Re: [PATCH] staging: greybus: Use scnprintf() for avoiding potential buffer overflow

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Wed, 11 Mar 2020 17:40:02 +0100,
Johan Hovold wrote:
> 
> On Wed, Mar 11, 2020 at 12:01:26PM +0100, Takashi Iwai wrote:
> > On Wed, 11 Mar 2020 11:09:03 +0100,
> > Johan Hovold wrote:
> > > 
> > > On Wed, Mar 11, 2020 at 11:02:33AM +0100, Takashi Iwai wrote:
> > > > On Wed, 11 Mar 2020 10:58:14 +0100,
> > > > Johan Hovold wrote:
> > > > > 
> > > > > On Wed, Mar 11, 2020 at 10:19:06AM +0100, Takashi Iwai wrote:
> > > > > > Since snprintf() returns the would-be-output size instead of the
> > > > > > actual output size, the succeeding calls may go beyond the given
> > > > > > buffer limit.  Fix it by replacing with scnprintf().
> > > > > > 
> > > > > > Signed-off-by: Takashi Iwai <tiwai@xxxxxxx>
> > > > > > ---
> > > > > >  drivers/staging/greybus/tools/loopback_test.c | 24 ++++++++++++------------
> > > > > 
> > > > > Thanks for the fix.
> > > > > 
> > > > > Would you mind resending with a "staging: greybus: loopback_test:"
> > > > > prefix since this is not a subsystem wide issue, bur rather a bug in a
> > > > > specific user-space tool?
> > > > 
> > > > OK, will do that.
> > > 
> > > Thanks.
> > > 
> > > Perhaps you should replace the snprintf() at the start of the function
> > > in question as well by the way.
> > 
> > Yeah, it's I also wonder while working on many other codes, too.
> > I decided to minimize the changes at this time and concentrate only on
> > the code that has a pattern like:
> >    pos += snprintf(buf, limit - pos, ...)
> 
> But isn't the first snprintf() in such a sequence as much a part of the
> problem as the following ones?
> 
> If the first pos = snprintf(buf, limit, ...) overflows buf, then the
> next pos += snprintf(buf, limit - pos, ...) will be called with with a
> negative size argument (i.e. a very large unsigned value), which
> effectively breaks the length check regardless of whether you replace it
> with scnprintf() or not. And all later calls will similarly continue
> writing beyond the end of buf.

Yeah, that's the possible case although most calls are fine with it
since the limit is PAGE_SIZE or so.  This might need a bit more
special care.

> But wait a minute. This is user-space code, so there's no scnprintf().
> Did you not compile test this? ;P
>
> In fact it seems no-one has for a while. This code is just broken and
> doesn't even compile any more. Maybe we should just drop it instead.

Bah, I'm afraid that I overlooked this point!

I've scraped over many places via a script-like work, and did the
compile testing of the kernel, but not about tools.  If that's the
case, sorry for the mess, feel free to drop it. 


Takashi
_______________________________________________
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxx
http://driverdev.linuxdriverproject.org/mailman/listinfo/driverdev-devel



[Index of Archives]     [Linux Driver Backports]     [DMA Engine]     [Linux GPIO]     [Linux SPI]     [Video for Linux]     [Linux USB Devel]     [Linux Coverity]     [Linux Audio Users]     [Linux Kernel]     [Linux SCSI]     [Yosemite Backpacking]
  Powered by Linux