.1: Type: text/plain, Size: 1632 bytes --]

Hi Takashi

Am 11.03.20 um 08:35 schrieb Takashi Iwai:
> Since snprintf() returns the would-be-output size instead of the
> actual output size, the succeeding calls may go beyond the given
> buffer limit.  Fix it by replacing with scnprintf().
> 
> Signed-off-by: Takashi Iwai <tiwai@suse.de>
> ---
>  drivers/gpu/drm/drm_sysfs.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/drivers/gpu/drm/drm_sysfs.c b/drivers/gpu/drm/drm_sysfs.c
> index dd2bc85f43cc..9b3180e8c12f 100644
> --- a/drivers/gpu/drm/drm_sysfs.c
> +++ b/drivers/gpu/drm/drm_sysfs.c
> @@ -230,7 +230,7 @@ static ssize_t modes_show(struct device *device,
>  
>  	mutex_lock(&connector->dev->mode_config.mutex);
>  	list_for_each_entry(mode, &connector->modes, head) {
> -		written += snprintf(buf + written, PAGE_SIZE - written, "%s\n",
> +		written += scnprintf(buf + written, PAGE_SIZE - written, "%s\n",
>  				    mode->name);
>  	}
>  	mutex_unlock(&connector->dev->mode_config.mutex);
> 

In drm_sysfs.c, there are more _show functions with calls to snprintf()
that could be replaced by scnprintf(). ATM they don't return the correct
length for output that exceeds PAGE_SIZE. since you're at it, you may
replace them as well.

But in any case

Reviewed-by: Thomas Zimmermann <tzimmermann@suse.de>

for this patch.

Do you want me to merge the patch into drm-misc-next?

Best regards
Thomas


-- 
Thomas Zimmermann
Graphics Driver Developer
SUSE Software Solutions Germany GmbH
Maxfeldstr. 5, 90409 Nürnberg, Germany
(HRB 36809, AG Nürnberg)
Geschäftsführer: Felix Imendörffer


[-- Attachment #1.2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 488 bytes --]

[-- Attachment #2: Type: text/plain, Size: 160 bytes --]

_______________________________________________
dri-devel mailing list
dri-devel@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/dri-devel

Re: [PATCH] drm: sysfs: Use scnprintf() for avoiding potential buffer overflow

[Takashi Iwai]

On Wed, 11 Mar 2020 09:10:56 +0100,
Thomas Zimmermann wrote:
> 
> Hi Takashi
> 
> Am 11.03.20 um 08:35 schrieb Takashi Iwai:
> > Since snprintf() returns the would-be-output size instead of the
> > actual output size, the succeeding calls may go beyond the given
> > buffer limit.  Fix it by replacing with scnprintf().
> > 
> > Signed-off-by: Takashi Iwai <tiwai@suse.de>
> > ---
> >  drivers/gpu/drm/drm_sysfs.c | 2 +-
> >  1 file changed, 1 insertion(+), 1 deletion(-)
> > 
> > diff --git a/drivers/gpu/drm/drm_sysfs.c b/drivers/gpu/drm/drm_sysfs.c
> > index dd2bc85f43cc..9b3180e8c12f 100644
> > --- a/drivers/gpu/drm/drm_sysfs.c
> > +++ b/drivers/gpu/drm/drm_sysfs.c
> > @@ -230,7 +230,7 @@ static ssize_t modes_show(struct device *device,
> >  
> >  	mutex_lock(&connector->dev->mode_config.mutex);
> >  	list_for_each_entry(mode, &connector->modes, head) {
> > -		written += snprintf(buf + written, PAGE_SIZE - written, "%s\n",
> > +		written += scnprintf(buf + written, PAGE_SIZE - written, "%s\n",
> >  				    mode->name);
> >  	}
> >  	mutex_unlock(&connector->dev->mode_config.mutex);
> > 
> 
> In drm_sysfs.c, there are more _show functions with calls to snprintf()
> that could be replaced by scnprintf(). ATM they don't return the correct
> length for output that exceeds PAGE_SIZE. since you're at it, you may
> replace them as well.

Well, the rest snprintf() calls are single calls and can't be over
PAGE_SIZE obviously.  IOW, they could be rather replaced with
sprintf() instead, for a sake of simplicity. 

> But in any case
> 
> Reviewed-by: Thomas Zimmermann <tzimmermann@suse.de>
> 
> for this patch.
> 
> Do you want me to merge the patch into drm-misc-next?

Yes, please.


thanks,

Takashi
_______________________________________________
dri-devel mailing list
dri-devel@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/dri-devel

Re: [PATCH] drm: sysfs: Use scnprintf() for avoiding potential buffer overflow

[Thomas Zimmermann]

[-- Attachment #1.1.1: Type: text/plain, Size: 2296 bytes --]

Hi

Am 11.03.20 um 09:24 schrieb Takashi Iwai:
> On Wed, 11 Mar 2020 09:10:56 +0100,
> Thomas Zimmermann wrote:
>>
>> Hi Takashi
>>
>> Am 11.03.20 um 08:35 schrieb Takashi Iwai:
>>> Since snprintf() returns the would-be-output size instead of the
>>> actual output size, the succeeding calls may go beyond the given
>>> buffer limit.  Fix it by replacing with scnprintf().
>>>
>>> Signed-off-by: Takashi Iwai <tiwai@suse.de>
>>> ---
>>>  drivers/gpu/drm/drm_sysfs.c | 2 +-
>>>  1 file changed, 1 insertion(+), 1 deletion(-)
>>>
>>> diff --git a/drivers/gpu/drm/drm_sysfs.c b/drivers/gpu/drm/drm_sysfs.c
>>> index dd2bc85f43cc..9b3180e8c12f 100644
>>> --- a/drivers/gpu/drm/drm_sysfs.c
>>> +++ b/drivers/gpu/drm/drm_sysfs.c
>>> @@ -230,7 +230,7 @@ static ssize_t modes_show(struct device *device,
>>>  
>>>  	mutex_lock(&connector->dev->mode_config.mutex);
>>>  	list_for_each_entry(mode, &connector->modes, head) {
>>> -		written += snprintf(buf + written, PAGE_SIZE - written, "%s\n",
>>> +		written += scnprintf(buf + written, PAGE_SIZE - written, "%s\n",
>>>  				    mode->name);
>>>  	}
>>>  	mutex_unlock(&connector->dev->mode_config.mutex);
>>>
>>
>> In drm_sysfs.c, there are more _show functions with calls to snprintf()
>> that could be replaced by scnprintf(). ATM they don't return the correct
>> length for output that exceeds PAGE_SIZE. since you're at it, you may
>> replace them as well.
> 
> Well, the rest snprintf() calls are single calls and can't be over
> PAGE_SIZE obviously.  IOW, they could be rather replaced with
> sprintf() instead, for a sake of simplicity. 

Admittedly, none of these strings look as if they ever go beyond
PAGE_SIZE, but sncprintf() is still a simple way of defensive
programming here (and returns the correct value).

> 
>> But in any case
>>
>> Reviewed-by: Thomas Zimmermann <tzimmermann@suse.de>
>>
>> for this patch.
>>
>> Do you want me to merge the patch into drm-misc-next?
> 
> Yes, please.

OK, will do later today.

Best regards
Thomas

> 
> 
> thanks,
> 
> Takashi
> 

-- 
Thomas Zimmermann
Graphics Driver Developer
SUSE Software Solutions Germany GmbH
Maxfeldstr. 5, 90409 Nürnberg, Germany
(HRB 36809, AG Nürnberg)
Geschäftsführer: Felix Imendörffer


[-- Attachment #1.2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 488 bytes --]

[-- Attachment #2: Type: text/plain, Size: 160 bytes --]

_______________________________________________
dri-devel mailing list
dri-devel@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/dri-devel

Re: [PATCH] drm: sysfs: Use scnprintf() for avoiding potential buffer overflow

[Thomas Zimmermann]

[-- Attachment #1.1.1: Type: text/plain, Size: 2179 bytes --]



Am 11.03.20 um 09:24 schrieb Takashi Iwai:
> On Wed, 11 Mar 2020 09:10:56 +0100,
> Thomas Zimmermann wrote:
>>
>> Hi Takashi
>>
>> Am 11.03.20 um 08:35 schrieb Takashi Iwai:
>>> Since snprintf() returns the would-be-output size instead of the
>>> actual output size, the succeeding calls may go beyond the given
>>> buffer limit.  Fix it by replacing with scnprintf().
>>>
>>> Signed-off-by: Takashi Iwai <tiwai@suse.de>
>>> ---
>>>  drivers/gpu/drm/drm_sysfs.c | 2 +-
>>>  1 file changed, 1 insertion(+), 1 deletion(-)
>>>
>>> diff --git a/drivers/gpu/drm/drm_sysfs.c b/drivers/gpu/drm/drm_sysfs.c
>>> index dd2bc85f43cc..9b3180e8c12f 100644
>>> --- a/drivers/gpu/drm/drm_sysfs.c
>>> +++ b/drivers/gpu/drm/drm_sysfs.c
>>> @@ -230,7 +230,7 @@ static ssize_t modes_show(struct device *device,
>>>  
>>>  	mutex_lock(&connector->dev->mode_config.mutex);
>>>  	list_for_each_entry(mode, &connector->modes, head) {
>>> -		written += snprintf(buf + written, PAGE_SIZE - written, "%s\n",
>>> +		written += scnprintf(buf + written, PAGE_SIZE - written, "%s\n",
>>>  				    mode->name);
>>>  	}
>>>  	mutex_unlock(&connector->dev->mode_config.mutex);
>>>
>>
>> In drm_sysfs.c, there are more _show functions with calls to snprintf()
>> that could be replaced by scnprintf(). ATM they don't return the correct
>> length for output that exceeds PAGE_SIZE. since you're at it, you may
>> replace them as well.
> 
> Well, the rest snprintf() calls are single calls and can't be over
> PAGE_SIZE obviously.  IOW, they could be rather replaced with
> sprintf() instead, for a sake of simplicity. 
> 
>> But in any case
>>
>> Reviewed-by: Thomas Zimmermann <tzimmermann@suse.de>
>>
>> for this patch.
>>
>> Do you want me to merge the patch into drm-misc-next?
> 
> Yes, please.

https://cgit.freedesktop.org/drm/drm-misc/commit/?id=9b9f2219b2c4fa3d1a41245cdc263d09a4c9ad92

Best regards
Thomas

> 
> 
> thanks,
> 
> Takashi
> 

-- 
Thomas Zimmermann
Graphics Driver Developer
SUSE Software Solutions Germany GmbH
Maxfeldstr. 5, 90409 Nürnberg, Germany
(HRB 36809, AG Nürnberg)
Geschäftsführer: Felix Imendörffer


[-- Attachment #1.2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 488 bytes --]

[-- Attachment #2: Type: text/plain, Size: 160 bytes --]

_______________________________________________
dri-devel mailing list
dri-devel@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/dri-devel