Re: [PATCH 2/2] iio: tsl2772: Use scnprintf() for avoiding potential buffer overflow

Jonathan Cameron <jic23@xxxxxxxxxx> · Sun, 15 Mar 2020 13:10:08 +0000

On Sun, 15 Mar 2020 06:33:58 -0400
Brian Masney <masneyb@xxxxxxxxxxxxx> wrote:

> On Sun, Mar 15, 2020 at 09:58:34AM +0000, Jonathan Cameron wrote:
> > On Wed, 11 Mar 2020 08:43:25 +0100
> > Takashi Iwai <tiwai@xxxxxxx> wrote:
> >   
> > > Since snprintf() returns the would-be-output size instead of the
> > > actual output size, the succeeding calls may go beyond the given
> > > buffer limit.  Fix it by replacing with scnprintf().
> > > 
> > > Signed-off-by: Takashi Iwai <tiwai@xxxxxxx>  
> > 
> > This one is printing a short well defined list of values.  No way they go
> > anywhere near the smallest possible PAGE_SIZE buffer that it's printing
> > into.
> > 
> > Which is handy given the remaining space isn't adjusted as we add items
> > to the string.  Hence even with scnprintf it would overflow.
> > 
> > Brian, can you take a look at this when you get a moment?  
> 
> I also agree that this won't overflow in practice, however we should fix
> this up. Maybe the scnprintf() calls should be this:
> 
>     offset += scnprintf(buf + offset, PAGE_SIZE - offset, ...);

Agreed.

Jonathan

> 
> Brian
> 
> 
> > 
> > Thanks,
> > 
> > Jonathan
> >   
> > > ---
> > >  drivers/iio/light/tsl2772.c | 4 ++--
> > >  1 file changed, 2 insertions(+), 2 deletions(-)
> > > 
> > > diff --git a/drivers/iio/light/tsl2772.c b/drivers/iio/light/tsl2772.c
> > > index be37fcbd4654..44a0b56a558c 100644
> > > --- a/drivers/iio/light/tsl2772.c
> > > +++ b/drivers/iio/light/tsl2772.c
> > > @@ -986,7 +986,7 @@ static ssize_t in_illuminance0_lux_table_show(struct device *dev,
> > >  	int offset = 0;
> > >  
> > >  	while (i < TSL2772_MAX_LUX_TABLE_SIZE) {
> > > -		offset += snprintf(buf + offset, PAGE_SIZE, "%u,%u,",
> > > +		offset += scnprintf(buf + offset, PAGE_SIZE, "%u,%u,",
> > >  			chip->tsl2772_device_lux[i].ch0,
> > >  			chip->tsl2772_device_lux[i].ch1);
> > >  		if (chip->tsl2772_device_lux[i].ch0 == 0) {
> > > @@ -1000,7 +1000,7 @@ static ssize_t in_illuminance0_lux_table_show(struct device *dev,
> > >  		i++;
> > >  	}
> > >  
> > > -	offset += snprintf(buf + offset, PAGE_SIZE, "\n");
> > > +	offset += scnprintf(buf + offset, PAGE_SIZE, "\n");
> > >  	return offset;
> > >  }
> > >    