Received: by 2002:ad5:474a:0:0:0:0:0 with SMTP id i10csp1572361imu; Wed, 16 Jan 2019 23:06:21 -0800 (PST) X-Google-Smtp-Source: ALg8bN7gBtUhG1nM3unEU/4AKnmyVurJSlAhzf/XpXdERc/W8pzzJMbx8aCIqLHdSK0egJyMpBUG X-Received: by 2002:a17:902:b60a:: with SMTP id b10mr13127707pls.303.1547708781156; Wed, 16 Jan 2019 23:06:21 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1547708781; cv=none; d=google.com; s=arc-20160816; b=zq1FtL3OWcDQMYYTg7gc/3lzRbhMqX3plPMk6jUOc2uzcHAzM+qO6FZ0+sYXScHgwv swFNOWsNiqYlVfxgKsIP5NvV0FGlWZmOsVkgxINf+HP1pMloytdFW4n3p3sPrt8by7cF OPV/SKc1Hz0SjYhWUvqiFFJfXJjbsivw/70awYhESplja+IfYfqQmS1ofIuKL96rS5wq y1fizSIrQgmBHTCGMeC398gzjyn/t2KmujCBS2H01IfzZAARp4GKLVtSOFgIyH6+zpEQ qhGwR8hPFB6lRidAPge2vn2USzh5RwyvHu3HpAOixdXH7EKM+ErdZtXuIKaOfIQi1m+B mHwg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-language :content-transfer-encoding:in-reply-to:mime-version:user-agent:date :message-id:from:references:cc:to:subject; bh=1UI5ek9QmA+HtLc0gKdCQSGjOLkuJiQG2ROyB2fTggo=; b=RodXlyb0abXvAnkDwCwvbMuCopvywfciM7IP0oJMxLkK2JzXdDLgpZ0pLFcl7E3Eu3 0t+sKVjhfwq+/vkrMsW/dOubwAXGklyozkXlCCkmTbURka0vqcbfVvneifVlly5vT+2C qMkKJSpH++1un7B23Qec0EoOpMhN371AzdlIOcrN5KFDc6NrB/6yevFtADdIXJkV2N3d xsT7x0/X4Uh9dFalT6Mon5S1KlzBguLYZZ193aoqdeFBa92UNkFPPuqGtrQbo/b3fdK0 3yb0Qr897ZOfSoplAiR8ROCEtHhMCsZulow9YL4b5xjMhXOPYLLzDT5x21TlqGjrBjWd JVVA== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=intel.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id q17si980699pfc.198.2019.01.16.23.06.05; Wed, 16 Jan 2019 23:06:21 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=intel.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1731341AbfAPTf4 (ORCPT + 99 others); Wed, 16 Jan 2019 14:35:56 -0500 Received: from mga17.intel.com ([192.55.52.151]:45473 "EHLO mga17.intel.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1730757AbfAPTfy (ORCPT ); Wed, 16 Jan 2019 14:35:54 -0500 X-Amp-Result: SKIPPED(no attachment in message) X-Amp-File-Uploaded: False Received: from orsmga002.jf.intel.com ([10.7.209.21]) by fmsmga107.fm.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 16 Jan 2019 11:35:53 -0800 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.56,487,1539673200"; d="scan'208";a="126578277" Received: from tkevorki-mobl4.amr.corp.intel.com (HELO [10.254.178.90]) ([10.254.178.90]) by orsmga002.jf.intel.com with ESMTP; 16 Jan 2019 11:35:51 -0800 Subject: Re: [PATCH 6/8] ASoC: intel: skylake: change snprintf to scnprintf for possible overflow To: Kees Cook , Willy Tarreau Cc: Silvio Cesare , LKML , Liam Girdwood , Jie Yang , Dan Carpenter , Will Deacon , Greg KH References: <20190112152844.26550-1-w@1wt.eu> <20190112152844.26550-6-w@1wt.eu> From: Pierre-Louis Bossart Message-ID: Date: Wed, 16 Jan 2019 13:35:51 -0600 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.2.1 MIME-Version: 1.0 In-Reply-To: Content-Type: text/plain; charset=utf-8; format=flowed Content-Transfer-Encoding: 7bit Content-Language: en-US Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org >> diff --git a/sound/soc/intel/skylake/skl-debug.c b/sound/soc/intel/skylake/skl-debug.c >> index 5d7ac2ee7a3c..bb28db734fb7 100644 >> --- a/sound/soc/intel/skylake/skl-debug.c >> +++ b/sound/soc/intel/skylake/skl-debug.c >> @@ -43,7 +43,7 @@ static ssize_t skl_print_pins(struct skl_module_pin *m_pin, char *buf, >> ssize_t ret = 0; >> >> for (i = 0; i < max_pin; i++) >> - ret += snprintf(buf + size, MOD_BUF - size, >> + ret += scnprintf(buf + size, MOD_BUF - size, >> "%s %d\n\tModule %d\n\tInstance %d\n\t" >> "In-used %s\n\tType %s\n" >> "\tState %d\n\tIndex %d\n", >> > While working on a Coccinelle script to find more cases of this, I > noticed that this code is buggy: it keeps overwriting the same > position in the buf string: "buf + size" and don't take "ret" into > account at all. This needs to be: > > ret += scnprintf(buf + size + ret, MOD_BUF - size - ret, Thanks for the sighting. Indeed this looks like a bug, all other calls to snprintf use "ret" to modify the destination/length. The only explanation I have for it not being noticed earlier is that it's possibly not used - a 5mn test on 2 machines show the loop is actually not run (max_pin == 0). It'll take me a bit of time to figure out what exactly this routine is supposed to do, maybe we should do the cross-tree change first? -Pierre