Linux-IIO Archive on lore.kernel.org
 help / color / Atom feed
* [PATCH v2 0/2] iio: Use scnprintf() for avoiding potential buffer overflow
@ 2020-03-16 12:49 Takashi Iwai
  2020-03-16 12:49 ` [PATCH v2 1/2] iio: core: " Takashi Iwai
  2020-03-16 12:49 ` [PATCH v2 2/2] iio: tsl2772: " Takashi Iwai
  0 siblings, 2 replies; 7+ messages in thread
From: Takashi Iwai @ 2020-03-16 12:49 UTC (permalink / raw)
  To: Jonathan Cameron; +Cc: Brian Masney, linux-iio

Hi,

here is a respin of the trivial patchset to replace snprintf() calls
with the safer scnprintf() calls for avoiding potential buffer
overflows.

v1->v2: Fix the snprintf() buffer limit argument in tsl2772
	Rephrase the changelog


Takashi

===

Takashi Iwai (2):
  iio: core: Use scnprintf() for avoiding potential buffer overflow
  iio: tsl2772: Use scnprintf() for avoiding potential buffer overflow

 drivers/iio/industrialio-core.c | 34 +++++++++++++++++-----------------
 drivers/iio/light/tsl2772.c     |  6 +++---
 2 files changed, 20 insertions(+), 20 deletions(-)

-- 
2.16.4


^ permalink raw reply	[flat|nested] 7+ messages in thread

* [PATCH v2 1/2] iio: core: Use scnprintf() for avoiding potential buffer overflow
  2020-03-16 12:49 [PATCH v2 0/2] iio: Use scnprintf() for avoiding potential buffer overflow Takashi Iwai
@ 2020-03-16 12:49 ` " Takashi Iwai
  2020-03-16 16:19   ` Brian Masney
  2020-03-16 12:49 ` [PATCH v2 2/2] iio: tsl2772: " Takashi Iwai
  1 sibling, 1 reply; 7+ messages in thread
From: Takashi Iwai @ 2020-03-16 12:49 UTC (permalink / raw)
  To: Jonathan Cameron; +Cc: Brian Masney, linux-iio

snprintf() is a hard-to-use function, it's especially difficult to use
it for concatenating substrings in a buffer with a limited size.
Since snprintf() returns the would-be-output size, not the actual
size, the subsequent use of snprintf() may go beyond the given limit
easily.  Although the current code doesn't actually overflow the
buffer, it's an incorrect usage.

This patch replaces such snprintf() calls with a safer version,
scnprintf().

Signed-off-by: Takashi Iwai <tiwai@suse.de>
---
v1->v2: Rephrase the changelog

 drivers/iio/industrialio-core.c | 34 +++++++++++++++++-----------------
 1 file changed, 17 insertions(+), 17 deletions(-)

diff --git a/drivers/iio/industrialio-core.c b/drivers/iio/industrialio-core.c
index 65ff0d067018..197006b5d5c2 100644
--- a/drivers/iio/industrialio-core.c
+++ b/drivers/iio/industrialio-core.c
@@ -559,46 +559,46 @@ static ssize_t __iio_format_value(char *buf, size_t len, unsigned int type,
 
 	switch (type) {
 	case IIO_VAL_INT:
-		return snprintf(buf, len, "%d", vals[0]);
+		return scnprintf(buf, len, "%d", vals[0]);
 	case IIO_VAL_INT_PLUS_MICRO_DB:
 		scale_db = true;
 		/* fall through */
 	case IIO_VAL_INT_PLUS_MICRO:
 		if (vals[1] < 0)
-			return snprintf(buf, len, "-%d.%06u%s", abs(vals[0]),
+			return scnprintf(buf, len, "-%d.%06u%s", abs(vals[0]),
 					-vals[1], scale_db ? " dB" : "");
 		else
-			return snprintf(buf, len, "%d.%06u%s", vals[0], vals[1],
+			return scnprintf(buf, len, "%d.%06u%s", vals[0], vals[1],
 					scale_db ? " dB" : "");
 	case IIO_VAL_INT_PLUS_NANO:
 		if (vals[1] < 0)
-			return snprintf(buf, len, "-%d.%09u", abs(vals[0]),
+			return scnprintf(buf, len, "-%d.%09u", abs(vals[0]),
 					-vals[1]);
 		else
-			return snprintf(buf, len, "%d.%09u", vals[0], vals[1]);
+			return scnprintf(buf, len, "%d.%09u", vals[0], vals[1]);
 	case IIO_VAL_FRACTIONAL:
 		tmp = div_s64((s64)vals[0] * 1000000000LL, vals[1]);
 		tmp1 = vals[1];
 		tmp0 = (int)div_s64_rem(tmp, 1000000000, &tmp1);
-		return snprintf(buf, len, "%d.%09u", tmp0, abs(tmp1));
+		return scnprintf(buf, len, "%d.%09u", tmp0, abs(tmp1));
 	case IIO_VAL_FRACTIONAL_LOG2:
 		tmp = shift_right((s64)vals[0] * 1000000000LL, vals[1]);
 		tmp0 = (int)div_s64_rem(tmp, 1000000000LL, &tmp1);
-		return snprintf(buf, len, "%d.%09u", tmp0, abs(tmp1));
+		return scnprintf(buf, len, "%d.%09u", tmp0, abs(tmp1));
 	case IIO_VAL_INT_MULTIPLE:
 	{
 		int i;
 		int l = 0;
 
 		for (i = 0; i < size; ++i) {
-			l += snprintf(&buf[l], len - l, "%d ", vals[i]);
+			l += scnprintf(&buf[l], len - l, "%d ", vals[i]);
 			if (l >= len)
 				break;
 		}
 		return l;
 	}
 	case IIO_VAL_CHAR:
-		return snprintf(buf, len, "%c", (char)vals[0]);
+		return scnprintf(buf, len, "%c", (char)vals[0]);
 	default:
 		return 0;
 	}
@@ -669,10 +669,10 @@ static ssize_t iio_format_avail_list(char *buf, const int *vals,
 			if (len >= PAGE_SIZE)
 				return -EFBIG;
 			if (i < length - 1)
-				len += snprintf(buf + len, PAGE_SIZE - len,
+				len += scnprintf(buf + len, PAGE_SIZE - len,
 						" ");
 			else
-				len += snprintf(buf + len, PAGE_SIZE - len,
+				len += scnprintf(buf + len, PAGE_SIZE - len,
 						"\n");
 			if (len >= PAGE_SIZE)
 				return -EFBIG;
@@ -685,10 +685,10 @@ static ssize_t iio_format_avail_list(char *buf, const int *vals,
 			if (len >= PAGE_SIZE)
 				return -EFBIG;
 			if (i < length / 2 - 1)
-				len += snprintf(buf + len, PAGE_SIZE - len,
+				len += scnprintf(buf + len, PAGE_SIZE - len,
 						" ");
 			else
-				len += snprintf(buf + len, PAGE_SIZE - len,
+				len += scnprintf(buf + len, PAGE_SIZE - len,
 						"\n");
 			if (len >= PAGE_SIZE)
 				return -EFBIG;
@@ -712,10 +712,10 @@ static ssize_t iio_format_avail_range(char *buf, const int *vals, int type)
 			if (len >= PAGE_SIZE)
 				return -EFBIG;
 			if (i < 2)
-				len += snprintf(buf + len, PAGE_SIZE - len,
+				len += scnprintf(buf + len, PAGE_SIZE - len,
 						" ");
 			else
-				len += snprintf(buf + len, PAGE_SIZE - len,
+				len += scnprintf(buf + len, PAGE_SIZE - len,
 						"]\n");
 			if (len >= PAGE_SIZE)
 				return -EFBIG;
@@ -728,10 +728,10 @@ static ssize_t iio_format_avail_range(char *buf, const int *vals, int type)
 			if (len >= PAGE_SIZE)
 				return -EFBIG;
 			if (i < 2)
-				len += snprintf(buf + len, PAGE_SIZE - len,
+				len += scnprintf(buf + len, PAGE_SIZE - len,
 						" ");
 			else
-				len += snprintf(buf + len, PAGE_SIZE - len,
+				len += scnprintf(buf + len, PAGE_SIZE - len,
 						"]\n");
 			if (len >= PAGE_SIZE)
 				return -EFBIG;
-- 
2.16.4


^ permalink raw reply	[flat|nested] 7+ messages in thread

* [PATCH v2 2/2] iio: tsl2772: Use scnprintf() for avoiding potential buffer overflow
  2020-03-16 12:49 [PATCH v2 0/2] iio: Use scnprintf() for avoiding potential buffer overflow Takashi Iwai
  2020-03-16 12:49 ` [PATCH v2 1/2] iio: core: " Takashi Iwai
@ 2020-03-16 12:49 ` " Takashi Iwai
  2020-03-16 16:20   ` Brian Masney
  1 sibling, 1 reply; 7+ messages in thread
From: Takashi Iwai @ 2020-03-16 12:49 UTC (permalink / raw)
  To: Jonathan Cameron; +Cc: Brian Masney, linux-iio

snprintf() is a hard-to-use function, it's especially difficult to use
it for concatenating substrings in a buffer with a limited size.
Since snprintf() returns the would-be-output size, not the actual
size, the subsequent use of snprintf() may go beyond the given limit
easily.  Although the current code doesn't actually overflow the
buffer, it's an incorrect usage.

This patch replaces such snprintf() calls with a safer version,
scnprintf().

Also this fixes the incorrect argument of the buffer limit size passed
to snprintf(), too.  The size has to be decremented for the remaining
length.

Signed-off-by: Takashi Iwai <tiwai@suse.de>
---
v1->v2: Fix the snprintf() buffer limit argument
        Rephrase the changelog

 drivers/iio/light/tsl2772.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/drivers/iio/light/tsl2772.c b/drivers/iio/light/tsl2772.c
index be37fcbd4654..9fbde9b71b63 100644
--- a/drivers/iio/light/tsl2772.c
+++ b/drivers/iio/light/tsl2772.c
@@ -932,7 +932,7 @@ static ssize_t in_illuminance0_target_input_show(struct device *dev,
 {
 	struct tsl2772_chip *chip = iio_priv(dev_to_iio_dev(dev));
 
-	return snprintf(buf, PAGE_SIZE, "%d\n", chip->settings.als_cal_target);
+	return scnprintf(buf, PAGE_SIZE, "%d\n", chip->settings.als_cal_target);
 }
 
 static ssize_t in_illuminance0_target_input_store(struct device *dev,
@@ -986,7 +986,7 @@ static ssize_t in_illuminance0_lux_table_show(struct device *dev,
 	int offset = 0;
 
 	while (i < TSL2772_MAX_LUX_TABLE_SIZE) {
-		offset += snprintf(buf + offset, PAGE_SIZE, "%u,%u,",
+		offset += scnprintf(buf + offset, PAGE_SIZE - offset, "%u,%u,",
 			chip->tsl2772_device_lux[i].ch0,
 			chip->tsl2772_device_lux[i].ch1);
 		if (chip->tsl2772_device_lux[i].ch0 == 0) {
@@ -1000,7 +1000,7 @@ static ssize_t in_illuminance0_lux_table_show(struct device *dev,
 		i++;
 	}
 
-	offset += snprintf(buf + offset, PAGE_SIZE, "\n");
+	offset += scnprintf(buf + offset, PAGE_SIZE - offset, "\n");
 	return offset;
 }
 
-- 
2.16.4


^ permalink raw reply	[flat|nested] 7+ messages in thread

* Re: [PATCH v2 1/2] iio: core: Use scnprintf() for avoiding potential buffer overflow
  2020-03-16 12:49 ` [PATCH v2 1/2] iio: core: " Takashi Iwai
@ 2020-03-16 16:19   ` Brian Masney
  2020-03-22 18:06     ` Jonathan Cameron
  0 siblings, 1 reply; 7+ messages in thread
From: Brian Masney @ 2020-03-16 16:19 UTC (permalink / raw)
  To: Takashi Iwai; +Cc: Jonathan Cameron, linux-iio

On Mon, Mar 16, 2020 at 01:49:40PM +0100, Takashi Iwai wrote:
> snprintf() is a hard-to-use function, it's especially difficult to use
> it for concatenating substrings in a buffer with a limited size.
> Since snprintf() returns the would-be-output size, not the actual
> size, the subsequent use of snprintf() may go beyond the given limit
> easily.  Although the current code doesn't actually overflow the
> buffer, it's an incorrect usage.
> 
> This patch replaces such snprintf() calls with a safer version,
> scnprintf().
> 
> Signed-off-by: Takashi Iwai <tiwai@suse.de>

Reviewed-by: Brian Masney <masneyb@onstation.org>

^ permalink raw reply	[flat|nested] 7+ messages in thread

* Re: [PATCH v2 2/2] iio: tsl2772: Use scnprintf() for avoiding potential buffer overflow
  2020-03-16 12:49 ` [PATCH v2 2/2] iio: tsl2772: " Takashi Iwai
@ 2020-03-16 16:20   ` Brian Masney
  2020-03-22 18:08     ` Jonathan Cameron
  0 siblings, 1 reply; 7+ messages in thread
From: Brian Masney @ 2020-03-16 16:20 UTC (permalink / raw)
  To: Takashi Iwai; +Cc: Jonathan Cameron, linux-iio

On Mon, Mar 16, 2020 at 01:49:41PM +0100, Takashi Iwai wrote:
> snprintf() is a hard-to-use function, it's especially difficult to use
> it for concatenating substrings in a buffer with a limited size.
> Since snprintf() returns the would-be-output size, not the actual
> size, the subsequent use of snprintf() may go beyond the given limit
> easily.  Although the current code doesn't actually overflow the
> buffer, it's an incorrect usage.
> 
> This patch replaces such snprintf() calls with a safer version,
> scnprintf().
> 
> Also this fixes the incorrect argument of the buffer limit size passed
> to snprintf(), too.  The size has to be decremented for the remaining
> length.
> 
> Signed-off-by: Takashi Iwai <tiwai@suse.de>

Reviewed-by: Brian Masney <masneyb@onstation.org>

^ permalink raw reply	[flat|nested] 7+ messages in thread

* Re: [PATCH v2 1/2] iio: core: Use scnprintf() for avoiding potential buffer overflow
  2020-03-16 16:19   ` Brian Masney
@ 2020-03-22 18:06     ` Jonathan Cameron
  0 siblings, 0 replies; 7+ messages in thread
From: Jonathan Cameron @ 2020-03-22 18:06 UTC (permalink / raw)
  To: Brian Masney; +Cc: Takashi Iwai, linux-iio

On Mon, 16 Mar 2020 12:19:35 -0400
Brian Masney <masneyb@onstation.org> wrote:

> On Mon, Mar 16, 2020 at 01:49:40PM +0100, Takashi Iwai wrote:
> > snprintf() is a hard-to-use function, it's especially difficult to use
> > it for concatenating substrings in a buffer with a limited size.
> > Since snprintf() returns the would-be-output size, not the actual
> > size, the subsequent use of snprintf() may go beyond the given limit
> > easily.  Although the current code doesn't actually overflow the
> > buffer, it's an incorrect usage.
> > 
> > This patch replaces such snprintf() calls with a safer version,
> > scnprintf().
> > 
> > Signed-off-by: Takashi Iwai <tiwai@suse.de>  
> 
> Reviewed-by: Brian Masney <masneyb@onstation.org>
I picked this one up from v1.

Thanks,

Jonathan



^ permalink raw reply	[flat|nested] 7+ messages in thread

* Re: [PATCH v2 2/2] iio: tsl2772: Use scnprintf() for avoiding potential buffer overflow
  2020-03-16 16:20   ` Brian Masney
@ 2020-03-22 18:08     ` Jonathan Cameron
  0 siblings, 0 replies; 7+ messages in thread
From: Jonathan Cameron @ 2020-03-22 18:08 UTC (permalink / raw)
  To: Brian Masney; +Cc: Takashi Iwai, linux-iio

On Mon, 16 Mar 2020 12:20:26 -0400
Brian Masney <masneyb@onstation.org> wrote:

> On Mon, Mar 16, 2020 at 01:49:41PM +0100, Takashi Iwai wrote:
> > snprintf() is a hard-to-use function, it's especially difficult to use
> > it for concatenating substrings in a buffer with a limited size.
> > Since snprintf() returns the would-be-output size, not the actual
> > size, the subsequent use of snprintf() may go beyond the given limit
> > easily.  Although the current code doesn't actually overflow the
> > buffer, it's an incorrect usage.
> > 
> > This patch replaces such snprintf() calls with a safer version,
> > scnprintf().
> > 
> > Also this fixes the incorrect argument of the buffer limit size passed
> > to snprintf(), too.  The size has to be decremented for the remaining
> > length.
> > 
> > Signed-off-by: Takashi Iwai <tiwai@suse.de>  
> 
> Reviewed-by: Brian Masney <masneyb@onstation.org>
Applied.  Thanks for sorting this out.

Jonathan


^ permalink raw reply	[flat|nested] 7+ messages in thread

end of thread, back to index

Thread overview: 7+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2020-03-16 12:49 [PATCH v2 0/2] iio: Use scnprintf() for avoiding potential buffer overflow Takashi Iwai
2020-03-16 12:49 ` [PATCH v2 1/2] iio: core: " Takashi Iwai
2020-03-16 16:19   ` Brian Masney
2020-03-22 18:06     ` Jonathan Cameron
2020-03-16 12:49 ` [PATCH v2 2/2] iio: tsl2772: " Takashi Iwai
2020-03-16 16:20   ` Brian Masney
2020-03-22 18:08     ` Jonathan Cameron

Linux-IIO Archive on lore.kernel.org

Archives are clonable:
	git clone --mirror https://lore.kernel.org/linux-iio/0 linux-iio/git/0.git

	# If you have public-inbox 1.1+ installed, you may
	# initialize and index your mirror using the following commands:
	public-inbox-init -V2 linux-iio linux-iio/ https://lore.kernel.org/linux-iio \
		linux-iio@vger.kernel.org
	public-inbox-index linux-iio

Example config snippet for mirrors

Newsgroup available over NNTP:
	nntp://nntp.lore.kernel.org/org.kernel.vger.linux-iio


AGPL code for this site: git clone https://public-inbox.org/public-inbox.git