Since snprintf() returns the would-be-output size instead of the actual output size, the succeeding calls may go beyond the given buffer limit. Fix it by replacing with scnprintf().
Signed-off-by: Takashi Iwai tiwai@suse.de
---
drivers/gpu/drm/drm_sysfs.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/gpu/drm/drm_sysfs.c b/drivers/gpu/drm/drm_sysfs.c index dd2bc85f43cc..9b3180e8c12f 100644 --- a/drivers/gpu/drm/drm_sysfs.c +++ b/drivers/gpu/drm/drm_sysfs.c @@ -230,7 +230,7 @@ static ssize_t modes_show(struct device *device,
mutex_lock(&connector->dev->mode_config.mutex); list_for_each_entry(mode, &connector->modes, head) { - written += snprintf(buf + written, PAGE_SIZE - written, "%s\n", + written += scnprintf(buf + written, PAGE_SIZE - written, "%s\n", mode->name); } mutex_unlock(&connector->dev->mode_config.mutex);
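Review bot: In the list_for_each_entry() loop, the scnprintf() call still runs for every remaining mode after the buffer is full, and the last name that fits is cut off without its trailing "\n", so a reader of the attribute cannot tell a truncated list from a complete one. Consider leaving the loop once written reaches PAGE_SIZE - 1. The commit message could also spell out what goes wrong in the old code: after one truncated snprintf(), written is larger than PAGE_SIZE, so buf + written points past the buffer and PAGE_SIZE - written is no longer a valid remaining size for the next call.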
Hi Takashi
On 11.03.20 at 08:35, Takashi Iwai wrote:
Since snprintf() returns the would-be-output size instead of the actual output size, the succeeding calls may go beyond the given buffer limit. Fix it by replacing with scnprintf().
Signed-off-by: Takashi Iwai tiwai@suse.de
drivers/gpu/drm/drm_sysfs.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/gpu/drm/drm_sysfs.c b/drivers/gpu/drm/drm_sysfs.c index dd2bc85f43cc..9b3180e8c12f 100644 --- a/drivers/gpu/drm/drm_sysfs.c +++ b/drivers/gpu/drm/drm_sysfs.c @@ -230,7 +230,7 @@ static ssize_t modes_show(struct device *device,
mutex_lock(&connector->dev->mode_config.mutex); list_for_each_entry(mode, &connector->modes, head) {
written += snprintf(buf + written, PAGE_SIZE - written, "%s\n",
} mutex_unlock(&connector->dev->mode_config.mutex);written += scnprintf(buf + written, PAGE_SIZE - written, "%s\n", mode->name);
In drm_sysfs.c, there are more _show functions with calls to snprintf() that could be replaced by scnprintf(). ATM they don't return the correct length for output that exceeds PAGE_SIZE. Since you're at it, you may replace them as well.
But in any case
Reviewed-by: Thomas Zimmermann tzimmermann@suse.de
for this patch.
Do you want me to merge the patch into drm-misc-next?
Best regards Thomas
On Wed, 11 Mar 2020 09:10:56 +0100, Thomas Zimmermann wrote:
Hi Takashi
On 11.03.20 at 08:35, Takashi Iwai wrote:
Since snprintf() returns the would-be-output size instead of the actual output size, the succeeding calls may go beyond the given buffer limit. Fix it by replacing with scnprintf().
Signed-off-by: Takashi Iwai tiwai@suse.de
drivers/gpu/drm/drm_sysfs.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/gpu/drm/drm_sysfs.c b/drivers/gpu/drm/drm_sysfs.c index dd2bc85f43cc..9b3180e8c12f 100644 --- a/drivers/gpu/drm/drm_sysfs.c +++ b/drivers/gpu/drm/drm_sysfs.c @@ -230,7 +230,7 @@ static ssize_t modes_show(struct device *device,
mutex_lock(&connector->dev->mode_config.mutex); list_for_each_entry(mode, &connector->modes, head) {
written += snprintf(buf + written, PAGE_SIZE - written, "%s\n",
} mutex_unlock(&connector->dev->mode_config.mutex);written += scnprintf(buf + written, PAGE_SIZE - written, "%s\n", mode->name);
In drm_sysfs.c, there are more _show functions with calls to snprintf() that could be replaced by scnprintf(). ATM they don't return the correct length for output that exceeds PAGE_SIZE. Since you're at it, you may replace them as well.
Well, the rest of the snprintf() calls are single calls and can't be over PAGE_SIZE obviously. IOW, they could rather be replaced with sprintf() instead, for the sake of simplicity.
But in any case
Reviewed-by: Thomas Zimmermann tzimmermann@suse.de
for this patch.
Do you want me to merge the patch into drm-misc-next?
Yes, please.
thanks,
Takashi
Hi
On 11.03.20 at 09:24, Takashi Iwai wrote:
On Wed, 11 Mar 2020 09:10:56 +0100, Thomas Zimmermann wrote:
Hi Takashi
On 11.03.20 at 08:35, Takashi Iwai wrote:
Since snprintf() returns the would-be-output size instead of the actual output size, the succeeding calls may go beyond the given buffer limit. Fix it by replacing with scnprintf().
Signed-off-by: Takashi Iwai tiwai@suse.de
drivers/gpu/drm/drm_sysfs.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/gpu/drm/drm_sysfs.c b/drivers/gpu/drm/drm_sysfs.c index dd2bc85f43cc..9b3180e8c12f 100644 --- a/drivers/gpu/drm/drm_sysfs.c +++ b/drivers/gpu/drm/drm_sysfs.c @@ -230,7 +230,7 @@ static ssize_t modes_show(struct device *device,
mutex_lock(&connector->dev->mode_config.mutex); list_for_each_entry(mode, &connector->modes, head) {
written += snprintf(buf + written, PAGE_SIZE - written, "%s\n",
} mutex_unlock(&connector->dev->mode_config.mutex);written += scnprintf(buf + written, PAGE_SIZE - written, "%s\n", mode->name);
In drm_sysfs.c, there are more _show functions with calls to snprintf() that could be replaced by scnprintf(). ATM they don't return the correct length for output that exceeds PAGE_SIZE. Since you're at it, you may replace them as well.
Well, the rest of the snprintf() calls are single calls and can't be over PAGE_SIZE obviously. IOW, they could rather be replaced with sprintf() instead, for the sake of simplicity.
Admittedly, none of these strings look as if they ever go beyond PAGE_SIZE, but scnprintf() is still a simple way of defensive programming here (and returns the correct value).
But in any case
Reviewed-by: Thomas Zimmermann tzimmermann@suse.de
for this patch.
Do you want me to merge the patch into drm-misc-next?
Yes, please.
OK, will do later today.
Best regards Thomas
thanks,
Takashi
On 11.03.20 at 09:24, Takashi Iwai wrote:
On Wed, 11 Mar 2020 09:10:56 +0100, Thomas Zimmermann wrote:
Hi Takashi
On 11.03.20 at 08:35, Takashi Iwai wrote:
Since snprintf() returns the would-be-output size instead of the actual output size, the succeeding calls may go beyond the given buffer limit. Fix it by replacing with scnprintf().
Signed-off-by: Takashi Iwai tiwai@suse.de
drivers/gpu/drm/drm_sysfs.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/gpu/drm/drm_sysfs.c b/drivers/gpu/drm/drm_sysfs.c index dd2bc85f43cc..9b3180e8c12f 100644 --- a/drivers/gpu/drm/drm_sysfs.c +++ b/drivers/gpu/drm/drm_sysfs.c @@ -230,7 +230,7 @@ static ssize_t modes_show(struct device *device,
mutex_lock(&connector->dev->mode_config.mutex); list_for_each_entry(mode, &connector->modes, head) {
written += snprintf(buf + written, PAGE_SIZE - written, "%s\n",
} mutex_unlock(&connector->dev->mode_config.mutex);written += scnprintf(buf + written, PAGE_SIZE - written, "%s\n", mode->name);
In drm_sysfs.c, there are more _show functions with calls to snprintf() that could be replaced by scnprintf(). ATM they don't return the correct length for output that exceeds PAGE_SIZE. Since you're at it, you may replace them as well.
Well, the rest of the snprintf() calls are single calls and can't be over PAGE_SIZE obviously. IOW, they could rather be replaced with sprintf() instead, for the sake of simplicity.
But in any case
Reviewed-by: Thomas Zimmermann tzimmermann@suse.de
for this patch.
Do you want me to merge the patch into drm-misc-next?
Yes, please.
https://cgit.freedesktop.org/drm/drm-misc/commit/?id=9b9f2219b2c4fa3d1a41245...
Best regards Thomas
thanks,
Takashi
dri-devel@lists.freedesktop.org
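The return-value difference discussed in this thread, as an added userspace C example (not code from the patch or the kernel tree): it runs the same accumulate-in-a-loop pattern with snprintf() and with a scnprintf()-style wrapper and compares the resulting offsets. `scnprintf_demo`, the sample mode names and the 16-byte buffer are assumptions standing in for the kernel's scnprintf(), mode->name and PAGE_SIZE.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Userspace stand-in for the kernel's scnprintf() (assumption: same contract,
 * returns the characters actually stored, excluding the trailing NUL). */
static int scnprintf_demo(char *buf, size_t size, const char *fmt, ...)
{
    va_list ap;
    int n;
    if (size == 0)
        return 0;
    va_start(ap, fmt);
    n = vsnprintf(buf, size, fmt, ap);
    va_end(ap);
    return n < 0 ? 0 : ((size_t)n < size ? n : (int)(size - 1));
}

/* Constructed sample names standing in for mode->name. */
static const char *const modes[] = { "1920x1080", "1280x720", "1024x768" };
enum { NMODES = sizeof(modes) / sizeof(modes[0]) };

/* Pre-patch pattern. The "written < size" guard is added for the demo only:
 * it stops before the call that would use an offset past the end of buf. */
static size_t fill_snprintf(char *buf, size_t size)
{
    size_t written = 0;
    for (int i = 0; i < NMODES && written < size; i++)
        written += snprintf(buf + written, size - written, "%s\n", modes[i]);
    return written;   /* would-be length: can be larger than size */
}

/* Patched pattern: the offset can never pass size - 1. */
static size_t fill_scnprintf(char *buf, size_t size)
{
    size_t written = 0;
    for (int i = 0; i < NMODES; i++)
        written += scnprintf_demo(buf + written, size - written, "%s\n", modes[i]);
    return written;   /* stored length, matches strlen(buf) */
}

int main(void)
{
    char a[16], b[16];
    size_t bad = fill_snprintf(a, sizeof(a)), ok = fill_scnprintf(b, sizeof(b));
    printf("snprintf offset %zu, scnprintf offset %zu, stored %zu\n", bad, ok, strlen(b));
    return 0;
}
```

The snprintf() offset ends up past the 16-byte buffer after the second name, which is the state in which the next `buf + written` would point outside it; the scnprintf-style offset stops at the last byte that was really stored.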