On Mon, Oct 11, 2010 at 09:45:02PM +0200, Dan Carpenter wrote: > On Mon, Oct 11, 2010 at 07:51:48PM +0100, Mark Brown wrote: > > In actual fact quite a few devices have enough registers to be > > truncated, meaning that it's not only possible but likely we'll exercise > > the cases that deal with the end of buffer. If snprintf() is returning > > values larger than buffer size it was given we're likely to have an > > issue but it seems that there's something missing in your analysis since > > we're never seeing WARN_ON()s and are instead seeing the behaviour the > > code is intended to give, which is to truncate the output when we run > > out of space. > > > > Could you re-check your analysis, please? > > That's odd. I'm sorry, I can't explain why you wouldn't see a stack > trace... The code is straight forward: > > /* Reject out-of-range values early. Large positive sizes are > used for unknown buffer sizes. */ > if (WARN_ON_ONCE((int) size < 0)) > return 0; > > It would still give you truncated output but after the NULL terminator > there would be information leaked from the kernel. If the reader > program had allocated a large enough buffer to handle the extra > information it wouldn't cause a problem. > Actually it will never cause a problem with userspace because we pass the size of the userspace buffer to the kernel. The only issues are the information leak if the user passes in a 8k buffer and the also the WARN_ON_ONCE() regards, dan carpenter -- To unsubscribe from this list: send the line "unsubscribe kernel-janitors" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html