[PATCH] elevator: fix truncation of icq_cache_name

[PATCH] elevator: fix truncation of icq_cache_name

[Eric Biggers]

From: Eric Biggers <ebiggers@google.com>

gcc 7.1 reports the following warning:

    block/elevator.c: In function ‘elv_register’:
    block/elevator.c:898:5: warning: ‘snprintf’ output may be truncated before the last format character [-Wformat-truncation=]
         "%s_io_cq", e->elevator_name);
         ^~~~~~~~~~
    block/elevator.c:897:3: note: ‘snprintf’ output between 7 and 22 bytes into a destination of size 21
       snprintf(e->icq_cache_name, sizeof(e->icq_cache_name),
       ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
         "%s_io_cq", e->elevator_name);
         ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The bug is that the name of the icq_cache is 6 characters longer than
the elevator name, but only ELV_NAME_MAX + 5 characters were reserved
for it --- so in the case of a maximum-length elevator name, the 'q'
character in "_io_cq" would be truncated by snprintf().  Fix it by
reserving ELV_NAME_MAX + 6 characters instead.

Signed-off-by: Eric Biggers <ebiggers@google.com>
---
 include/linux/elevator.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/include/linux/elevator.h b/include/linux/elevator.h
index 9ec5e22846e0..0e306c5a86d6 100644
--- a/include/linux/elevator.h
+++ b/include/linux/elevator.h
@@ -153,7 +153,7 @@ struct elevator_type
 #endif
 
 	/* managed by elevator core */
-	char icq_cache_name[ELV_NAME_MAX + 5];	/* elvname + "_io_cq" */
+	char icq_cache_name[ELV_NAME_MAX + 6];	/* elvname + "_io_cq" */
 	struct list_head list;
 };
 
-- 
2.13.0

Re: [PATCH] elevator: fix truncation of icq_cache_name

[Bart Van Assche]

On Fri, 2017-06-02 at 20:35 -0700, Eric Biggers wrote:
> From: Eric Biggers <ebiggers@google.com>
>=20
> gcc 7.1 reports the following warning:
>=20
>     block/elevator.c: In function =91elv_register=92:
>     block/elevator.c:898:5: warning: =91snprintf=92 output may be truncat=
ed before the last format character [-Wformat-truncation=3D]
>          "%s_io_cq", e->elevator_name);
>          ^~~~~~~~~~
>     block/elevator.c:897:3: note: =91snprintf=92 output between 7 and 22 =
bytes into a destination of size 21
>        snprintf(e->icq_cache_name, sizeof(e->icq_cache_name),
>        ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>          "%s_io_cq", e->elevator_name);
>          ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>=20
> The bug is that the name of the icq_cache is 6 characters longer than
> the elevator name, but only ELV_NAME_MAX + 5 characters were reserved
> for it --- so in the case of a maximum-length elevator name, the 'q'
> character in "_io_cq" would be truncated by snprintf().  Fix it by
> reserving ELV_NAME_MAX + 6 characters instead.

Reviewed-by: Bart Van Assche <Bart.VanAssche@sandisk.com>=

Re: [PATCH] elevator: fix truncation of icq_cache_name

[Jens Axboe]

On 06/02/2017 09:35 PM, Eric Biggers wrote:
> From: Eric Biggers <ebiggers@google.com>
> 
> gcc 7.1 reports the following warning:
> 
>     block/elevator.c: In function ‘elv_register’:
>     block/elevator.c:898:5: warning: ‘snprintf’ output may be truncated before the last format character [-Wformat-truncation=]
>          "%s_io_cq", e->elevator_name);
>          ^~~~~~~~~~
>     block/elevator.c:897:3: note: ‘snprintf’ output between 7 and 22 bytes into a destination of size 21
>        snprintf(e->icq_cache_name, sizeof(e->icq_cache_name),
>        ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>          "%s_io_cq", e->elevator_name);
>          ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> 
> The bug is that the name of the icq_cache is 6 characters longer than
> the elevator name, but only ELV_NAME_MAX + 5 characters were reserved
> for it --- so in the case of a maximum-length elevator name, the 'q'
> character in "_io_cq" would be truncated by snprintf().  Fix it by
> reserving ELV_NAME_MAX + 6 characters instead.

Added, thanks.

-- 
Jens Axboe