Linux Security Modules development
 help / color / mirror / Atom feed
From: Takashi Iwai <tiwai@suse.de>
To: Kentaro Takeda <takedakn@nttdata.co.jp>,
	Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Cc: linux-security-module@vger.kernel.org
Subject: [PATCH] tomoyo: Use scnprintf() for avoiding potential buffer overflow
Date: Wed, 11 Mar 2020 10:36:27 +0100	[thread overview]
Message-ID: <20200311093627.25409-1-tiwai@suse.de> (raw)

Since snprintf() returns the would-be-output size instead of the
actual output size, the succeeding calls may go beyond the given
buffer limit.  Fix it by replacing with scnprintf().

Signed-off-by: Takashi Iwai <tiwai@suse.de>
---
 security/tomoyo/audit.c | 18 +++++++++---------
 1 file changed, 9 insertions(+), 9 deletions(-)

diff --git a/security/tomoyo/audit.c b/security/tomoyo/audit.c
index 3c96e8402e94..aedc93959067 100644
--- a/security/tomoyo/audit.c
+++ b/security/tomoyo/audit.c
@@ -162,7 +162,7 @@ static char *tomoyo_print_header(struct tomoyo_request_info *r)
 
 	tomoyo_convert_time(ktime_get_real_seconds(), &stamp);
 
-	pos = snprintf(buffer, tomoyo_buffer_len - 1,
+	pos = scnprintf(buffer, tomoyo_buffer_len - 1,
 		       "#%04u/%02u/%02u %02u:%02u:%02u# profile=%u mode=%s granted=%s (global-pid=%u) task={ pid=%u ppid=%u uid=%u gid=%u euid=%u egid=%u suid=%u sgid=%u fsuid=%u fsgid=%u }",
 		       stamp.year, stamp.month, stamp.day, stamp.hour,
 		       stamp.min, stamp.sec, r->profile, tomoyo_mode[r->mode],
@@ -193,7 +193,7 @@ static char *tomoyo_print_header(struct tomoyo_request_info *r)
 		dev = stat->dev;
 		mode = stat->mode;
 		if (i & 1) {
-			pos += snprintf(buffer + pos,
+			pos += scnprintf(buffer + pos,
 					tomoyo_buffer_len - 1 - pos,
 					" path%u.parent={ uid=%u gid=%u ino=%lu perm=0%o }",
 					(i >> 1) + 1,
@@ -203,7 +203,7 @@ static char *tomoyo_print_header(struct tomoyo_request_info *r)
 					stat->mode & S_IALLUGO);
 			continue;
 		}
-		pos += snprintf(buffer + pos, tomoyo_buffer_len - 1 - pos,
+		pos += scnprintf(buffer + pos, tomoyo_buffer_len - 1 - pos,
 				" path%u={ uid=%u gid=%u ino=%lu major=%u minor=%u perm=0%o type=%s",
 				(i >> 1) + 1,
 				from_kuid(&init_user_ns, stat->uid),
@@ -213,12 +213,12 @@ static char *tomoyo_print_header(struct tomoyo_request_info *r)
 				mode & S_IALLUGO, tomoyo_filetype(mode));
 		if (S_ISCHR(mode) || S_ISBLK(mode)) {
 			dev = stat->rdev;
-			pos += snprintf(buffer + pos,
+			pos += scnprintf(buffer + pos,
 					tomoyo_buffer_len - 1 - pos,
 					" dev_major=%u dev_minor=%u",
 					MAJOR(dev), MINOR(dev));
 		}
-		pos += snprintf(buffer + pos, tomoyo_buffer_len - 1 - pos,
+		pos += scnprintf(buffer + pos, tomoyo_buffer_len - 1 - pos,
 				" }");
 	}
 no_obj_info:
@@ -276,17 +276,17 @@ char *tomoyo_init_log(struct tomoyo_request_info *r, int len, const char *fmt,
 	if (!buf)
 		goto out;
 	len--;
-	pos = snprintf(buf, len, "%s", header);
+	pos = scnprintf(buf, len, "%s", header);
 	if (realpath) {
 		struct linux_binprm *bprm = r->ee->bprm;
 
-		pos += snprintf(buf + pos, len - pos,
+		pos += scnprintf(buf + pos, len - pos,
 				" exec={ realpath=\"%s\" argc=%d envc=%d %s }",
 				realpath, bprm->argc, bprm->envc, bprm_info);
 	} else if (symlink)
-		pos += snprintf(buf + pos, len - pos, " symlink.target=\"%s\"",
+		pos += scnprintf(buf + pos, len - pos, " symlink.target=\"%s\"",
 				symlink);
-	pos += snprintf(buf + pos, len - pos, "\n%s\n", domainname);
+	pos += scnprintf(buf + pos, len - pos, "\n%s\n", domainname);
 	vsnprintf(buf + pos, len - pos, fmt, args);
 out:
 	kfree(realpath);
-- 
2.16.4


             reply	other threads:[~2020-03-11  9:36 UTC|newest]

Thread overview: 3+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2020-03-11  9:36 Takashi Iwai [this message]
2020-03-11 10:20 ` [PATCH] tomoyo: Use scnprintf() for avoiding potential buffer overflow Tetsuo Handa
2020-03-11 11:06   ` Takashi Iwai

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20200311093627.25409-1-tiwai@suse.de \
    --to=tiwai@suse.de \
    --cc=linux-security-module@vger.kernel.org \
    --cc=penguin-kernel@I-love.SAKURA.ne.jp \
    --cc=takedakn@nttdata.co.jp \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox