From: Dan Carpenter <dan.carpenter@linaro.org>
To: liulongfang <liulongfang@huawei.com>
Cc: Marion & Christophe JAILLET <christophe.jaillet@wanadoo.fr>,
Herbert Xu <herbert@gondor.apana.org.au>,
"David S. Miller" <davem@davemloft.net>,
Zaibo Xu <xuzaibo@huawei.com>,
linux-kernel@vger.kernel.org, kernel-janitors@vger.kernel.org,
linux-crypto@vger.kernel.org
Subject: Re: [PATCH] crypto: hisilicon/hpre - Fix a erroneous check after snprintf()
Date: Mon, 11 Sep 2023 10:27:25 +0300 [thread overview]
Message-ID: <6b9ada4d-0bfc-43c6-9793-be6762c1bbba@kadam.mountain> (raw)
In-Reply-To: <258d6883-f572-9ac7-f6c6-73c34b9d5b63@huawei.com>
On Mon, Sep 11, 2023 at 09:58:56AM +0800, liulongfang wrote:
> On 2023/9/7 19:15, Dan Carpenter wrote:
> > On Tue, Sep 05, 2023 at 07:27:47AM +0200, Marion & Christophe JAILLET wrote:
> >>>
> >>> The other snprintf in the same file also looks suspect.
> >>
> >> It looks correct to me.
> >>
> >> And HPRE_DBGFS_VAL_MAX_LEN being 20, it doesn't really matter. The string
> >> can't be truncated with just a "%u\n".
> >>
> >
> > drivers/crypto/hisilicon/hpre/hpre_main.c
> > 884 ret = snprintf(tbuf, HPRE_DBGFS_VAL_MAX_LEN, "%u\n", val);
> > 885 return simple_read_from_buffer(buf, count, pos, tbuf, ret);
> >
> > You can't pass the return value from snprintf() to simple_read_from_buffer().
> > Otherwise the snprintf() checking turned a sprintf() write overflow into
> > a read overflow, which is less bad but not ideal. It needs to be
> > scnprintf().
> >
>
> Here only one "%u" data is written to buf, the return value ret cannot exceed 10,
> and the length of tbuf is 20.
> How did the overflow you mentioned occur?
Why are we using snprintf() if the overflow can't occur? We could just
use sprintf().
The reason why we prefer to use snprintf() is because we are trying
extra hard to avoid buffer overflows. Belt and suspenders. The
overflow can't happen because we measured but even if we messed up we
are still safe.
We should apply that same logic to the next line. Even if an overflow
occurs, then we still want to be safe. And the way to do that is to
change snprintf() to scnprintf().
It is always incorrect to assume that snprintf() cannot overflow. It is
a mismatch. snprintf() is for careful people, and if we are going to be
careful then we have to be careful everywhere within the function
boundary. Outside of the function boundary then we can have different
assumptions, but within the function boundary then we have to logically
consistent.
It's the same logic as checking for NULL consistently.
foo->bar = frob();
if (!foo)
return -EINVAL;
This code is wrong. Even if foo can never be NULL and the code can
never crash, it is a logic inconsistency so it is wrong.
regards,
dan carpenter
next prev parent reply other threads:[~2023-09-11 7:27 UTC|newest]
Thread overview: 13+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-09-04 20:17 [PATCH] crypto: hisilicon/hpre - Fix a erroneous check after snprintf() Christophe JAILLET
2023-09-05 2:27 ` Herbert Xu
2023-09-05 5:27 ` Marion & Christophe JAILLET
2023-09-05 8:17 ` Herbert Xu
2023-09-06 2:04 ` liulongfang
2023-09-08 16:11 ` Christophe JAILLET
2023-09-11 1:52 ` liulongfang
2023-09-07 11:15 ` Dan Carpenter
2023-09-11 1:58 ` liulongfang
2023-09-11 7:27 ` Dan Carpenter [this message]
2023-09-12 6:39 ` Dan Carpenter
2023-09-12 10:05 ` Herbert Xu
2023-09-15 10:43 ` Herbert Xu
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=6b9ada4d-0bfc-43c6-9793-be6762c1bbba@kadam.mountain \
--to=dan.carpenter@linaro.org \
--cc=christophe.jaillet@wanadoo.fr \
--cc=davem@davemloft.net \
--cc=herbert@gondor.apana.org.au \
--cc=kernel-janitors@vger.kernel.org \
--cc=linux-crypto@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=liulongfang@huawei.com \
--cc=xuzaibo@huawei.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox