| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <d1b19770-dbee-47d0-a146-409de76dee42@kernel.org>
Date: Fri, 13 Jun 2025 17:46:38 +0200
From: Danilo Krummrich <dakr@...nel.org>
To: Jacob Keller <jacob.e.keller@...el.com>
Cc: Lyude Paul <lyude@...hat.com>, David Airlie <airlied@...il.com>,
Simona Vetter <simona@...ll.ch>, Ben Skeggs <bskeggs@...hat.com>,
Pierre Moreau <pierre.morrow@...e.fr>,
Christophe JAILLET <christophe.jaillet@...adoo.fr>,
Philip Li <philip.li@...el.com>, dri-devel@...ts.freedesktop.org,
nouveau@...ts.freedesktop.org, linux-kernel@...r.kernel.org,
kernel test robot <lkp@...el.com>, Timur Tabi <ttabi@...dia.com>
Subject: Re: [PATCH v2] drm/nouveau/bl: increase buffer size to avoid truncate
warning
On 6/10/25 11:54 PM, Jacob Keller wrote:
> The nouveau_get_backlight_name() function generates a unique name for the
> backlight interface, appending an id from 1 to 99 for all backlight devices
> after the first.
>
> GCC 15 (and likely other compilers) produce the following
> -Wformat-truncation warning:
>
> nouveau_backlight.c: In function ‘nouveau_backlight_init’:
> nouveau_backlight.c:56:69: error: ‘%d’ directive output may be truncated writing between 1 and 10 bytes into a region of size 3 [-Werror=format-truncation=]
> 56 | snprintf(backlight_name, BL_NAME_SIZE, "nv_backlight%d", nb);
> | ^~
> In function ‘nouveau_get_backlight_name’,
> inlined from ‘nouveau_backlight_init’ at nouveau_backlight.c:351:7:
> nouveau_backlight.c:56:56: note: directive argument in the range [1, 2147483647]
> 56 | snprintf(backlight_name, BL_NAME_SIZE, "nv_backlight%d", nb);
> | ^~~~~~~~~~~~~~~~
> nouveau_backlight.c:56:17: note: ‘snprintf’ output between 14 and 23 bytes into a destination of size 15
> 56 | snprintf(backlight_name, BL_NAME_SIZE, "nv_backlight%d", nb);
> | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>
> The warning started appearing after commit ab244be47a8f ("drm/nouveau:
> Fix a potential theorical leak in nouveau_get_backlight_name()") This fix
> for the ida usage removed the explicit value check for ids larger than 99.
> The compiler is unable to intuit that the ida_alloc_max() limits the
> returned value range between 0 and 99.
>
> Because the compiler can no longer infer that the number ranges from 0 to
> 99, it thinks that it could use as many as 11 digits (10 + the potential -
> sign for negative numbers).
>
> The warning has gone unfixed for some time, with at least one kernel test
> robot report. The code breaks W=1 builds, which is especially frustrating
> with the introduction of CONFIG_WERROR.
>
> The string is stored temporarily on the stack and then copied into the
> device name. Its not a big deal to use 11 more bytes of stack rounding out
> to an even 24 bytes. Increase BL_NAME_SIZE to 24 to avoid the truncation
> warning. This fixes the W=1 builds that include this driver.
>
> Compile tested only.
>
> Fixes: ab244be47a8f ("drm/nouveau: Fix a potential theorical leak in nouveau_get_backlight_name()")
> Reported-by: kernel test robot <lkp@...el.com>
> Closes: https://lore.kernel.org/oe-kbuild-all/202312050324.0kv4PnfZ-lkp@intel.com/
> Suggested-by: Timur Tabi <ttabi@...dia.com>
> Signed-off-by: Jacob Keller <jacob.e.keller@...el.com>
Applied to drm-misc-fixes, thanks!
Powered by blists - more mailing lists