* [PATCH] drm: sysfs: Use scnprintf() for avoiding potential buffer overflow @ 2020-03-11 7:35 Takashi Iwai 2020-03-11 8:10 ` Thomas Zimmermann 0 siblings, 1 reply; 5+ messages in thread From: Takashi Iwai @ 2020-03-11 7:35 UTC (permalink / raw) To: Maarten Lankhorst, Maxime Ripard, Thomas Zimmermann; +Cc: dri-devel Since snprintf() returns the would-be-output size instead of the actual output size, the succeeding calls may go beyond the given buffer limit. Fix it by replacing with scnprintf(). Signed-off-by: Takashi Iwai <tiwai@suse.de> --- drivers/gpu/drm/drm_sysfs.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/gpu/drm/drm_sysfs.c b/drivers/gpu/drm/drm_sysfs.c index dd2bc85f43cc..9b3180e8c12f 100644 --- a/drivers/gpu/drm/drm_sysfs.c +++ b/drivers/gpu/drm/drm_sysfs.c @@ -230,7 +230,7 @@ static ssize_t modes_show(struct device *device, mutex_lock(&connector->dev->mode_config.mutex); list_for_each_entry(mode, &connector->modes, head) { - written += snprintf(buf + written, PAGE_SIZE - written, "%s\n", + written += scnprintf(buf + written, PAGE_SIZE - written, "%s\n", mode->name); } mutex_unlock(&connector->dev->mode_config.mutex); -- 2.16.4 _______________________________________________ dri-devel mailing list dri-devel@lists.freedesktop.org https://lists.freedesktop.org/mailman/listinfo/dri-devel ^ permalink raw reply related [flat|nested] 5+ messages in thread
* Re: [PATCH] drm: sysfs: Use scnprintf() for avoiding potential buffer overflow 2020-03-11 7:35 [PATCH] drm: sysfs: Use scnprintf() for avoiding potential buffer overflow Takashi Iwai @ 2020-03-11 8:10 ` Thomas Zimmermann 2020-03-11 8:24 ` Takashi Iwai 0 siblings, 1 reply; 5+ messages in thread From: Thomas Zimmermann @ 2020-03-11 8:10 UTC (permalink / raw) To: Takashi Iwai, Maarten Lankhorst, Maxime Ripard; +Cc: dri-devel [-- Attachment #1.1.1: Type: text/plain, Size: 1632 bytes --] Hi Takashi Am 11.03.20 um 08:35 schrieb Takashi Iwai: > Since snprintf() returns the would-be-output size instead of the > actual output size, the succeeding calls may go beyond the given > buffer limit. Fix it by replacing with scnprintf(). > > Signed-off-by: Takashi Iwai <tiwai@suse.de> > --- > drivers/gpu/drm/drm_sysfs.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/drivers/gpu/drm/drm_sysfs.c b/drivers/gpu/drm/drm_sysfs.c > index dd2bc85f43cc..9b3180e8c12f 100644 > --- a/drivers/gpu/drm/drm_sysfs.c > +++ b/drivers/gpu/drm/drm_sysfs.c > @@ -230,7 +230,7 @@ static ssize_t modes_show(struct device *device, > > mutex_lock(&connector->dev->mode_config.mutex); > list_for_each_entry(mode, &connector->modes, head) { > - written += snprintf(buf + written, PAGE_SIZE - written, "%s\n", > + written += scnprintf(buf + written, PAGE_SIZE - written, "%s\n", > mode->name); > } > mutex_unlock(&connector->dev->mode_config.mutex); > In drm_sysfs.c, there are more _show functions with calls to snprintf() that could be replaced by scnprintf(). ATM they don't return the correct length for output that exceeds PAGE_SIZE. since you're at it, you may replace them as well. But in any case Reviewed-by: Thomas Zimmermann <tzimmermann@suse.de> for this patch. Do you want me to merge the patch into drm-misc-next? Best regards Thomas -- Thomas Zimmermann Graphics Driver Developer SUSE Software Solutions Germany GmbH Maxfeldstr. 5, 90409 Nürnberg, Germany (HRB 36809, AG Nürnberg) Geschäftsführer: Felix Imendörffer [-- Attachment #1.2: OpenPGP digital signature --] [-- Type: application/pgp-signature, Size: 488 bytes --] [-- Attachment #2: Type: text/plain, Size: 160 bytes --] _______________________________________________ dri-devel mailing list dri-devel@lists.freedesktop.org https://lists.freedesktop.org/mailman/listinfo/dri-devel ^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [PATCH] drm: sysfs: Use scnprintf() for avoiding potential buffer overflow 2020-03-11 8:10 ` Thomas Zimmermann @ 2020-03-11 8:24 ` Takashi Iwai 2020-03-11 10:13 ` Thomas Zimmermann 2020-03-11 13:58 ` Thomas Zimmermann 0 siblings, 2 replies; 5+ messages in thread From: Takashi Iwai @ 2020-03-11 8:24 UTC (permalink / raw) To: Thomas Zimmermann; +Cc: dri-devel On Wed, 11 Mar 2020 09:10:56 +0100, Thomas Zimmermann wrote: > > Hi Takashi > > Am 11.03.20 um 08:35 schrieb Takashi Iwai: > > Since snprintf() returns the would-be-output size instead of the > > actual output size, the succeeding calls may go beyond the given > > buffer limit. Fix it by replacing with scnprintf(). > > > > Signed-off-by: Takashi Iwai <tiwai@suse.de> > > --- > > drivers/gpu/drm/drm_sysfs.c | 2 +- > > 1 file changed, 1 insertion(+), 1 deletion(-) > > > > diff --git a/drivers/gpu/drm/drm_sysfs.c b/drivers/gpu/drm/drm_sysfs.c > > index dd2bc85f43cc..9b3180e8c12f 100644 > > --- a/drivers/gpu/drm/drm_sysfs.c > > +++ b/drivers/gpu/drm/drm_sysfs.c > > @@ -230,7 +230,7 @@ static ssize_t modes_show(struct device *device, > > > > mutex_lock(&connector->dev->mode_config.mutex); > > list_for_each_entry(mode, &connector->modes, head) { > > - written += snprintf(buf + written, PAGE_SIZE - written, "%s\n", > > + written += scnprintf(buf + written, PAGE_SIZE - written, "%s\n", > > mode->name); > > } > > mutex_unlock(&connector->dev->mode_config.mutex); > > > > In drm_sysfs.c, there are more _show functions with calls to snprintf() > that could be replaced by scnprintf(). ATM they don't return the correct > length for output that exceeds PAGE_SIZE. since you're at it, you may > replace them as well. Well, the rest snprintf() calls are single calls and can't be over PAGE_SIZE obviously. IOW, they could be rather replaced with sprintf() instead, for a sake of simplicity. > But in any case > > Reviewed-by: Thomas Zimmermann <tzimmermann@suse.de> > > for this patch. > > Do you want me to merge the patch into drm-misc-next? Yes, please. thanks, Takashi _______________________________________________ dri-devel mailing list dri-devel@lists.freedesktop.org https://lists.freedesktop.org/mailman/listinfo/dri-devel ^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [PATCH] drm: sysfs: Use scnprintf() for avoiding potential buffer overflow 2020-03-11 8:24 ` Takashi Iwai @ 2020-03-11 10:13 ` Thomas Zimmermann 2020-03-11 13:58 ` Thomas Zimmermann 1 sibling, 0 replies; 5+ messages in thread From: Thomas Zimmermann @ 2020-03-11 10:13 UTC (permalink / raw) To: Takashi Iwai; +Cc: dri-devel [-- Attachment #1.1.1: Type: text/plain, Size: 2296 bytes --] Hi Am 11.03.20 um 09:24 schrieb Takashi Iwai: > On Wed, 11 Mar 2020 09:10:56 +0100, > Thomas Zimmermann wrote: >> >> Hi Takashi >> >> Am 11.03.20 um 08:35 schrieb Takashi Iwai: >>> Since snprintf() returns the would-be-output size instead of the >>> actual output size, the succeeding calls may go beyond the given >>> buffer limit. Fix it by replacing with scnprintf(). >>> >>> Signed-off-by: Takashi Iwai <tiwai@suse.de> >>> --- >>> drivers/gpu/drm/drm_sysfs.c | 2 +- >>> 1 file changed, 1 insertion(+), 1 deletion(-) >>> >>> diff --git a/drivers/gpu/drm/drm_sysfs.c b/drivers/gpu/drm/drm_sysfs.c >>> index dd2bc85f43cc..9b3180e8c12f 100644 >>> --- a/drivers/gpu/drm/drm_sysfs.c >>> +++ b/drivers/gpu/drm/drm_sysfs.c >>> @@ -230,7 +230,7 @@ static ssize_t modes_show(struct device *device, >>> >>> mutex_lock(&connector->dev->mode_config.mutex); >>> list_for_each_entry(mode, &connector->modes, head) { >>> - written += snprintf(buf + written, PAGE_SIZE - written, "%s\n", >>> + written += scnprintf(buf + written, PAGE_SIZE - written, "%s\n", >>> mode->name); >>> } >>> mutex_unlock(&connector->dev->mode_config.mutex); >>> >> >> In drm_sysfs.c, there are more _show functions with calls to snprintf() >> that could be replaced by scnprintf(). ATM they don't return the correct >> length for output that exceeds PAGE_SIZE. since you're at it, you may >> replace them as well. > > Well, the rest snprintf() calls are single calls and can't be over > PAGE_SIZE obviously. IOW, they could be rather replaced with > sprintf() instead, for a sake of simplicity. Admittedly, none of these strings look as if they ever go beyond PAGE_SIZE, but sncprintf() is still a simple way of defensive programming here (and returns the correct value). > >> But in any case >> >> Reviewed-by: Thomas Zimmermann <tzimmermann@suse.de> >> >> for this patch. >> >> Do you want me to merge the patch into drm-misc-next? > > Yes, please. OK, will do later today. Best regards Thomas > > > thanks, > > Takashi > -- Thomas Zimmermann Graphics Driver Developer SUSE Software Solutions Germany GmbH Maxfeldstr. 5, 90409 Nürnberg, Germany (HRB 36809, AG Nürnberg) Geschäftsführer: Felix Imendörffer [-- Attachment #1.2: OpenPGP digital signature --] [-- Type: application/pgp-signature, Size: 488 bytes --] [-- Attachment #2: Type: text/plain, Size: 160 bytes --] _______________________________________________ dri-devel mailing list dri-devel@lists.freedesktop.org https://lists.freedesktop.org/mailman/listinfo/dri-devel ^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [PATCH] drm: sysfs: Use scnprintf() for avoiding potential buffer overflow 2020-03-11 8:24 ` Takashi Iwai 2020-03-11 10:13 ` Thomas Zimmermann @ 2020-03-11 13:58 ` Thomas Zimmermann 1 sibling, 0 replies; 5+ messages in thread From: Thomas Zimmermann @ 2020-03-11 13:58 UTC (permalink / raw) To: Takashi Iwai; +Cc: dri-devel [-- Attachment #1.1.1: Type: text/plain, Size: 2179 bytes --] Am 11.03.20 um 09:24 schrieb Takashi Iwai: > On Wed, 11 Mar 2020 09:10:56 +0100, > Thomas Zimmermann wrote: >> >> Hi Takashi >> >> Am 11.03.20 um 08:35 schrieb Takashi Iwai: >>> Since snprintf() returns the would-be-output size instead of the >>> actual output size, the succeeding calls may go beyond the given >>> buffer limit. Fix it by replacing with scnprintf(). >>> >>> Signed-off-by: Takashi Iwai <tiwai@suse.de> >>> --- >>> drivers/gpu/drm/drm_sysfs.c | 2 +- >>> 1 file changed, 1 insertion(+), 1 deletion(-) >>> >>> diff --git a/drivers/gpu/drm/drm_sysfs.c b/drivers/gpu/drm/drm_sysfs.c >>> index dd2bc85f43cc..9b3180e8c12f 100644 >>> --- a/drivers/gpu/drm/drm_sysfs.c >>> +++ b/drivers/gpu/drm/drm_sysfs.c >>> @@ -230,7 +230,7 @@ static ssize_t modes_show(struct device *device, >>> >>> mutex_lock(&connector->dev->mode_config.mutex); >>> list_for_each_entry(mode, &connector->modes, head) { >>> - written += snprintf(buf + written, PAGE_SIZE - written, "%s\n", >>> + written += scnprintf(buf + written, PAGE_SIZE - written, "%s\n", >>> mode->name); >>> } >>> mutex_unlock(&connector->dev->mode_config.mutex); >>> >> >> In drm_sysfs.c, there are more _show functions with calls to snprintf() >> that could be replaced by scnprintf(). ATM they don't return the correct >> length for output that exceeds PAGE_SIZE. since you're at it, you may >> replace them as well. > > Well, the rest snprintf() calls are single calls and can't be over > PAGE_SIZE obviously. IOW, they could be rather replaced with > sprintf() instead, for a sake of simplicity. > >> But in any case >> >> Reviewed-by: Thomas Zimmermann <tzimmermann@suse.de> >> >> for this patch. >> >> Do you want me to merge the patch into drm-misc-next? > > Yes, please. https://cgit.freedesktop.org/drm/drm-misc/commit/?id=9b9f2219b2c4fa3d1a41245cdc263d09a4c9ad92 Best regards Thomas > > > thanks, > > Takashi > -- Thomas Zimmermann Graphics Driver Developer SUSE Software Solutions Germany GmbH Maxfeldstr. 5, 90409 Nürnberg, Germany (HRB 36809, AG Nürnberg) Geschäftsführer: Felix Imendörffer [-- Attachment #1.2: OpenPGP digital signature --] [-- Type: application/pgp-signature, Size: 488 bytes --] [-- Attachment #2: Type: text/plain, Size: 160 bytes --] _______________________________________________ dri-devel mailing list dri-devel@lists.freedesktop.org https://lists.freedesktop.org/mailman/listinfo/dri-devel ^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2020-03-11 13:58 UTC | newest] Thread overview: 5+ messages (download: mbox.gz / follow: Atom feed) -- links below jump to the message on this page -- 2020-03-11 7:35 [PATCH] drm: sysfs: Use scnprintf() for avoiding potential buffer overflow Takashi Iwai 2020-03-11 8:10 ` Thomas Zimmermann 2020-03-11 8:24 ` Takashi Iwai 2020-03-11 10:13 ` Thomas Zimmermann 2020-03-11 13:58 ` Thomas Zimmermann
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox; as well as URLs for NNTP newsgroup(s).