| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sun, 7 Dec 2008 06:31:48 -0500 (EST)
From: Anders Kaseorg <andersk@....EDU>
To: Linus Torvalds <torvalds@...ux-foundation.org>
cc: linux-kernel@...r.kernel.org
Subject: [PATCH] Don't call sprintf() with overlapping input and output.
The use of sprintf() to append to a buffer, as in
sprintf(buf, "%sEntry: %d\n", buf, i)
is not valid according to C99 ("If copying takes place between objects
that overlap, the behavior is undefined."). It breaks at least in
userspace under gcc -D_FORTIFY_SOURCE. Replace this construct with
sprintf(buf + strlen(buf), "Entry: %d\n", i)
Signed-off-by: Anders Kaseorg <andersk@....edu>
---
Documentation/ia64/err_inject.txt | 2 +-
arch/ia64/sn/kernel/io_common.c | 2 +-
arch/s390/kernel/early.c | 6 +++---
arch/x86/kernel/cpu/intel_cacheinfo.c | 9 ++++-----
drivers/media/video/se401.c | 2 +-
drivers/scsi/gdth_proc.c | 2 +-
drivers/usb/atm/usbatm.c | 2 +-
7 files changed, 12 insertions(+), 13 deletions(-)
diff --git a/Documentation/ia64/err_inject.txt b/Documentation/ia64/err_inject.txt
index 223e4f0..62d0028 100644
--- a/Documentation/ia64/err_inject.txt
+++ b/Documentation/ia64/err_inject.txt
@@ -376,7 +376,7 @@ int create_sem(int cpu)
int sid;
sprintf(fn, PATH_FORMAT, cpu);
- sprintf(fn, "%s/%s", fn, "err_type_info");
+ sprintf(fn + strlen(fn), "/%s", "err_type_info");
if ((key[cpu] = ftok(fn, 'e')) == -1) {
perror("ftok");
return -1;
diff --git a/arch/ia64/sn/kernel/io_common.c b/arch/ia64/sn/kernel/io_common.c
index 8a924a5..656e201 100644
--- a/arch/ia64/sn/kernel/io_common.c
+++ b/arch/ia64/sn/kernel/io_common.c
@@ -441,7 +441,7 @@ void sn_generate_path(struct pci_bus *pci_bus, char *address)
bricktype = MODULE_GET_BTYPE(moduleid);
if ((bricktype == L1_BRICKTYPE_191010) ||
(bricktype == L1_BRICKTYPE_1932))
- sprintf(address, "%s^%d", address, geo_slot(geoid));
+ sprintf(address + strlen(address), "^%d", geo_slot(geoid));
}
void __devinit
diff --git a/arch/s390/kernel/early.c b/arch/s390/kernel/early.c
index 2a2ca26..addee93 100644
--- a/arch/s390/kernel/early.c
+++ b/arch/s390/kernel/early.c
@@ -108,13 +108,13 @@ static noinline __init void create_kernel_nss(void)
sinitrd_pfn = PFN_DOWN(__pa(INITRD_START));
einitrd_pfn = PFN_UP(__pa(INITRD_START + INITRD_SIZE));
min_size = einitrd_pfn << 2;
- sprintf(defsys_cmd, "%s EW %.5X-%.5X", defsys_cmd,
+ sprintf(defsys_cmd + strlen(defsys_cmd), " EW %.5X-%.5X",
sinitrd_pfn, einitrd_pfn);
}
#endif
- sprintf(defsys_cmd, "%s EW MINSIZE=%.7iK PARMREGS=0-13",
- defsys_cmd, min_size);
+ sprintf(defsys_cmd + strlen(defsys_cmd),
+ " EW MINSIZE=%.7iK PARMREGS=0-13", min_size);
sprintf(savesys_cmd, "SAVESYS %s \n IPL %s",
kernel_nss_name, kernel_nss_name);
diff --git a/arch/x86/kernel/cpu/intel_cacheinfo.c b/arch/x86/kernel/cpu/intel_cacheinfo.c
index 3f46afb..396b720 100644
--- a/arch/x86/kernel/cpu/intel_cacheinfo.c
+++ b/arch/x86/kernel/cpu/intel_cacheinfo.c
@@ -709,13 +709,12 @@ static ssize_t show_cache_disable(struct _cpuid4_info *this_leaf, char *buf)
pci_read_config_dword(dev, 0x1BC + i * 4, ®);
- ret += sprintf(buf, "%sEntry: %d\n", buf, i);
- ret += sprintf(buf, "%sReads: %s\tNew Entries: %s\n",
- buf,
+ ret += sprintf(buf + strlen(buf), "Entry: %d\n", i);
+ ret += sprintf(buf + strlen(buf), "Reads: %s\tNew Entries: %s\n",
reg & 0x80000000 ? "Disabled" : "Allowed",
reg & 0x40000000 ? "Disabled" : "Allowed");
- ret += sprintf(buf, "%sSubCache: %x\tIndex: %x\n",
- buf, (reg & 0x30000) >> 16, reg & 0xfff);
+ ret += sprintf(buf + strlen(buf), "SubCache: %x\tIndex: %x\n",
+ (reg & 0x30000) >> 16, reg & 0xfff);
}
return ret;
}
diff --git a/drivers/media/video/se401.c b/drivers/media/video/se401.c
index 044a2e9..b8d2f03 100644
--- a/drivers/media/video/se401.c
+++ b/drivers/media/video/se401.c
@@ -1276,7 +1276,7 @@ static int se401_init(struct usb_se401 *se401, int button)
}
sprintf (temp, "%s Sizes:", temp);
for (i=0; i<se401->sizes; i++) {
- sprintf(temp, "%s %dx%d", temp, se401->width[i], se401->height[i]);
+ sprintf(temp + strlen(temp), " %dx%d", se401->width[i], se401->height[i]);
}
dev_info(&se401->dev->dev, "%s\n", temp);
se401->maxframesize=se401->width[se401->sizes-1]*se401->height[se401->sizes-1]*3;
diff --git a/drivers/scsi/gdth_proc.c b/drivers/scsi/gdth_proc.c
index 59349a3..5748198 100644
--- a/drivers/scsi/gdth_proc.c
+++ b/drivers/scsi/gdth_proc.c
@@ -196,7 +196,7 @@ static int gdth_get_info(char *buffer,char **start,off_t offset,int length,
for (i = 1; i < MAX_RES_ARGS; i++) {
if (reserve_list[i] == 0xff)
break;
- sprintf(hrec,"%s,%d", hrec, reserve_list[i]);
+ sprintf(hrec + strlen(hrec), ",%d", reserve_list[i]);
}
}
size = sprintf(buffer+len,
diff --git a/drivers/usb/atm/usbatm.c b/drivers/usb/atm/usbatm.c
index 06dd114..f52cfa5 100644
--- a/drivers/usb/atm/usbatm.c
+++ b/drivers/usb/atm/usbatm.c
@@ -1393,7 +1393,7 @@ static int usbatm_print_packet(const unsigned char *data, int len)
buffer[0] = '\0';
sprintf(buffer, "%.3d :", i);
for (j = 0; (j < 16) && (i < len); j++, i++) {
- sprintf(buffer, "%s %2.2x", buffer, data[i]);
+ sprintf(buffer + strlen(buffer), " %2.2x", data[i]);
}
dbg("%s", buffer);
}
--
1.6.0.4
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists