tree: git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging.git staging-testing
head: 59cc3399efd61fabb7f4aa23d4498bd9b01e5f6d
commit: 57562a72414ca35b2e614cfe0a1b1a7b7e7813dd [412/420] Staging: most: add MOST driver's core module

drivers/staging/most/mostcore/core.c:978 store_add_link() error: strlcpy() 'buffer' too small (80 vs u32max)
drivers/staging/most/mostcore/core.c:986 store_add_link() error: snprintf() is printing too much 4096 vs 80
drivers/staging/most/mostcore/core.c:1041 store_remove_link() error: strlcpy() 'buffer' too small (80 vs u32max)

git remote add staging git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging.git
git remote update staging
git checkout 57562a72414ca35b2e614cfe0a1b1a7b7e7813dd
vim +/buffer +978 drivers/staging/most/mostcore/core.c

57562a72 Christian Gromm 2015-07-24 972 char *mdev_ch;
57562a72 Christian Gromm 2015-07-24 973 char *mdev_devnod;
57562a72 Christian Gromm 2015-07-24 974 char devnod_buf[STRING_SIZE];
57562a72 Christian Gromm 2015-07-24 975 int ret;
57562a72 Christian Gromm 2015-07-24 976 unsigned int max_len = min((int)len + 1, STRING_SIZE);
57562a72 Christian Gromm 2015-07-24 977
57562a72 Christian Gromm 2015-07-24 @978 strlcpy(buffer, buf, max_len);

Here Smatch is complaining that the cast inside min() is bad. A high value of "len" is cast to a negative int, so the negative value wins the min(); stored in the unsigned int "max_len" it becomes a huge size (the "u32max" in the warning), and strlcpy() into the 80-byte "buffer" results in memory corruption. If you have the cross function database built up it won't complain because "len" can't be negative.
57562a72 Christian Gromm 2015-07-24 979 strlcpy(aim_obj->add_link, buf, max_len);
57562a72 Christian Gromm 2015-07-24 980
57562a72 Christian Gromm 2015-07-24 981 ret = split_string(buffer, &mdev, &mdev_ch, &mdev_devnod);
57562a72 Christian Gromm 2015-07-24 982 if (ret)
57562a72 Christian Gromm 2015-07-24 983 return ret;
57562a72 Christian Gromm 2015-07-24 984
57562a72 Christian Gromm 2015-07-24 985 if (mdev_devnod == 0 || *mdev_devnod == 0) {
57562a72 Christian Gromm 2015-07-24 @986 snprintf(devnod_buf, PAGE_SIZE, "%s-%s", mdev, mdev_ch);

The PAGE_SIZE should be "sizeof(devnod_buf)": devnod_buf is only STRING_SIZE (80) bytes, so with PAGE_SIZE (4096) as the limit snprintf() can write past the end of the stack buffer. This is a bug.

57562a72 Christian Gromm 2015-07-24 987 mdev_devnod = devnod_buf;
57562a72 Christian Gromm 2015-07-24 988 }
57562a72 Christian Gromm 2015-07-24 989
57562a72 Christian Gromm 2015-07-24 990 c = get_channel_by_name(mdev, mdev_ch);
57562a72 Christian Gromm 2015-07-24 991 if (IS_ERR(c))
57562a72 Christian Gromm 2015-07-24 992 return -ENODEV;
57562a72 Christian Gromm 2015-07-24 993
57562a72 Christian Gromm 2015-07-24 994 if (!c->first_aim)
57562a72 Christian Gromm 2015-07-24 995 aim_ptr = &c->first_aim;
57562a72 Christian Gromm 2015-07-24 996 else if (!c->second_aim)
57562a72 Christian Gromm 2015-07-24 997 aim_ptr = &c->second_aim;
57562a72 Christian Gromm 2015-07-24 998 else
57562a72 Christian Gromm 2015-07-24 999 return -ENOSPC;
57562a72 Christian Gromm 2015-07-24 1000
57562a72 Christian Gromm 2015-07-24 1001 ret = aim_obj->driver->probe_channel(c->iface, c->channel_id,
57562a72 Christian Gromm 2015-07-24 1002 &c->cfg, &c->kobj, mdev_devnod);
57562a72 Christian Gromm 2015-07-24 1003 if (ret)
57562a72 Christian Gromm 2015-07-24 1004 return ret;
57562a72 Christian Gromm 2015-07-24 1005 *aim_ptr = aim_obj->driver;
57562a72 Christian Gromm 2015-07-24 1006 return len;
57562a72 Christian Gromm 2015-07-24 1007 }
57562a72 Christian Gromm 2015-07-24 1008
57562a72 Christian Gromm 2015-07-24 1009 struct most_aim_attribute most_aim_attr_add_link =
57562a72 Christian Gromm 2015-07-24
1010 __ATTR(add_link, S_IRUGO | S_IWUSR, show_add_link, store_add_link);
57562a72 Christian Gromm 2015-07-24 1011
57562a72 Christian Gromm 2015-07-24 1012 static ssize_t show_remove_link(struct most_aim_obj *aim_obj,
57562a72 Christian Gromm 2015-07-24 1013 struct most_aim_attribute *attr,
57562a72 Christian Gromm 2015-07-24 1014 char *buf)
57562a72 Christian Gromm 2015-07-24 1015 {
57562a72 Christian Gromm 2015-07-24 1016 return snprintf(buf, PAGE_SIZE, "%s\n", aim_obj->remove_link);
57562a72 Christian Gromm 2015-07-24 1017 }
57562a72 Christian Gromm 2015-07-24 1018
57562a72 Christian Gromm 2015-07-24 1019 /**
57562a72 Christian Gromm 2015-07-24 1020 * store_remove_link - store function for remove_link attribute
57562a72 Christian Gromm 2015-07-24 1021 * @aim_obj: pointer to AIM object
57562a72 Christian Gromm 2015-07-24 1022 * @attr: its attributes
57562a72 Christian Gromm 2015-07-24 1023 * @buf: buffer
57562a72 Christian Gromm 2015-07-24 1024 * @len: buffer length
57562a72 Christian Gromm 2015-07-24 1025 *
57562a72 Christian Gromm 2015-07-24 1026 * Example:
57562a72 Christian Gromm 2015-07-24 1027 * echo -n -e "mdev0:ch0@ep_81\n" >remove_link
57562a72 Christian Gromm 2015-07-24 1028 */
57562a72 Christian Gromm 2015-07-24 1029 static ssize_t store_remove_link(struct most_aim_obj *aim_obj,
57562a72 Christian Gromm 2015-07-24 1030 struct most_aim_attribute *attr,
57562a72 Christian Gromm 2015-07-24 1031 const char *buf,
57562a72 Christian Gromm 2015-07-24 1032 size_t len)
57562a72 Christian Gromm 2015-07-24 1033 {
57562a72 Christian Gromm 2015-07-24 1034 struct most_c_obj *c;
57562a72 Christian Gromm 2015-07-24 1035 char buffer[STRING_SIZE];
57562a72 Christian Gromm 2015-07-24 1036 char *mdev;
57562a72 Christian Gromm 2015-07-24 1037 char *mdev_ch;
57562a72 Christian Gromm 2015-07-24 1038 int ret;
57562a72 Christian Gromm 2015-07-24 1039 unsigned int max_len = min((int)len + 1, STRING_SIZE);
57562a72 Christian Gromm 2015-07-24 1040
57562a72 Christian Gromm
2015-07-24 @1041 strlcpy(buffer, buf, max_len);

Same problem: the (int) cast turns high values of "len" negative.

57562a72 Christian Gromm 2015-07-24 1042 strlcpy(aim_obj->remove_link, buf, max_len);
57562a72 Christian Gromm 2015-07-24 1043 ret = split_string(buffer, &mdev, &mdev_ch, NULL);
57562a72 Christian Gromm 2015-07-24 1044 if (ret)

---
0-DAY kernel test infrastructure Open Source Technology Center
https://lists.01.org/pipermail/kbuild-all Intel Corporation
_______________________________________________
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxx
http://driverdev.linuxdriverproject.org/mailman/listinfo/driverdev-devel