From: WANG Cong <xiyou.wangcong@gmail.com>
To: Miao Xie <miaox@cn.fujitsu.com>
Cc: tglx@linutronix.de, linux-kernel@vger.kernel.org
Subject: Re: [PATCH] time: fix sysfs_show_{available,current}_clocksources() buffer overflow problem
Date: Thu, 8 Nov 2007 19:47:41 +0800 [thread overview]
Message-ID: <20071108114741.GF2479@hacking> (raw)
In-Reply-To: <4732EAB4.5070605@cn.fujitsu.com>
On Thu, Nov 08, 2007 at 06:53:40PM +0800, Miao Xie wrote:
>Hi,every one.
> I found that there is a buffer overflow problem in the following code.
>
>Version: 2.6.24-rc2,
>File: kernel/time/clocksource.c:417-432
>--------------------------------------------------------------------
>static ssize_t
>sysfs_show_available_clocksources(struct sys_device *dev, char *buf)
>{
> struct clocksource *src;
> char *curr = buf;
>
> spin_lock_irq(&clocksource_lock);
> list_for_each_entry(src, &clocksource_list, list) {
> curr += sprintf(curr, "%s ", src->name);
> }
> spin_unlock_irq(&clocksource_lock);
>
> curr += sprintf(curr, "\n");
>
> return curr - buf;
>}
>-----------------------------------------------------------------------
>
>sysfs_show_current_clocksources() also has the same problem though in
>practice
>the size of current clocksource's name won't exceed PAGE_SIZE.
>
>I fix the bug by using snprintf according to the specification of the kernel
>(Version:2.6.24-rc2,File:Documentation/filesystems/sysfs.txt)
>
>Fix sysfs_show_available_clocksources() and
>sysfs_show_current_clocksources()
>buffer overflow problem with snprintf().
>
>Signed-off-by: Miao Xie <miaox@cn.fujitsu.com>
>
>---
> kernel/time/clocksource.c | 19 ++++++++++---------
> 1 files changed, 10 insertions(+), 9 deletions(-)
>
>diff --git a/kernel/time/clocksource.c b/kernel/time/clocksource.c
>index c8a9d13..5d5926f 100644
>--- a/kernel/time/clocksource.c
>+++ b/kernel/time/clocksource.c
>@@ -342,15 +342,13 @@ void clocksource_change_rating(struct clocksource
>*cs, int rating)
> static ssize_t
> sysfs_show_current_clocksources(struct sys_device *dev, char *buf)
> {
>- char *curr = buf;
>+ ssize_t count = 0;
>
> spin_lock_irq(&clocksource_lock);
>- curr += sprintf(curr, "%s ", curr_clocksource->name);
>+ count = snprintf(buf, PAGE_SIZE, "%s\n", curr_clocksource->name);
Yes, snprintf is safer than sprintf. But here, the 'count' will be
mis-pointed when snprintf returns no less than PAGE_SIZE (what you called
overflow). So you may also need:
if (unlikely(count >= PAGE_SIZE))
count = PAGE_SIZE - 1;
Just a simple guess. ;)
next prev parent reply other threads:[~2007-11-08 11:49 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2007-11-08 10:53 [PATCH] time: fix sysfs_show_{available,current}_clocksources() buffer overflow problem Miao Xie
2007-11-08 11:47 ` WANG Cong [this message]
2007-11-08 12:11 ` WANG Cong
2007-11-11 3:29 ` Miao Xie
2007-11-11 4:09 ` WANG Cong
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20071108114741.GF2479@hacking \
--to=xiyou.wangcong@gmail.com \
--cc=linux-kernel@vger.kernel.org \
--cc=miaox@cn.fujitsu.com \
--cc=tglx@linutronix.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox