From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1756516Ab0JKVLz (ORCPT ); Mon, 11 Oct 2010 17:11:55 -0400 Received: from mail-wy0-f174.google.com ([74.125.82.174]:48403 "EHLO mail-wy0-f174.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1756484Ab0JKVLx (ORCPT ); Mon, 11 Oct 2010 17:11:53 -0400 DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=date:from:to:subject:message-id:mail-followup-to:references :mime-version:content-type:content-disposition:in-reply-to :user-agent; b=xpTIMAmbpxxeU/yZShGlBgCYlLL/O1sX2jzbT87vop/CCs0jxvB1ZJ2sEKoGHLihV4 QBLLDY8hT95FWFPVVDMhKxvEZYTUqX29v/cAY5i1fB4aie5B1YP4Xm7Scz4iZpGUV5+b LvW5FjAMvjf2y2UDYHpWRgwMuedzhPfkHLwdI= Date: Mon, 11 Oct 2010 23:11:38 +0200 From: Dan Carpenter To: Mark Brown , Liam Girdwood , Jaroslav Kysela , Takashi Iwai , Peter Ujfalusi , Jassi Brar , alsa-devel@alsa-project.org, kernel-janitors@vger.kernel.org, linux-kernel@vger.kernel.org Subject: Re: [patch] ASoC: soc: snprintf() doesn't return negative Message-ID: <20101011211138.GL5851@bicker> Mail-Followup-To: Dan Carpenter , Mark Brown , Liam Girdwood , Jaroslav Kysela , Takashi Iwai , Peter Ujfalusi , Jassi Brar , alsa-devel@alsa-project.org, kernel-janitors@vger.kernel.org, linux-kernel@vger.kernel.org References: <20101011035416.GD5851@bicker> <20101011104009.GB9231@rakim.wolfsonmicro.main> <20101011164038.GE5851@bicker> <20101011185148.GB22355@opensource.wolfsonmicro.com> <20101011194502.GK5851@bicker> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20101011194502.GK5851@bicker> User-Agent: Mutt/1.5.18 (2008-05-17) Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Mon, Oct 11, 2010 at 09:45:02PM +0200, Dan Carpenter wrote: > On Mon, Oct 11, 2010 at 07:51:48PM +0100, Mark Brown wrote: > > In actual fact quite a few devices have enough registers to be > > truncated, meaning that it's not only possible but likely we'll exercise > > the cases that deal with the end of buffer. If snprintf() is returning > > values larger than buffer size it was given we're likely to have an > > issue but it seems that there's something missing in your analysis since > > we're never seeing WARN_ON()s and are instead seeing the behaviour the > > code is intended to give, which is to truncate the output when we run > > out of space. > > > > Could you re-check your analysis, please? > > That's odd. I'm sorry, I can't explain why you wouldn't see a stack > trace... The code is straight forward: > > /* Reject out-of-range values early. Large positive sizes are > used for unknown buffer sizes. */ > if (WARN_ON_ONCE((int) size < 0)) > return 0; > > It would still give you truncated output but after the NULL terminator > there would be information leaked from the kernel. If the reader > program had allocated a large enough buffer to handle the extra > information it wouldn't cause a problem. > Actually it will never cause a problem with userspace because we pass the size of the userspace buffer to the kernel. The only issues are the information leak if the user passes in a 8k buffer and the also the WARN_ON_ONCE() regards, dan carpenter