[PATCH v3] drm: Fix potential overflow issue in event_string array

[PATCH v3] drm: Fix potential overflow issue in event_string array

[jiangfeng]

From: Feng Jiang <jiangfeng@kylinos.cn>

When calling scnprintf() to append recovery method to event_string,
the second argument should be `sizeof(event_string) - len`, otherwise
there is a potential overflow problem.

Fixes: b7cf9f4ac1b8 ("drm: Introduce device wedged event")
Signed-off-by: Feng Jiang <jiangfeng@kylinos.cn>
---
v3:
- update the subject

v2:
- update commit message
- keep scnprintf() as a single line
---
 drivers/gpu/drm/drm_drv.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/gpu/drm/drm_drv.c b/drivers/gpu/drm/drm_drv.c
index 17fc5dc708f4..60e5ac179c15 100644
--- a/drivers/gpu/drm/drm_drv.c
+++ b/drivers/gpu/drm/drm_drv.c
@@ -549,7 +549,7 @@ int drm_dev_wedged_event(struct drm_device *dev, unsigned long method)
 		if (drm_WARN_ONCE(dev, !recovery, "invalid recovery method %u\n", opt))
 			break;
 
-		len += scnprintf(event_string + len, sizeof(event_string), "%s,", recovery);
+		len += scnprintf(event_string + len, sizeof(event_string) - len, "%s,", recovery);
 	}
 
 	if (recovery)
-- 
2.25.1

Re: [PATCH v3] drm: Fix potential overflow issue in event_string array

[André Almeida]

Em 08/04/2025 22:46, jiangfeng@kylinos.cn escreveu:
> From: Feng Jiang <jiangfeng@kylinos.cn>
> 
> When calling scnprintf() to append recovery method to event_string,
> the second argument should be `sizeof(event_string) - len`, otherwise
> there is a potential overflow problem.
> 
> Fixes: b7cf9f4ac1b8 ("drm: Introduce device wedged event")
> Signed-off-by: Feng Jiang <jiangfeng@kylinos.cn>

Reviewed-by: André Almeida <andrealmeid@igalia.com>

Re: [PATCH v3] drm: Fix potential overflow issue in event_string array

[Raag Jadav]

On Wed, Apr 09, 2025 at 09:46:33AM +0800, jiangfeng@kylinos.cn wrote:
> From: Feng Jiang <jiangfeng@kylinos.cn>
> 
> When calling scnprintf() to append recovery method to event_string,
> the second argument should be `sizeof(event_string) - len`, otherwise
> there is a potential overflow problem.
> 
> Fixes: b7cf9f4ac1b8 ("drm: Introduce device wedged event")
> Signed-off-by: Feng Jiang <jiangfeng@kylinos.cn>

Reviewed-by: Raag Jadav <raag.jadav@intel.com>

Thanks for the fix.

Re: [PATCH v3] drm: Fix potential overflow issue in event_string array

[Raag Jadav]

On Wed, Apr 09, 2025 at 09:24:41AM +0300, Raag Jadav wrote:
> On Wed, Apr 09, 2025 at 09:46:33AM +0800, jiangfeng@kylinos.cn wrote:
> > From: Feng Jiang <jiangfeng@kylinos.cn>
> > 
> > When calling scnprintf() to append recovery method to event_string,
> > the second argument should be `sizeof(event_string) - len`, otherwise
> > there is a potential overflow problem.
> > 
> > Fixes: b7cf9f4ac1b8 ("drm: Introduce device wedged event")
> > Signed-off-by: Feng Jiang <jiangfeng@kylinos.cn>
> 
> Reviewed-by: Raag Jadav <raag.jadav@intel.com>
> 
> Thanks for the fix.

This one seems got lost in the noise but important for 6.15.
Any takers?

Raag

Re: [PATCH v3] drm: Fix potential overflow issue in event_string array

[Rodrigo Vivi]

On Thu, May 01, 2025 at 03:22:25PM +0300, Raag Jadav wrote:
> On Wed, Apr 09, 2025 at 09:24:41AM +0300, Raag Jadav wrote:
> > On Wed, Apr 09, 2025 at 09:46:33AM +0800, jiangfeng@kylinos.cn wrote:
> > > From: Feng Jiang <jiangfeng@kylinos.cn>
> > > 
> > > When calling scnprintf() to append recovery method to event_string,
> > > the second argument should be `sizeof(event_string) - len`, otherwise
> > > there is a potential overflow problem.
> > > 
> > > Fixes: b7cf9f4ac1b8 ("drm: Introduce device wedged event")
> > > Signed-off-by: Feng Jiang <jiangfeng@kylinos.cn>
> > 
> > Reviewed-by: Raag Jadav <raag.jadav@intel.com>
> > 
> > Thanks for the fix.
> 
> This one seems got lost in the noise but important for 6.15.
> Any takers?

pushed to drm-misc-fixes

> 
> Raag