* [PATCH RESEND] m68k: emu: Replace unbounded sprintf in nfhd_init_one
@ 2026-03-18 0:16 Thorsten Blum
2026-03-20 19:16 ` Kees Cook
0 siblings, 1 reply; 2+ messages in thread
From: Thorsten Blum @ 2026-03-18 0:16 UTC (permalink / raw)
To: Geert Uytterhoeven, Jens Axboe, Al Viro, Kees Cook,
Martin K. Petersen
Cc: Thorsten Blum, linux-m68k, linux-kernel
Replace unbounded sprintf() with the safer snprintf().
Signed-off-by: Thorsten Blum <thorsten.blum@linux.dev>
---
arch/m68k/emu/nfblock.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/arch/m68k/emu/nfblock.c b/arch/m68k/emu/nfblock.c
index 93536cf2a38e..fa6256c5af22 100644
--- a/arch/m68k/emu/nfblock.c
+++ b/arch/m68k/emu/nfblock.c
@@ -132,7 +132,8 @@ static int __init nfhd_init_one(int id, u32 blocks, u32 bsize)
dev->disk->minors = 16;
dev->disk->fops = &nfhd_ops;
dev->disk->private_data = dev;
- sprintf(dev->disk->disk_name, "nfhd%u", dev_id);
+ snprintf(dev->disk->disk_name, sizeof(dev->disk->disk_name), "nfhd%u",
+ dev_id);
set_capacity(dev->disk, (sector_t)blocks * (bsize / 512));
err = add_disk(dev->disk);
if (err)
^ permalink raw reply related [flat|nested] 2+ messages in thread
* Re: [PATCH RESEND] m68k: emu: Replace unbounded sprintf in nfhd_init_one
2026-03-18 0:16 [PATCH RESEND] m68k: emu: Replace unbounded sprintf in nfhd_init_one Thorsten Blum
@ 2026-03-20 19:16 ` Kees Cook
0 siblings, 0 replies; 2+ messages in thread
From: Kees Cook @ 2026-03-20 19:16 UTC (permalink / raw)
To: Thorsten Blum
Cc: Geert Uytterhoeven, Jens Axboe, Al Viro, Martin K. Petersen,
linux-m68k, linux-kernel
On Wed, Mar 18, 2026 at 01:16:33AM +0100, Thorsten Blum wrote:
> Replace unbounded sprintf() with the safer snprintf().
>
> Signed-off-by: Thorsten Blum <thorsten.blum@linux.dev>
> ---
> arch/m68k/emu/nfblock.c | 3 ++-
> 1 file changed, 2 insertions(+), 1 deletion(-)
>
> diff --git a/arch/m68k/emu/nfblock.c b/arch/m68k/emu/nfblock.c
> index 93536cf2a38e..fa6256c5af22 100644
> --- a/arch/m68k/emu/nfblock.c
> +++ b/arch/m68k/emu/nfblock.c
> @@ -132,7 +132,8 @@ static int __init nfhd_init_one(int id, u32 blocks, u32 bsize)
> dev->disk->minors = 16;
> dev->disk->fops = &nfhd_ops;
> dev->disk->private_data = dev;
> - sprintf(dev->disk->disk_name, "nfhd%u", dev_id);
> + snprintf(dev->disk->disk_name, sizeof(dev->disk->disk_name), "nfhd%u",
> + dev_id);
> set_capacity(dev->disk, (sector_t)blocks * (bsize / 512));
> err = add_disk(dev->disk);
> if (err)
This one falls into a "currently impossible" category:
for (i = NFHD_DEV_OFFSET; i < 24; i++) {
if (nfhd_get_capacity(i, 0, &blocks, &bsize))
continue;
nfhd_init_one(i, blocks, bsize);
static int __init nfhd_init_one(int id, u32 blocks, u32 bsize)
{
...
int dev_id = id - NFHD_DEV_OFFSET;
...
sprintf(dev->disk->disk_name, "nfhd%u", dev_id);
I'd almost prefer to see "id" bounds checked prior to the dev_id
calculation (in some unlikely future where "id" isn't
NFHD_DEV_OFFSET-based).
#define DISK_NAME_LEN 32
...
char disk_name[DISK_NAME_LEN]; /* name of major driver */
The largest the %u could get would be 10 digits, so it'll always be in
bounds.
But there's no harm in the change:
Reviewed-by: Kees Cook <kees@kernel.org>
--
Kees Cook
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2026-03-20 19:16 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-03-18 0:16 [PATCH RESEND] m68k: emu: Replace unbounded sprintf in nfhd_init_one Thorsten Blum
2026-03-20 19:16 ` Kees Cook
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox