Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S965195AbdGTKah (ORCPT ); Thu, 20 Jul 2017 06:30:37 -0400 Received: from terminus.zytor.com ([65.50.211.136]:46731 "EHLO terminus.zytor.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S964827AbdGTKaf (ORCPT ); Thu, 20 Jul 2017 06:30:35 -0400 Date: Thu, 20 Jul 2017 03:27:01 -0700 From: tip-bot for Arnd Bergmann Message-ID: Cc: peterz@infradead.org, arnd@arndb.de, hpa@zytor.com, mingo@kernel.org, torvalds@linux-foundation.org, linux-kernel@vger.kernel.org, tglx@linutronix.de Reply-To: peterz@infradead.org, tglx@linutronix.de, linux-kernel@vger.kernel.org, torvalds@linux-foundation.org, mingo@kernel.org, arnd@arndb.de, hpa@zytor.com In-Reply-To: <20170719125310.2487451-9-arnd@arndb.de> References: <20170719125310.2487451-9-arnd@arndb.de> To: linux-tip-commits@vger.kernel.org Subject: [tip:x86/urgent] x86/platform/intel-mid: Fix a format string overflow warning Git-Commit-ID: 0bc73048d7baecf94117d1a948853a627e6ba5c8 X-Mailer: tip-git-log-daemon Robot-ID: Robot-Unsubscribe: Contact to get blacklisted from these emails MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Content-Type: text/plain; charset=UTF-8 Content-Disposition: inline Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 2685 Lines: 52 Commit-ID: 0bc73048d7baecf94117d1a948853a627e6ba5c8 Gitweb: http://git.kernel.org/tip/0bc73048d7baecf94117d1a948853a627e6ba5c8 Author: Arnd Bergmann AuthorDate: Wed, 19 Jul 2017 14:53:06 +0200 Committer: Ingo Molnar CommitDate: Thu, 20 Jul 2017 10:46:25 +0200 x86/platform/intel-mid: Fix a format string overflow warning We have space for exactly three characters for the index in "max7315_%d_base", but as GCC points out having more would cause an string overflow: arch/x86/platform/intel-mid/device_libs/platform_max7315.c: In function 'max7315_platform_data': arch/x86/platform/intel-mid/device_libs/platform_max7315.c:41:26: error: '%d' directive writing between 1 and 11 bytes into a region of size 9 [-Werror=format-overflow=] sprintf(base_pin_name, "max7315_%d_base", nr); ^~~~~~~~~~~~~~~~~ arch/x86/platform/intel-mid/device_libs/platform_max7315.c:41:26: note: directive argument in the range [-2147483647, 2147483647] arch/x86/platform/intel-mid/device_libs/platform_max7315.c:41:3: note: 'sprintf' output between 15 and 25 bytes into a destination of size 17 sprintf(base_pin_name, "max7315_%d_base", nr); This makes it use an snprintf() to truncate the string if that happened rather than overflowing the stack. In practice, this is safe, because there won't be a large number of max7315 devices in the systems, and both the format and the length are defined by the firmware interface. Signed-off-by: Arnd Bergmann Cc: Linus Torvalds Cc: Peter Zijlstra Cc: Thomas Gleixner Link: http://lkml.kernel.org/r/20170719125310.2487451-9-arnd@arndb.de Signed-off-by: Ingo Molnar --- arch/x86/platform/intel-mid/device_libs/platform_max7315.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/arch/x86/platform/intel-mid/device_libs/platform_max7315.c b/arch/x86/platform/intel-mid/device_libs/platform_max7315.c index 6e075af..58337b2 100644 --- a/arch/x86/platform/intel-mid/device_libs/platform_max7315.c +++ b/arch/x86/platform/intel-mid/device_libs/platform_max7315.c @@ -38,8 +38,10 @@ static void __init *max7315_platform_data(void *info) */ strcpy(i2c_info->type, "max7315"); if (nr++) { - sprintf(base_pin_name, "max7315_%d_base", nr); - sprintf(intr_pin_name, "max7315_%d_int", nr); + snprintf(base_pin_name, sizeof(base_pin_name), + "max7315_%d_base", nr); + snprintf(intr_pin_name, sizeof(intr_pin_name), + "max7315_%d_int", nr); } else { strcpy(base_pin_name, "max7315_base"); strcpy(intr_pin_name, "max7315_int");