Re: [PATCH] xfs: Use scnprintf() for avoiding potential buffer overflow

public inbox for linux-xfs@vger.kernel.org
 help / color / mirror / Atom feed

From: Dave Chinner <david@fromorbit.com>
To: Takashi Iwai <tiwai@suse.de>
Cc: "Darrick J . Wong" <darrick.wong@oracle.com>, linux-xfs@vger.kernel.org
Subject: Re: [PATCH] xfs: Use scnprintf() for avoiding potential buffer overflow
Date: Thu, 12 Mar 2020 09:09:14 +1100	[thread overview]
Message-ID: <20200311220914.GF10776@dread.disaster.area> (raw)
In-Reply-To: <20200311093552.25354-1-tiwai@suse.de>

On Wed, Mar 11, 2020 at 10:35:52AM +0100, Takashi Iwai wrote:
> Since snprintf() returns the would-be-output size instead of the
> actual output size, the succeeding calls may go beyond the given
> buffer limit.  Fix it by replacing with scnprintf().
> 
> Signed-off-by: Takashi Iwai <tiwai@suse.de>
> ---
>  fs/xfs/xfs_stats.c | 10 +++++-----
>  1 file changed, 5 insertions(+), 5 deletions(-)

what about all the other calls to snprintf() in fs/xfs/xfs_sysfs.c
and fs/xfs/xfs_error.c that return the "would be written" length to
their callers? i.e. we can return a length longer than the buffer
provided to the callers...

Aren't they all broken, too?

A quick survey of random snprintf() calls shows there's an abundance
of callers that do not check the return value of snprintf for
overflow when outputting stuff to proc/sysfs files. This seems like
a case of "snprintf() considered harmful, s/snprintf/scnprintf/
kernel wide, remove snprintf()"...

Cheers,

Dave,
-- 
Dave Chinner
david@fromorbit.com

next prev parent reply	other threads:[~2020-03-11 22:09 UTC|newest]

Thread overview: 12+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2020-03-11  9:35 [PATCH] xfs: Use scnprintf() for avoiding potential buffer overflow Takashi Iwai
2020-03-11 18:21 ` Darrick J. Wong
2020-03-11 20:00   ` Takashi Iwai
2020-03-11 22:09 ` Dave Chinner [this message]
2020-03-12  7:01   ` Takashi Iwai
2020-03-12 22:27     ` Dave Chinner
2020-03-12 22:43       ` Darrick J. Wong
2020-03-13  5:00         ` Dave Chinner
2020-03-13  7:18           ` Takashi Iwai
2020-03-13 15:52             ` Darrick J. Wong
2020-03-15  8:49               ` Takashi Iwai
2020-03-13  6:52       ` Christoph Hellwig

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20200311220914.GF10776@dread.disaster.area \
    --to=david@fromorbit.com \
    --cc=darrick.wong@oracle.com \
    --cc=linux-xfs@vger.kernel.org \
    --cc=tiwai@suse.de \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox