Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

drm/msm: Replace unsafe snprintf usage with scnprintf

The refill_buf function uses snprintf to append to a fixed-size buffer.
snprintf returns the length that would have been written, which can
exceed the remaining buffer size. If this happens, ptr advances beyond
the buffer and rem becomes negative. In the 2nd iteration, rem is
treated as a large unsigned integer, causing snprintf to write oob.

While this behavior is technically mitigated by num_perfcntrs being
locked at 5, it's still unsafe if num_perfcntrs were ever to change/a
second source was added.

Signed-off-by: Evan Lambert <veyga@veygax.dev>
Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
Patchwork: https://patchwork.freedesktop.org/patch/696358/
Link: https://lore.kernel.org/r/20251224124254.17920-3-veyga@veygax.dev
Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>

authored by Evan Lambert and committed by Dmitry Baryshkov
66691e27 88733a0b
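The overrun the commit message describes, reproduced in userspace as an added example (not code from the kernel tree or from the patch author). `scnprintf_like`, `fill` and the `CNTR` names are constructed for the demo, and the snprintf path returns as soon as `rem` goes negative instead of making the out-of-bounds call.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Userspace stand-in for the kernel's scnprintf(): returns the number of
 * characters actually stored (excluding the NUL), at most size - 1. */
static int scnprintf_like(char *buf, size_t size, const char *fmt, ...)
{
	va_list ap;
	int n;

	if (size == 0)
		return 0;
	va_start(ap, fmt);
	n = vsnprintf(buf, size, fmt, ap);
	va_end(ap);
	if (n < 0)
		return 0;
	return (size_t)n < size ? n : (int)(size - 1);
}

/* Append `count` constructed counter names using the n/rem bookkeeping from
 * the commit and return the final rem. An offset replaces ptr so the demo can
 * stop before forming an out-of-range pointer: a negative rem is returned
 * instead of being passed on as a huge size_t. */
static int fill(char *buf, int size, int count, int use_scn)
{
	int off = 0, rem = size, n, i;

	for (i = 0; i < count; i++) {
		if (use_scn)
			n = scnprintf_like(buf + off, (size_t)rem, "\t%s%d", "CNTR", i);
		else
			n = snprintf(buf + off, (size_t)rem, "\t%s%d", "CNTR", i);
		off += n;
		rem -= n;
		if (rem < 0)
			return rem;
	}
	return rem;
}

int main(void)
{
	char buf[16];

	printf("snprintf:  rem = %d\n", fill(buf, sizeof(buf), 5, 0));
	printf("scnprintf: rem = %d, stored \"%s\"\n", fill(buf, sizeof(buf), 5, 1), buf);
	return 0;
}
```

With a 16-byte buffer the snprintf path ends with `rem` at -2, which as a `size_t` is far larger than the buffer; the scnprintf-style path stops with `rem` at 1 and a truncated, NUL-terminated string.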

+5 -5
drivers/gpu/drm/msm/msm_perf.c
··· 65 65 66 66 if ((perf->cnt++ % 32) == 0) { 67 67 /* Header line: */ 68 - n = snprintf(ptr, rem, "%%BUSY"); 68 + n = scnprintf(ptr, rem, "%%BUSY"); 69 69 ptr += n; 70 70 rem -= n; 71 71 72 72 for (i = 0; i < gpu->num_perfcntrs; i++) { 73 73 const struct msm_gpu_perfcntr *perfcntr = &gpu->perfcntrs[i]; 74 - n = snprintf(ptr, rem, "\t%s", perfcntr->name); 74 + n = scnprintf(ptr, rem, "\t%s", perfcntr->name); 75 75 ptr += n; 76 76 rem -= n; 77 77 } ··· 93 93 return ret; 94 94 95 95 val = totaltime ? 1000 * activetime / totaltime : 0; 96 - n = snprintf(ptr, rem, "%3d.%d%%", val / 10, val % 10); 96 + n = scnprintf(ptr, rem, "%3d.%d%%", val / 10, val % 10); 97 97 ptr += n; 98 98 rem -= n; 99 99 100 100 for (i = 0; i < ret; i++) { 101 101 /* cycle counters (I think).. convert to MHz.. */ 102 102 val = cntrs[i] / 10000; 103 - n = snprintf(ptr, rem, "\t%5d.%02d", 103 + n = scnprintf(ptr, rem, "\t%5d.%02d", 104 104 val / 100, val % 100); 105 105 ptr += n; 106 106 rem -= n; 107 107 } 108 108 } 109 109 110 - n = snprintf(ptr, rem, "\n"); 110 + n = scnprintf(ptr, rem, "\n"); 111 111 ptr += n; 112 112 rem -= n; 113 113
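Review bot: in the first hunk's header loop over gpu->num_perfcntrs, truncation is now silent. scnprintf returns at most rem - 1, so once the buffer fills, rem stays at 1, every later call stores nothing, and the loop keeps running with the header cut short. Consider breaking out of the loop when n comes back as 0 (or when rem <= 1), and since the same `ptr += n; rem -= n;` bookkeeping follows every call, a small append helper would keep that check in one place.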
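Review bot: in the second hunk, the final `n = scnprintf(ptr, rem, "\n");` can store nothing when the value columns have already consumed the buffer, so a truncated sample line would be emitted without its newline and run into the next one. Reserving one byte for the terminator before the counter loop, or overwriting the last stored character with '\n' on truncation, would keep lines delimited. A short comment next to the calls noting that truncation is the intended behaviour on overflow would also help future readers.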