| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 14 Jul 2017 13:33:28 +0100
From: Robin Murphy <robin.murphy@....com>
To: Arnd Bergmann <arnd@...db.de>, linux-kernel@...r.kernel.org,
Sunil Goutham <sgoutham@...ium.com>,
Robert Richter <rric@...nel.org>
Cc: George Cherian <george.cherian@...ium.com>,
"James E . J . Bottomley" <jejb@...ux.vnet.ibm.com>,
linux-scsi@...r.kernel.org,
"Martin K . Petersen" <martin.petersen@...cle.com>,
Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
x86@...nel.org,
Radha Mohan Chintakuntla <rchintakuntla@...ium.com>,
Vadim Lomovtsev <Vadim.Lomovtsev@...iumnetworks.com>,
linux-arm-kernel@...ts.infradead.org, netdev@...r.kernel.org,
Thanneeru Srinivasulu <tsrinivasulu@...ium.com>,
akpm@...ux-foundation.org,
Linus Torvalds <torvalds@...ux-foundation.org>,
"David S . Miller" <davem@...emloft.net>,
Guenter Roeck <linux@...ck-us.net>
Subject: Re: [PATCH 11/22] net: thunder_bgx: avoid format string overflow
warning
On 14/07/17 13:07, Arnd Bergmann wrote:
> gcc warns that the temporary buffer might be too small here:
>
> drivers/net/ethernet/cavium/thunder/thunder_bgx.c: In function 'bgx_probe':
> drivers/net/ethernet/cavium/thunder/thunder_bgx.c:1020:16: error: '%d' directive writing between 1 and 10 bytes into a region of size between 9 and 11 [-Werror=format-overflow=]
> sprintf(str, "BGX%d LMAC%d mode", bgx->bgx_id, lmacid);
> ^~~~~~~~~~~~~~~~~~~
> drivers/net/ethernet/cavium/thunder/thunder_bgx.c:1020:16: note: directive argument in the range [0, 2147483647]
> drivers/net/ethernet/cavium/thunder/thunder_bgx.c:1020:3: note: 'sprintf' output between 16 and 27 bytes into a destination of size 20
>
> This probably can't happen, but it can't hurt to make it long
> enough for the theoretical limit.
Probably indeed - both bgx_id and lmacid are u8 here, which would make
the maximum length of that string, including null terminator, exactly 20
characters.
So in this case the warning is not only silly, it's actively wrong;
sure, the arguments themselves are being promoted to ints at that point,
but GCC *knows* the original type, or it couldn't have generated the
correct code for the call :/
Robin.
> Signed-off-by: Arnd Bergmann <arnd@...db.de>
> ---
> drivers/net/ethernet/cavium/thunder/thunder_bgx.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/net/ethernet/cavium/thunder/thunder_bgx.c b/drivers/net/ethernet/cavium/thunder/thunder_bgx.c
> index a0ca68ce3fbb..79112563a25a 100644
> --- a/drivers/net/ethernet/cavium/thunder/thunder_bgx.c
> +++ b/drivers/net/ethernet/cavium/thunder/thunder_bgx.c
> @@ -1008,7 +1008,7 @@ static void bgx_print_qlm_mode(struct bgx *bgx, u8 lmacid)
> {
> struct device *dev = &bgx->pdev->dev;
> struct lmac *lmac;
> - char str[20];
> + char str[27];
>
> if (!bgx->is_dlm && lmacid)
> return;
>
Powered by blists - more mailing lists