Linux-ACPI Archive on lore.kernel.org
 help / color / Atom feed
* [PATCH] ACPI: fan: Use scnprintf() for avoiding potential buffer overflow
@ 2020-03-11  7:08 Takashi Iwai
  2020-03-14 10:13 ` Rafael J. Wysocki
  0 siblings, 1 reply; 2+ messages in thread
From: Takashi Iwai @ 2020-03-11  7:08 UTC (permalink / raw)
  To: linux-acpi; +Cc: Zhang Rui, Rafael J . Wysocki, Len Brown

Since snprintf() returns the would-be-output size instead of the
actual output size, the succeeding calls may go beyond the given
buffer limit.  Fix it by replacing with scnprintf().

Also adjust the argument to really match with the actually remaining
buffer size.

Signed-off-by: Takashi Iwai <tiwai@suse.de>
---
 drivers/acpi/fan.c | 20 ++++++++++----------
 1 file changed, 10 insertions(+), 10 deletions(-)

diff --git a/drivers/acpi/fan.c b/drivers/acpi/fan.c
index aaf4e8f348cf..873e039ad4b7 100644
--- a/drivers/acpi/fan.c
+++ b/drivers/acpi/fan.c
@@ -276,29 +276,29 @@ static ssize_t show_state(struct device *dev, struct device_attribute *attr, cha
 	int count;
 
 	if (fps->control == 0xFFFFFFFF || fps->control > 100)
-		count = snprintf(buf, PAGE_SIZE, "not-defined:");
+		count = scnprintf(buf, PAGE_SIZE, "not-defined:");
 	else
-		count = snprintf(buf, PAGE_SIZE, "%lld:", fps->control);
+		count = scnprintf(buf, PAGE_SIZE, "%lld:", fps->control);
 
 	if (fps->trip_point == 0xFFFFFFFF || fps->trip_point > 9)
-		count += snprintf(&buf[count], PAGE_SIZE, "not-defined:");
+		count += scnprintf(&buf[count], PAGE_SIZE - count, "not-defined:");
 	else
-		count += snprintf(&buf[count], PAGE_SIZE, "%lld:", fps->trip_point);
+		count += scnprintf(&buf[count], PAGE_SIZE - count, "%lld:", fps->trip_point);
 
 	if (fps->speed == 0xFFFFFFFF)
-		count += snprintf(&buf[count], PAGE_SIZE, "not-defined:");
+		count += scnprintf(&buf[count], PAGE_SIZE - count, "not-defined:");
 	else
-		count += snprintf(&buf[count], PAGE_SIZE, "%lld:", fps->speed);
+		count += scnprintf(&buf[count], PAGE_SIZE - count, "%lld:", fps->speed);
 
 	if (fps->noise_level == 0xFFFFFFFF)
-		count += snprintf(&buf[count], PAGE_SIZE, "not-defined:");
+		count += scnprintf(&buf[count], PAGE_SIZE - count, "not-defined:");
 	else
-		count += snprintf(&buf[count], PAGE_SIZE, "%lld:", fps->noise_level * 100);
+		count += scnprintf(&buf[count], PAGE_SIZE - count, "%lld:", fps->noise_level * 100);
 
 	if (fps->power == 0xFFFFFFFF)
-		count += snprintf(&buf[count], PAGE_SIZE, "not-defined\n");
+		count += scnprintf(&buf[count], PAGE_SIZE - count, "not-defined\n");
 	else
-		count += snprintf(&buf[count], PAGE_SIZE, "%lld\n", fps->power);
+		count += scnprintf(&buf[count], PAGE_SIZE - count, "%lld\n", fps->power);
 
 	return count;
 }
-- 
2.16.4


^ permalink raw reply	[flat|nested] 2+ messages in thread

* Re: [PATCH] ACPI: fan: Use scnprintf() for avoiding potential buffer overflow
  2020-03-11  7:08 [PATCH] ACPI: fan: Use scnprintf() for avoiding potential buffer overflow Takashi Iwai
@ 2020-03-14 10:13 ` Rafael J. Wysocki
  0 siblings, 0 replies; 2+ messages in thread
From: Rafael J. Wysocki @ 2020-03-14 10:13 UTC (permalink / raw)
  To: Takashi Iwai; +Cc: linux-acpi, Zhang Rui, Len Brown

On Wednesday, March 11, 2020 8:08:51 AM CET Takashi Iwai wrote:
> Since snprintf() returns the would-be-output size instead of the
> actual output size, the succeeding calls may go beyond the given
> buffer limit.  Fix it by replacing with scnprintf().
> 
> Also adjust the argument to really match with the actually remaining
> buffer size.
> 
> Signed-off-by: Takashi Iwai <tiwai@suse.de>
> ---
>  drivers/acpi/fan.c | 20 ++++++++++----------
>  1 file changed, 10 insertions(+), 10 deletions(-)
> 
> diff --git a/drivers/acpi/fan.c b/drivers/acpi/fan.c
> index aaf4e8f348cf..873e039ad4b7 100644
> --- a/drivers/acpi/fan.c
> +++ b/drivers/acpi/fan.c
> @@ -276,29 +276,29 @@ static ssize_t show_state(struct device *dev, struct device_attribute *attr, cha
>  	int count;
>  
>  	if (fps->control == 0xFFFFFFFF || fps->control > 100)
> -		count = snprintf(buf, PAGE_SIZE, "not-defined:");
> +		count = scnprintf(buf, PAGE_SIZE, "not-defined:");
>  	else
> -		count = snprintf(buf, PAGE_SIZE, "%lld:", fps->control);
> +		count = scnprintf(buf, PAGE_SIZE, "%lld:", fps->control);
>  
>  	if (fps->trip_point == 0xFFFFFFFF || fps->trip_point > 9)
> -		count += snprintf(&buf[count], PAGE_SIZE, "not-defined:");
> +		count += scnprintf(&buf[count], PAGE_SIZE - count, "not-defined:");
>  	else
> -		count += snprintf(&buf[count], PAGE_SIZE, "%lld:", fps->trip_point);
> +		count += scnprintf(&buf[count], PAGE_SIZE - count, "%lld:", fps->trip_point);
>  
>  	if (fps->speed == 0xFFFFFFFF)
> -		count += snprintf(&buf[count], PAGE_SIZE, "not-defined:");
> +		count += scnprintf(&buf[count], PAGE_SIZE - count, "not-defined:");
>  	else
> -		count += snprintf(&buf[count], PAGE_SIZE, "%lld:", fps->speed);
> +		count += scnprintf(&buf[count], PAGE_SIZE - count, "%lld:", fps->speed);
>  
>  	if (fps->noise_level == 0xFFFFFFFF)
> -		count += snprintf(&buf[count], PAGE_SIZE, "not-defined:");
> +		count += scnprintf(&buf[count], PAGE_SIZE - count, "not-defined:");
>  	else
> -		count += snprintf(&buf[count], PAGE_SIZE, "%lld:", fps->noise_level * 100);
> +		count += scnprintf(&buf[count], PAGE_SIZE - count, "%lld:", fps->noise_level * 100);
>  
>  	if (fps->power == 0xFFFFFFFF)
> -		count += snprintf(&buf[count], PAGE_SIZE, "not-defined\n");
> +		count += scnprintf(&buf[count], PAGE_SIZE - count, "not-defined\n");
>  	else
> -		count += snprintf(&buf[count], PAGE_SIZE, "%lld\n", fps->power);
> +		count += scnprintf(&buf[count], PAGE_SIZE - count, "%lld\n", fps->power);
>  
>  	return count;
>  }
> 

Applied as 5.7 material, thanks!





^ permalink raw reply	[flat|nested] 2+ messages in thread

end of thread, back to index

Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2020-03-11  7:08 [PATCH] ACPI: fan: Use scnprintf() for avoiding potential buffer overflow Takashi Iwai
2020-03-14 10:13 ` Rafael J. Wysocki

Linux-ACPI Archive on lore.kernel.org

Archives are clonable:
	git clone --mirror https://lore.kernel.org/linux-acpi/0 linux-acpi/git/0.git

	# If you have public-inbox 1.1+ installed, you may
	# initialize and index your mirror using the following commands:
	public-inbox-init -V2 linux-acpi linux-acpi/ https://lore.kernel.org/linux-acpi \
		linux-acpi@vger.kernel.org
	public-inbox-index linux-acpi

Example config snippet for mirrors

Newsgroup available over NNTP:
	nntp://nntp.lore.kernel.org/org.kernel.vger.linux-acpi


AGPL code for this site: git clone https://public-inbox.org/public-inbox.git