On 2023/9/7 19:15, Dan Carpenter wrote: > On Tue, Sep 05, 2023 at 07:27:47AM +0200, Marion & Christophe JAILLET wrote: >>> >>> The other snprintf in the same file also looks suspect. >> >> It looks correct to me. >> >> And HPRE_DBGFS_VAL_MAX_LEN being 20, it doesn't really matter. The string >> can't be truncated with just a "%u\n". >> > > drivers/crypto/hisilicon/hpre/hpre_main.c > 884 ret = snprintf(tbuf, HPRE_DBGFS_VAL_MAX_LEN, "%u\n", val); > 885 return simple_read_from_buffer(buf, count, pos, tbuf, ret); > > You can't pass the return value from snprintf() to simple_read_from_buffer(). > Otherwise the snprintf() checking turned a sprintf() write overflow into > a read overflow, which is less bad but not ideal. It needs to be > scnprintf(). > Here only one "%u" data is written to buf, the return value ret cannot exceed 10, and the length of tbuf is 20. How did the overflow you mentioned occur? Thanks, Longfang. > regards, > dan carpenter > > > . >