Date: Sun, 7 Dec 2008 06:31:48 -0500 (EST)
From: Anders Kaseorg <andersk@MIT.EDU>
To: Linus Torvalds <torvalds@linux-foundation.org>
cc: linux-kernel@vger.kernel.org
Subject: [PATCH] Don't call sprintf() with overlapping input and output.
Message-ID: <alpine.DEB.2.00.0812070628001.13666@vinegar-pot.mit.edu>
User-Agent: Alpine 2.00 (DEB 1167 2008-08-23)
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: linux-kernel-owner@vger.kernel.org
Content-Length: 5403
Lines: 134

The use of sprintf() to append to a buffer, as in
  sprintf(buf, "%sEntry: %d\n", buf, i)
is not valid according to C99 ("If copying takes place between objects
that overlap, the behavior is undefined.").  It breaks at least in
userspace under gcc -D_FORTIFY_SOURCE.  Replace this construct with
  sprintf(buf + strlen(buf), "Entry: %d\n", i)

Signed-off-by: Anders Kaseorg <andersk@mit.edu>
---
 Documentation/ia64/err_inject.txt     |    2 +-
 arch/ia64/sn/kernel/io_common.c       |    2 +-
 arch/s390/kernel/early.c              |    6 +++---
 arch/x86/kernel/cpu/intel_cacheinfo.c |    9 ++++-----
 drivers/media/video/se401.c           |    2 +-
 drivers/scsi/gdth_proc.c              |    2 +-
 drivers/usb/atm/usbatm.c              |    2 +-
 7 files changed, 12 insertions(+), 13 deletions(-)

diff --git a/Documentation/ia64/err_inject.txt b/Documentation/ia64/err_inject.txt
index 223e4f0..62d0028 100644
--- a/Documentation/ia64/err_inject.txt
+++ b/Documentation/ia64/err_inject.txt
@@ -376,7 +376,7 @@ int create_sem(int cpu)
 	int sid;

 	sprintf(fn, PATH_FORMAT, cpu);
-	sprintf(fn, "%s/%s", fn, "err_type_info");
+	sprintf(fn + strlen(fn), "/%s", "err_type_info");
 	if ((key[cpu] = ftok(fn, 'e')) == -1) {
 		perror("ftok");
 		return -1;
diff --git a/arch/ia64/sn/kernel/io_common.c b/arch/ia64/sn/kernel/io_common.c
index 8a924a5..656e201 100644
--- a/arch/ia64/sn/kernel/io_common.c
+++ b/arch/ia64/sn/kernel/io_common.c
@@ -441,7 +441,7 @@ void sn_generate_path(struct pci_bus *pci_bus, char *address)
 	bricktype = MODULE_GET_BTYPE(moduleid);
 	if ((bricktype == L1_BRICKTYPE_191010) ||
 	    (bricktype == L1_BRICKTYPE_1932))
-			sprintf(address, "%s^%d", address, geo_slot(geoid));
+		sprintf(address + strlen(address), "^%d", geo_slot(geoid));
 }

 void __devinit
diff --git a/arch/s390/kernel/early.c b/arch/s390/kernel/early.c
index 2a2ca26..addee93 100644
--- a/arch/s390/kernel/early.c
+++ b/arch/s390/kernel/early.c
@@ -108,13 +108,13 @@ static noinline __init void create_kernel_nss(void)
 		sinitrd_pfn = PFN_DOWN(__pa(INITRD_START));
 		einitrd_pfn = PFN_UP(__pa(INITRD_START + INITRD_SIZE));
 		min_size = einitrd_pfn << 2;
-		sprintf(defsys_cmd, "%s EW %.5X-%.5X", defsys_cmd,
+		sprintf(defsys_cmd + strlen(defsys_cmd), " EW %.5X-%.5X",
 		sinitrd_pfn, einitrd_pfn);
 	}
 #endif

-	sprintf(defsys_cmd, "%s EW MINSIZE=%.7iK PARMREGS=0-13",
-		defsys_cmd, min_size);
+	sprintf(defsys_cmd + strlen(defsys_cmd),
+		" EW MINSIZE=%.7iK PARMREGS=0-13", min_size);
 	sprintf(savesys_cmd, "SAVESYS %s \n IPL %s",
 		kernel_nss_name, kernel_nss_name);

diff --git a/arch/x86/kernel/cpu/intel_cacheinfo.c b/arch/x86/kernel/cpu/intel_cacheinfo.c
index 3f46afb..396b720 100644
--- a/arch/x86/kernel/cpu/intel_cacheinfo.c
+++ b/arch/x86/kernel/cpu/intel_cacheinfo.c
@@ -709,13 +709,12 @@ static ssize_t show_cache_disable(struct _cpuid4_info *this_leaf, char *buf)

 		pci_read_config_dword(dev, 0x1BC + i * 4, &reg);

-		ret += sprintf(buf, "%sEntry: %d\n", buf, i);
-		ret += sprintf(buf, "%sReads:  %s\tNew Entries: %s\n", 
-			buf,
+		ret += sprintf(buf + strlen(buf), "Entry: %d\n", i);
+		ret += sprintf(buf + strlen(buf), "Reads:  %s\tNew Entries: %s\n",
 			reg & 0x80000000 ? "Disabled" : "Allowed",
 			reg & 0x40000000 ? "Disabled" : "Allowed");
-		ret += sprintf(buf, "%sSubCache: %x\tIndex: %x\n",
-			buf, (reg & 0x30000) >> 16, reg & 0xfff);
+		ret += sprintf(buf + strlen(buf), "SubCache: %x\tIndex: %x\n",
+			(reg & 0x30000) >> 16, reg & 0xfff);
 	}
 	return ret;
 }
diff --git a/drivers/media/video/se401.c b/drivers/media/video/se401.c
index 044a2e9..b8d2f03 100644
--- a/drivers/media/video/se401.c
+++ b/drivers/media/video/se401.c
@@ -1276,7 +1276,7 @@ static int se401_init(struct usb_se401 *se401, int button)
 	}
 	sprintf (temp, "%s Sizes:", temp);
 	for (i=0; i<se401->sizes; i++) {
-		sprintf(temp, "%s %dx%d", temp, se401->width[i], se401->height[i]);
+		sprintf(temp + strlen(temp), " %dx%d", se401->width[i], se401->height[i]);
 	}
 	dev_info(&se401->dev->dev, "%s\n", temp);
 	se401->maxframesize=se401->width[se401->sizes-1]*se401->height[se401->sizes-1]*3;
diff --git a/drivers/scsi/gdth_proc.c b/drivers/scsi/gdth_proc.c
index 59349a3..5748198 100644
--- a/drivers/scsi/gdth_proc.c
+++ b/drivers/scsi/gdth_proc.c
@@ -196,7 +196,7 @@ static int gdth_get_info(char *buffer,char **start,off_t offset,int length,
         for (i = 1;  i < MAX_RES_ARGS; i++) {
             if (reserve_list[i] == 0xff)
                 break;
-            sprintf(hrec,"%s,%d", hrec, reserve_list[i]);
+            sprintf(hrec + strlen(hrec), ",%d", reserve_list[i]);
         }
     }
     size = sprintf(buffer+len,
diff --git a/drivers/usb/atm/usbatm.c b/drivers/usb/atm/usbatm.c
index 06dd114..f52cfa5 100644
--- a/drivers/usb/atm/usbatm.c
+++ b/drivers/usb/atm/usbatm.c
@@ -1393,7 +1393,7 @@ static int usbatm_print_packet(const unsigned char *data, int len)
 		buffer[0] = '\0';
 		sprintf(buffer, "%.3d :", i);
 		for (j = 0; (j < 16) && (i < len); j++, i++) {
-			sprintf(buffer, "%s %2.2x", buffer, data[i]);
+			sprintf(buffer + strlen(buffer), " %2.2x", data[i]);
 		}
 		dbg("%s", buffer);
 	}
-- 
1.6.0.4

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/