Message ID | 20200311073452.7056-1-tiwai@suse.de (mailing list archive) |
---|---|
State | New, archived |
Series | drm/ttm: Use scnprintf() for avoiding potential buffer overflow |
On Wed, Mar 11, 2020 at 03:34:52PM +0800, Takashi Iwai wrote: > Since snprintf() returns the would-be-output size instead of the > actual output size, the succeeding calls may go beyond the given > buffer limit. Fix it by replacing with scnprintf(). > > Signed-off-by: Takashi Iwai <tiwai@suse.de> Reviewed-by: Huang Rui <ray.huang@amd.com> > --- > drivers/gpu/drm/ttm/ttm_page_alloc_dma.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/drivers/gpu/drm/ttm/ttm_page_alloc_dma.c b/drivers/gpu/drm/ttm/ttm_page_alloc_dma.c > index bf876faea592..faefaaef7909 100644 > --- a/drivers/gpu/drm/ttm/ttm_page_alloc_dma.c > +++ b/drivers/gpu/drm/ttm/ttm_page_alloc_dma.c > @@ -604,7 +604,7 @@ static struct dma_pool *ttm_dma_pool_init(struct device *dev, gfp_t flags, > p = pool->name; > for (i = 0; i < ARRAY_SIZE(t); i++) { > if (type & t[i]) { > - p += snprintf(p, sizeof(pool->name) - (p - pool->name), > + p += scnprintf(p, sizeof(pool->name) - (p - pool->name), > "%s", n[i]); > } > } > -- > 2.16.4 >
On 11.03.20 at 08:52, Huang Rui wrote: > On Wed, Mar 11, 2020 at 03:34:52PM +0800, Takashi Iwai wrote: >> Since snprintf() returns the would-be-output size instead of the >> actual output size, the succeeding calls may go beyond the given >> buffer limit. Fix it by replacing with scnprintf(). >> >> Signed-off-by: Takashi Iwai <tiwai@suse.de> > Reviewed-by: Huang Rui <ray.huang@amd.com> Reviewed-by: Christian König <christian.koenig@amd.com> Takashi, should I push this to drm-misc-next or do you want to merge that somehow else? Thanks, Christian. > >> --- >> drivers/gpu/drm/ttm/ttm_page_alloc_dma.c | 2 +- >> 1 file changed, 1 insertion(+), 1 deletion(-) >> >> diff --git a/drivers/gpu/drm/ttm/ttm_page_alloc_dma.c b/drivers/gpu/drm/ttm/ttm_page_alloc_dma.c >> index bf876faea592..faefaaef7909 100644 >> --- a/drivers/gpu/drm/ttm/ttm_page_alloc_dma.c >> +++ b/drivers/gpu/drm/ttm/ttm_page_alloc_dma.c >> @@ -604,7 +604,7 @@ static struct dma_pool *ttm_dma_pool_init(struct device *dev, gfp_t flags, >> p = pool->name; >> for (i = 0; i < ARRAY_SIZE(t); i++) { >> if (type & t[i]) { >> - p += snprintf(p, sizeof(pool->name) - (p - pool->name), >> + p += scnprintf(p, sizeof(pool->name) - (p - pool->name), >> "%s", n[i]); >> } >> } >> -- >> 2.16.4 >>
On Wed, 11 Mar 2020 08:56:11 +0100, Christian König wrote:
>
> On 11.03.20 at 08:52, Huang Rui wrote:
> > On Wed, Mar 11, 2020 at 03:34:52PM +0800, Takashi Iwai wrote:
> >> Since snprintf() returns the would-be-output size instead of the
> >> actual output size, the succeeding calls may go beyond the given
> >> buffer limit. Fix it by replacing with scnprintf().
> >>
> >> Signed-off-by: Takashi Iwai <tiwai@suse.de>
> > Reviewed-by: Huang Rui <ray.huang@amd.com>
>
> Reviewed-by: Christian König <christian.koenig@amd.com>
>
> Takashi, should I push this to drm-misc-next or do you want to merge
> that somehow else?

Please take through your tree as you like.

Thanks!

Takashi
diff --git a/drivers/gpu/drm/ttm/ttm_page_alloc_dma.c b/drivers/gpu/drm/ttm/ttm_page_alloc_dma.c index bf876faea592..faefaaef7909 100644 --- a/drivers/gpu/drm/ttm/ttm_page_alloc_dma.c +++ b/drivers/gpu/drm/ttm/ttm_page_alloc_dma.c @@ -604,7 +604,7 @@ static struct dma_pool *ttm_dma_pool_init(struct device *dev, gfp_t flags, p = pool->name; for (i = 0; i < ARRAY_SIZE(t); i++) { if (type & t[i]) { - p += snprintf(p, sizeof(pool->name) - (p - pool->name), + p += scnprintf(p, sizeof(pool->name) - (p - pool->name), "%s", n[i]); } }
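Review bot: In the `p += scnprintf(...)` line of the ttm_dma_pool_init() hunk, truncation becomes silent. Once the selected n[i] strings no longer fit in pool->name, scnprintf() stops at the last byte and the loop keeps iterating with no room left, so the remaining names are dropped without any indication. Please state in the commit message whether the n[] strings can actually exceed sizeof(pool->name), that is, whether this is a reachable overflow or hardening, and consider a warning when the name is cut short. The `sizeof(pool->name) - (p - pool->name)` expression would also be easier to audit as a named remaining-length variable.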
Since snprintf() returns the would-be-output size instead of the
actual output size, the succeeding calls may go beyond the given
buffer limit. Fix it by replacing with scnprintf().

Signed-off-by: Takashi Iwai <tiwai@suse.de>
---
 drivers/gpu/drm/ttm/ttm_page_alloc_dma.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
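The return-value difference the commit message describes, shown as an added userspace example (not code from the patch or the kernel tree). `scnprintf_like()` and `build_name()` are hypothetical names, the former written to the kernel scnprintf() contract, and the part strings and the 8-byte buffer are constructed.

```c
#include <stdarg.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Userspace stand-in (hypothetical name) with the kernel scnprintf()
 * contract: returns the characters actually stored, excluding the NUL. */
static int scnprintf_like(char *buf, size_t size, const char *fmt, ...)
{
	va_list ap;
	int n;

	if (size == 0)
		return 0;
	va_start(ap, fmt);
	n = vsnprintf(buf, size, fmt, ap);
	va_end(ap);
	if (n < 0)
		return 0;
	return (size_t)n < size ? n : (int)(size - 1);
}

/* Concatenate parts into name[cap] and return the final cursor offset.
 * Offsets replace the raw pointer, and the snprintf() variant stops once
 * the cursor leaves the buffer, so this demo never writes out of bounds. */
static size_t build_name(char *name, size_t cap, const char *const *parts,
			 size_t nparts, int use_scnprintf)
{
	size_t off = 0;

	for (size_t i = 0; i < nparts && off < cap; i++) {
		if (use_scnprintf)
			off += (size_t)scnprintf_like(name + off, cap - off, "%s", parts[i]);
		else
			off += (size_t)snprintf(name + off, cap - off, "%s", parts[i]);
	}
	return off;
}

int main(void)
{
	const char *const parts[] = { "alpha", "beta", "gamma" }; /* constructed */
	char name[8];

	printf("snprintf cursor:  %zu of %zu\n", build_name(name, sizeof(name), parts, 3, 0), sizeof(name));
	printf("scnprintf cursor: %zu (\"%s\")\n", build_name(name, sizeof(name), parts, 3, 1), name);
	return 0;
}
```

With the snprintf() return value the cursor ends past the buffer, so the next `size - offset` computation would wrap to a huge unsigned value; with the scnprintf() contract the cursor stays inside the buffer and the name is truncated instead.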