lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date:   Mon, 4 Dec 2023 08:35:55 +0100
From:   Juergen Gross <jgross@...e.com>
To:     kernel test robot <lkp@...el.com>
Cc:     oe-kbuild-all@...ts.linux.dev, linux-kernel@...r.kernel.org,
        Paul Durrant <paul.durrant@...rix.com>
Subject: Re: drivers/xen/manage.c:337:60: warning: '%s' directive output may
 be truncated writing up to 95 bytes into a region of size 12

On 03.12.23 20:55, kernel test robot wrote:
> Hi Juergen,
> 
> FYI, the error/warning still remains.
> 
> tree:   https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
> head:   33cc938e65a98f1d29d0a18403dbbee050dcad9a
> commit: 44b3c7af02ca2701b6b90ee30c9d1d9c3ae07653 xenbus: advertise control feature flags
> date:   7 years ago
> config: x86_64-randconfig-015-20231009 (https://download.01.org/0day-ci/archive/20231204/202312040309.sACmAKoo-lkp@intel.com/config)
> compiler: gcc-12 (Debian 12.2.0-14) 12.2.0
> reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20231204/202312040309.sACmAKoo-lkp@intel.com/reproduce)
> 
> If you fix the issue in a separate patch/commit (i.e. not just a new version of
> the same patch/commit), kindly add following tags
> | Reported-by: kernel test robot <lkp@...el.com>
> | Closes: https://lore.kernel.org/oe-kbuild-all/202312040309.sACmAKoo-lkp@intel.com/
> 
> All warnings (new ones prefixed by >>):
> 
>     In file included from include/linux/kobject.h:21,
>                      from include/linux/device.h:17,
>                      from include/linux/node.h:17,
>                      from include/linux/cpu.h:16,
>                      from include/linux/stop_machine.h:4,
>                      from drivers/xen/manage.c:12:
>     include/linux/sysfs.h: In function 'sysfs_get_dirent':
>     include/linux/sysfs.h:517:44: warning: pointer targets in passing argument 2 of 'kernfs_find_and_get' differ in signedness [-Wpointer-sign]
>       517 |         return kernfs_find_and_get(parent, name);
>           |                                            ^~~~
>           |                                            |
>           |                                            const unsigned char *
>     In file included from include/linux/sysfs.h:15:
>     include/linux/kernfs.h:440:57: note: expected 'const char *' but argument is of type 'const unsigned char *'
>       440 | kernfs_find_and_get(struct kernfs_node *kn, const char *name)
>           |                                             ~~~~~~~~~~~~^~~~
>     drivers/xen/manage.c: In function 'shutdown_event':
>>> drivers/xen/manage.c:337:60: warning: '%s' directive output may be truncated writing up to 95 bytes into a region of size 12 [-Wformat-truncation=]
>       337 |                 snprintf(node, FEATURE_PATH_SIZE, "feature-%s",
>           |                                                            ^~
>     In function 'setup_shutdown_watcher',
>         inlined from 'shutdown_event' at drivers/xen/manage.c:349:2:
>     drivers/xen/manage.c:337:17: note: 'snprintf' output between 9 and 104 bytes into a destination of size 20
>       337 |                 snprintf(node, FEATURE_PATH_SIZE, "feature-%s",
>           |                 ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>       338 |                          shutdown_handlers[idx].command);
>           |                          ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

IMHO this is a false analysis.

shutdown_handlers[] is:

struct shutdown_handler {
#define SHUTDOWN_CMD_SIZE 11
         const char command[SHUTDOWN_CMD_SIZE];
         bool flag;
         void (*cb)(void);
};

static struct shutdown_handler shutdown_handlers[] = {
         { "poweroff",   true,   do_poweroff },
         { "halt",       false,  do_poweroff },
         { "reboot",     true,   do_reboot   },
#ifdef CONFIG_HIBERNATE_CALLBACKS
         { "suspend",    true,   do_suspend  },
#endif
};

And it is never changed.

We have:

#define FEATURE_PATH_SIZE (SHUTDOWN_CMD_SIZE + sizeof("feature-"))
         char node[FEATURE_PATH_SIZE];

So how on earth could the snprintf() destination not be large enough?

> vim +337 drivers/xen/manage.c
> 
>     333	
>     334		for (idx = 0; idx < ARRAY_SIZE(shutdown_handlers); idx++) {
>     335			if (!shutdown_handlers[idx].flag)
>     336				continue;
>   > 337			snprintf(node, FEATURE_PATH_SIZE, "feature-%s",
>     338				 shutdown_handlers[idx].command);
>     339			xenbus_printf(XBT_NIL, "control", node, "%u", 1);
>     340		}
>     341	
>     342		return 0;
>     343	}
>     344	
> 


Juergen

Download attachment "OpenPGP_0xB0DE9DD628BF132F.asc" of type "application/pgp-keys" (3684 bytes)

Download attachment "OpenPGP_signature.asc" of type "application/pgp-signature" (496 bytes)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ