Patch "usb: yurex: Replace snprintf() with the safer scnprintf() variant" has been added to the 6.1-stable tree

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



This is a note to let you know that I've just added the patch titled

    usb: yurex: Replace snprintf() with the safer scnprintf() variant

to the 6.1-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     usb-yurex-replace-snprintf-with-the-safer-scnprintf-.patch
and it can be found in the queue-6.1 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit 312031bb74ffb51701b453fd3ea0af4debef5a3d
Author: Lee Jones <lee@xxxxxxxxxx>
Date:   Wed Dec 13 16:42:37 2023 +0000

    usb: yurex: Replace snprintf() with the safer scnprintf() variant
    
    [ Upstream commit 86b20af11e84c26ae3fde4dcc4f490948e3f8035 ]
    
    There is a general misunderstanding amongst engineers that {v}snprintf()
    returns the length of the data *actually* encoded into the destination
    array.  However, as per the C99 standard {v}snprintf() really returns
    the length of the data that *would have been* written if there were
    enough space for it.  This misunderstanding has led to buffer-overruns
    in the past.  It's generally considered safer to use the {v}scnprintf()
    variants in their place (or even sprintf() in simple cases).  So let's
    do that.
    
    Whilst we're at it, let's define some magic numbers to increase
    readability and ease of maintenance.
    
    Link: https://lwn.net/Articles/69419/
    Link: https://github.com/KSPP/linux/issues/105
    Cc: Tomoki Sekiyama <tomoki.sekiyama@xxxxxxxxx>
    Signed-off-by: Lee Jones <lee@xxxxxxxxxx>
    Link: https://lore.kernel.org/r/20231213164246.1021885-9-lee@xxxxxxxxxx
    Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
    Stable-dep-of: 93907620b308 ("USB: misc: yurex: fix race between read and write")
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/drivers/usb/misc/yurex.c b/drivers/usb/misc/yurex.c
index c640f98d20c54..5a13cddace0e6 100644
--- a/drivers/usb/misc/yurex.c
+++ b/drivers/usb/misc/yurex.c
@@ -34,6 +34,8 @@
 #define YUREX_BUF_SIZE		8
 #define YUREX_WRITE_TIMEOUT	(HZ*2)
 
+#define MAX_S64_STRLEN 20 /* {-}922337203685477580{7,8} */
+
 /* table of devices that work with this driver */
 static struct usb_device_id yurex_table[] = {
 	{ USB_DEVICE(YUREX_VENDOR_ID, YUREX_PRODUCT_ID) },
@@ -401,7 +403,7 @@ static ssize_t yurex_read(struct file *file, char __user *buffer, size_t count,
 {
 	struct usb_yurex *dev;
 	int len = 0;
-	char in_buffer[20];
+	char in_buffer[MAX_S64_STRLEN];
 	unsigned long flags;
 
 	dev = file->private_data;
@@ -412,14 +414,14 @@ static ssize_t yurex_read(struct file *file, char __user *buffer, size_t count,
 		return -ENODEV;
 	}
 
+	if (WARN_ON_ONCE(dev->bbu > S64_MAX || dev->bbu < S64_MIN))
+		return -EIO;
+
 	spin_lock_irqsave(&dev->lock, flags);
-	len = snprintf(in_buffer, 20, "%lld\n", dev->bbu);
+	scnprintf(in_buffer, MAX_S64_STRLEN, "%lld\n", dev->bbu);
 	spin_unlock_irqrestore(&dev->lock, flags);
 	mutex_unlock(&dev->io_mutex);
 
-	if (WARN_ON_ONCE(len >= sizeof(in_buffer)))
-		return -EIO;
-
 	return simple_read_from_buffer(buffer, count, ppos, in_buffer, len);
 }
 




[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Linux USB Devel]     [Linux Audio Users]     [Yosemite News]     [Linux Kernel]     [Linux SCSI]

  Powered by Linux