[PATCH] PM / OPP: Use snprintf() instead of sprintf()

All of lore.kernel.org
 help / color / mirror / Atom feed

* [PATCH] PM / OPP: Use snprintf() instead of sprintf()
@ 2016-01-05 10:45 ` Viresh Kumar
  0 siblings, 0 replies; 5+ messages in thread
From: Viresh Kumar @ 2016-01-05 10:45 UTC (permalink / raw)
  To: Rafael Wysocki
  Cc: linaro-kernel, linux-pm, Viresh Kumar, Geert Uytterhoeven,
	Greg Kroah-Hartman, Len Brown, open list, Nishanth Menon,
	Pavel Machek, Stephen Boyd, Viresh Kumar

sprintf() can access memory outside of the range of the character array,
and is risky in some situations. The driver specified prop_name string
can be longer than NAME_MAX here (only an attacker will do that though)
and so blindly copying it into the character array of size NAME_MAX
isn't safe. Instead we must use snprintf() here.

Reported-by: Geert Uytterhoeven <geert@linux-m68k.org>
Signed-off-by: Viresh Kumar <viresh.kumar@linaro.org>
---
 drivers/base/power/opp/core.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/drivers/base/power/opp/core.c b/drivers/base/power/opp/core.c
index cd230c63aee6..cf351d3dab1c 100644
--- a/drivers/base/power/opp/core.c
+++ b/drivers/base/power/opp/core.c
@@ -808,7 +808,8 @@ static int opp_parse_supplies(struct dev_pm_opp *opp, struct device *dev,
 
 	/* Search for "opp-microvolt-<name>" */
 	if (dev_opp->prop_name) {
-		sprintf(name, "opp-microvolt-%s", dev_opp->prop_name);
+		snprintf(name, sizeof(name), "opp-microvolt-%s",
+			 dev_opp->prop_name);
 		prop = of_find_property(opp->np, name, NULL);
 	}
 
@@ -849,7 +850,8 @@ static int opp_parse_supplies(struct dev_pm_opp *opp, struct device *dev,
 	/* Search for "opp-microamp-<name>" */
 	prop = NULL;
 	if (dev_opp->prop_name) {
-		sprintf(name, "opp-microamp-%s", dev_opp->prop_name);
+		snprintf(name, sizeof(name), "opp-microamp-%s",
+			 dev_opp->prop_name);
 		prop = of_find_property(opp->np, name, NULL);
 	}
 
-- 
2.7.0.rc1.186.g94414c4

^ permalink raw reply related	[flat|nested] 5+ messages in thread

* [PATCH] PM / OPP: Use snprintf() instead of sprintf()
@ 2016-01-05 10:45 ` Viresh Kumar
  0 siblings, 0 replies; 5+ messages in thread
From: Viresh Kumar @ 2016-01-05 10:45 UTC (permalink / raw)
  To: Rafael Wysocki
  Cc: linaro-kernel, linux-pm, Viresh Kumar, Geert Uytterhoeven,
	Greg Kroah-Hartman, Len Brown, open list, Nishanth Menon,
	Pavel Machek, Stephen Boyd, Viresh Kumar

sprintf() can access memory outside of the range of the character array,
and is risky in some situations. The driver specified prop_name string
can be longer than NAME_MAX here (only an attacker will do that though)
and so blindly copying it into the character array of size NAME_MAX
isn't safe. Instead we must use snprintf() here.

Reported-by: Geert Uytterhoeven <geert@linux-m68k.org>
Signed-off-by: Viresh Kumar <viresh.kumar@linaro.org>
---
 drivers/base/power/opp/core.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/drivers/base/power/opp/core.c b/drivers/base/power/opp/core.c
index cd230c63aee6..cf351d3dab1c 100644
--- a/drivers/base/power/opp/core.c
+++ b/drivers/base/power/opp/core.c
@@ -808,7 +808,8 @@ static int opp_parse_supplies(struct dev_pm_opp *opp, struct device *dev,
 
 	/* Search for "opp-microvolt-<name>" */
 	if (dev_opp->prop_name) {
-		sprintf(name, "opp-microvolt-%s", dev_opp->prop_name);
+		snprintf(name, sizeof(name), "opp-microvolt-%s",
+			 dev_opp->prop_name);
 		prop = of_find_property(opp->np, name, NULL);
 	}
 
@@ -849,7 +850,8 @@ static int opp_parse_supplies(struct dev_pm_opp *opp, struct device *dev,
 	/* Search for "opp-microamp-<name>" */
 	prop = NULL;
 	if (dev_opp->prop_name) {
-		sprintf(name, "opp-microamp-%s", dev_opp->prop_name);
+		snprintf(name, sizeof(name), "opp-microamp-%s",
+			 dev_opp->prop_name);
 		prop = of_find_property(opp->np, name, NULL);
 	}
 
-- 
2.7.0.rc1.186.g94414c4


^ permalink raw reply related	[flat|nested] 5+ messages in thread

* Re: [PATCH] PM / OPP: Use snprintf() instead of sprintf()
  2016-01-05 10:45 ` Viresh Kumar
  (?)
@ 2016-01-05 10:51 ` Geert Uytterhoeven
  -1 siblings, 0 replies; 5+ messages in thread
From: Geert Uytterhoeven @ 2016-01-05 10:51 UTC (permalink / raw)
  To: Viresh Kumar
  Cc: Rafael Wysocki, linaro-kernel, Linux PM list, Greg Kroah-Hartman,
	Len Brown, open list, Nishanth Menon, Pavel Machek, Stephen Boyd,
	Viresh Kumar

On Tue, Jan 5, 2016 at 11:45 AM, Viresh Kumar <viresh.kumar@linaro.org> wrote:
> sprintf() can access memory outside of the range of the character array,
> and is risky in some situations. The driver specified prop_name string
> can be longer than NAME_MAX here (only an attacker will do that though)
> and so blindly copying it into the character array of size NAME_MAX
> isn't safe. Instead we must use snprintf() here.

Thanks!

> Reported-by: Geert Uytterhoeven <geert@linux-m68k.org>
> Signed-off-by: Viresh Kumar <viresh.kumar@linaro.org>

Acked-by: Geert Uytterhoeven <geert+renesas@glider.be>

Gr{oetje,eeting}s,

                        Geert

--
Geert Uytterhoeven -- There's lots of Linux beyond ia32 -- geert@linux-m68k.org

In personal conversations with technical people, I call myself a hacker. But
when I'm talking to journalists I just say "programmer" or something like that.
                                -- Linus Torvalds

^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: [PATCH] PM / OPP: Use snprintf() instead of sprintf()
  2016-01-05 10:45 ` Viresh Kumar
  (?)
  (?)
@ 2016-01-05 19:52 ` Stephen Boyd
  -1 siblings, 0 replies; 5+ messages in thread
From: Stephen Boyd @ 2016-01-05 19:52 UTC (permalink / raw)
  To: Viresh Kumar
  Cc: Rafael Wysocki, linaro-kernel, linux-pm, Geert Uytterhoeven,
	Greg Kroah-Hartman, Len Brown, open list, Nishanth Menon,
	Pavel Machek, Viresh Kumar

On 01/05, Viresh Kumar wrote:
> sprintf() can access memory outside of the range of the character array,
> and is risky in some situations. The driver specified prop_name string
> can be longer than NAME_MAX here (only an attacker will do that though)
> and so blindly copying it into the character array of size NAME_MAX
> isn't safe. Instead we must use snprintf() here.
> 
> Reported-by: Geert Uytterhoeven <geert@linux-m68k.org>
> Signed-off-by: Viresh Kumar <viresh.kumar@linaro.org>
> ---

Acked-by: Stephen Boyd <sboyd@codeaurora.org>

-- 
Qualcomm Innovation Center, Inc. is a member of Code Aurora Forum,
a Linux Foundation Collaborative Project

^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: [PATCH] PM / OPP: Use snprintf() instead of sprintf()
  2016-01-05 10:45 ` Viresh Kumar
                   ` (2 preceding siblings ...)
  (?)
@ 2016-01-08  0:48 ` Rafael J. Wysocki
  -1 siblings, 0 replies; 5+ messages in thread
From: Rafael J. Wysocki @ 2016-01-08  0:48 UTC (permalink / raw)
  To: Viresh Kumar
  Cc: linaro-kernel, linux-pm, Geert Uytterhoeven, Greg Kroah-Hartman,
	Len Brown, open list, Nishanth Menon, Pavel Machek, Stephen Boyd,
	Viresh Kumar

On Tuesday, January 05, 2016 04:15:54 PM Viresh Kumar wrote:
> sprintf() can access memory outside of the range of the character array,
> and is risky in some situations. The driver specified prop_name string
> can be longer than NAME_MAX here (only an attacker will do that though)
> and so blindly copying it into the character array of size NAME_MAX
> isn't safe. Instead we must use snprintf() here.
> 
> Reported-by: Geert Uytterhoeven <geert@linux-m68k.org>
> Signed-off-by: Viresh Kumar <viresh.kumar@linaro.org>

Applied, thanks!

> ---
>  drivers/base/power/opp/core.c | 6 ++++--
>  1 file changed, 4 insertions(+), 2 deletions(-)
> 
> diff --git a/drivers/base/power/opp/core.c b/drivers/base/power/opp/core.c
> index cd230c63aee6..cf351d3dab1c 100644
> --- a/drivers/base/power/opp/core.c
> +++ b/drivers/base/power/opp/core.c
> @@ -808,7 +808,8 @@ static int opp_parse_supplies(struct dev_pm_opp *opp, struct device *dev,
>  
>  	/* Search for "opp-microvolt-<name>" */
>  	if (dev_opp->prop_name) {
> -		sprintf(name, "opp-microvolt-%s", dev_opp->prop_name);
> +		snprintf(name, sizeof(name), "opp-microvolt-%s",
> +			 dev_opp->prop_name);
>  		prop = of_find_property(opp->np, name, NULL);
>  	}
>  
> @@ -849,7 +850,8 @@ static int opp_parse_supplies(struct dev_pm_opp *opp, struct device *dev,
>  	/* Search for "opp-microamp-<name>" */
>  	prop = NULL;
>  	if (dev_opp->prop_name) {
> -		sprintf(name, "opp-microamp-%s", dev_opp->prop_name);
> +		snprintf(name, sizeof(name), "opp-microamp-%s",
> +			 dev_opp->prop_name);
>  		prop = of_find_property(opp->np, name, NULL);
>  	}
>  
> 

-- 
I speak only for myself.
Rafael J. Wysocki, Intel Open Source Technology Center.

^ permalink raw reply	[flat|nested] 5+ messages in thread

end of thread, other threads:[~2016-01-08  0:17 UTC | newest]

Thread overview: 5+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2016-01-05 10:45 [PATCH] PM / OPP: Use snprintf() instead of sprintf() Viresh Kumar
2016-01-05 10:45 ` Viresh Kumar
2016-01-05 10:51 ` Geert Uytterhoeven
2016-01-05 19:52 ` Stephen Boyd
2016-01-08  0:48 ` Rafael J. Wysocki

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.