From: WANG Cong <xiyou.wangcong@gmail.com>
To: Miao Xie <miaox@cn.fujitsu.com>
Cc: tglx@linutronix.de, linux-kernel@vger.kernel.org
Subject: Re: [PATCH] time: fix sysfs_show_{available,current}_clocksources() buffer overflow problem
Date: Thu, 8 Nov 2007 19:47:41 +0800
Message-ID: <20071108114741.GF2479@hacking>
In-Reply-To: <4732EAB4.5070605@cn.fujitsu.com>

On Thu, Nov 08, 2007 at 06:53:40PM +0800, Miao Xie wrote:
>Hi, everyone.
>  I found that there is a buffer overflow problem in the following code.
>
>Version:	2.6.24-rc2,
>File:		kernel/time/clocksource.c:417-432
>--------------------------------------------------------------------
>static ssize_t
>sysfs_show_available_clocksources(struct sys_device *dev, char *buf)
>{
>	struct clocksource *src;
>	char *curr = buf;
>
>	spin_lock_irq(&clocksource_lock);
>	list_for_each_entry(src, &clocksource_list, list) {
>		curr += sprintf(curr, "%s ", src->name);
>	}
>	spin_unlock_irq(&clocksource_lock);
>
>	curr += sprintf(curr, "\n");
>
>	return curr - buf;
>}
>-----------------------------------------------------------------------
>
>sysfs_show_current_clocksources() also has the same problem though in practice
>the size of current clocksource's name won't exceed PAGE_SIZE.
>
>I fix the bug by using snprintf according to the specification of the kernel
>(Version:2.6.24-rc2,File:Documentation/filesystems/sysfs.txt)
>
>Fix sysfs_show_available_clocksources() and sysfs_show_current_clocksources()
>buffer overflow problem with snprintf().
>
>Signed-off-by: Miao Xie <miaox@cn.fujitsu.com>
>
>---
> kernel/time/clocksource.c |   19 ++++++++++---------
> 1 files changed, 10 insertions(+), 9 deletions(-)
>
>diff --git a/kernel/time/clocksource.c b/kernel/time/clocksource.c
>index c8a9d13..5d5926f 100644
>--- a/kernel/time/clocksource.c
>+++ b/kernel/time/clocksource.c
>@@ -342,15 +342,13 @@ void clocksource_change_rating(struct clocksource 
>*cs, int rating)
> static ssize_t
> sysfs_show_current_clocksources(struct sys_device *dev, char *buf)
> {
>-	char *curr = buf;
>+	ssize_t count = 0;
>
> 	spin_lock_irq(&clocksource_lock);
>-	curr += sprintf(curr, "%s ", curr_clocksource->name);
>+	count = snprintf(buf, PAGE_SIZE, "%s\n", curr_clocksource->name);
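
Review bot: at `count = snprintf(buf, PAGE_SIZE, "%s\n", curr_clocksource->name);`, snprintf() returns the length the formatted string would have had, not the number of bytes stored, so on truncation count is PAGE_SIZE or more and should not be handed back as the show() length unclamped. Either clamp it (`if (count >= PAGE_SIZE) count = PAGE_SIZE - 1;`) or use scnprintf(), which returns what was actually written. The `= 0` initializer on `ssize_t count` is also dead in the lines shown, since count is assigned unconditionally right after.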

Yes, snprintf is safer than sprintf. But here, the 'count' will be
mis-pointed when snprintf returns no less than PAGE_SIZE (what you called
overflow). So you may also need:

	if (unlikely(count >= PAGE_SIZE))
		count = PAGE_SIZE - 1;

Just a simple guess. ;)
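
The return-value behaviour discussed in the reply above, as a userspace model (an added example, not part of the original message or of the kernel source). BUF_SIZE stands in for PAGE_SIZE, the clocksource names are constructed, and append() is a hypothetical helper; the list-walking function goes beyond the single-call case the reply addresses.

```c
#include <stdio.h>

#define BUF_SIZE 32 /* stand-in for PAGE_SIZE, small so truncation shows */
#define LONG_NAME "constructed_clocksource_name_longer_than_buffer"
/* Constructed sample names; the last one does not fit in BUF_SIZE. */
static const char *names[] = { "tsc", "hpet", "acpi_pm", LONG_NAME };
static char demo_buf[BUF_SIZE];

/* As in the quoted hunk: snprintf()'s return value is taken as the length. */
static long show_unclamped(char *buf, const char *name)
{
	return snprintf(buf, BUF_SIZE, "%s\n", name);
}

/* With the clamp from the reply: report at most what the buffer holds. */
static long show_clamped(char *buf, const char *name)
{
	long count = snprintf(buf, BUF_SIZE, "%s\n", name);
	return count >= BUF_SIZE ? BUF_SIZE - 1 : count;
}

/* Hypothetical helper: append s and sep at pos, return bytes actually stored. */
static size_t append(char *buf, size_t size, size_t pos, const char *s, char sep)
{
	int n;
	if (pos + 1 >= size)
		return 0; /* only the NUL slot is left */
	n = snprintf(buf + pos, size - pos, "%s%c", s, sep);
	if (n <= 0)
		return 0;
	return (size_t)n >= size - pos ? size - pos - 1 : (size_t)n;
}

/* List-walking variant: the running offset can never leave the buffer. */
static size_t show_available(char *buf)
{
	size_t i, count = 0;
	for (i = 0; i < sizeof(names) / sizeof(names[0]); i++)
		count += append(buf, BUF_SIZE, count, names[i], ' ');
	return count + append(buf, BUF_SIZE, count, "", '\n');
}

int main(void)
{
	printf("unclamped=%ld\n", show_unclamped(demo_buf, LONG_NAME));
	printf("clamped=%ld\n", show_clamped(demo_buf, LONG_NAME));
	printf("available=%zu\n", show_available(demo_buf));
	return 0;
}
```

In the unclamped case the buffer itself is not overrun; the problem is that the reported length exceeds what the buffer contains.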