lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <20251013181620.2026326-1-hi@josie.lol>
Date: Mon, 13 Oct 2025 20:16:20 +0200
From: Josephine Pfeiffer <hi@...ie.lol>
To: Koby Elbaz <koby.elbaz@...el.com>,
	Konstantin Sinyuk <konstantin.sinyuk@...el.com>
Cc: Oded Gabbay <ogabbay@...nel.org>,
	dri-devel@...ts.freedesktop.org,
	linux-kernel@...r.kernel.org
Subject: [PATCH] accel/habanalabs: Replace sprintf with snprintf for buffer safety

Replace unbounded sprintf() calls with snprintf() in the RAZWI error
handler function gaudi2_ack_module_razwi_event_handler() to prevent
potential buffer overflows. The initiator_name buffer has a fixed size
of 64 bytes, and using snprintf() ensures writes cannot exceed this
boundary.

This change affects error reporting for different accelerator components
(TPC, MME, EDMA, PDMA, NIC, DEC, ROT, ARC_FARM) when Router AXI Write
Initiator errors occur on the Gaudi2 AI accelerator.

All 8 sprintf() calls in the switch statement have been converted to use
snprintf() with sizeof(initiator_name) as the size parameter.

Signed-off-by: Josephine Pfeiffer <hi@...ie.lol>
---
 drivers/accel/habanalabs/gaudi2/gaudi2.c | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)

diff --git a/drivers/accel/habanalabs/gaudi2/gaudi2.c b/drivers/accel/habanalabs/gaudi2/gaudi2.c
index b8c0689dba64..367902ac17a9 100644
--- a/drivers/accel/habanalabs/gaudi2/gaudi2.c
+++ b/drivers/accel/habanalabs/gaudi2/gaudi2.c
@@ -8479,7 +8479,7 @@ static void gaudi2_ack_module_razwi_event_handler(struct hl_device *hdev,
 
 	switch (module) {
 	case RAZWI_TPC:
-		sprintf(initiator_name, "TPC_%u", module_idx);
+		snprintf(initiator_name, sizeof(initiator_name), "TPC_%u", module_idx);
 		if (hdev->tpc_binning) {
 			binned_idx = __ffs(hdev->tpc_binning);
 			if (binned_idx == module_idx)
@@ -8490,7 +8490,7 @@ static void gaudi2_ack_module_razwi_event_handler(struct hl_device *hdev,
 		lbw_rtr_id = gaudi2_tpc_initiator_lbw_rtr_id[module_idx];
 		break;
 	case RAZWI_MME:
-		sprintf(initiator_name, "MME_%u", module_idx);
+		snprintf(initiator_name, sizeof(initiator_name), "MME_%u", module_idx);
 		switch (module_sub_idx) {
 		case MME_WAP0:
 			hbw_rtr_id = gaudi2_mme_initiator_rtr_id[module_idx].wap0;
@@ -8533,20 +8533,20 @@ static void gaudi2_ack_module_razwi_event_handler(struct hl_device *hdev,
 		lbw_rtr_mstr_if_base_addr = mmSFT0_LBW_RTR_IF_MSTR_IF_RR_SHRD_HBW_BASE +
 								dcore_id * SFT_DCORE_OFFSET;
 		via_sft = true;
-		sprintf(initiator_name, "EDMA_%u", module_idx);
+		snprintf(initiator_name, sizeof(initiator_name), "EDMA_%u", module_idx);
 		break;
 	case RAZWI_PDMA:
 		hbw_rtr_id = gaudi2_pdma_initiator_hbw_rtr_id[module_idx];
 		lbw_rtr_id = gaudi2_pdma_initiator_lbw_rtr_id[module_idx];
-		sprintf(initiator_name, "PDMA_%u", module_idx);
+		snprintf(initiator_name, sizeof(initiator_name), "PDMA_%u", module_idx);
 		break;
 	case RAZWI_NIC:
 		hbw_rtr_id = gaudi2_nic_initiator_hbw_rtr_id[module_idx];
 		lbw_rtr_id = gaudi2_nic_initiator_lbw_rtr_id[module_idx];
-		sprintf(initiator_name, "NIC_%u", module_idx);
+		snprintf(initiator_name, sizeof(initiator_name), "NIC_%u", module_idx);
 		break;
 	case RAZWI_DEC:
-		sprintf(initiator_name, "DEC_%u", module_idx);
+		snprintf(initiator_name, sizeof(initiator_name), "DEC_%u", module_idx);
 		if (hdev->decoder_binning) {
 			binned_idx = __ffs(hdev->decoder_binning);
 			if (binned_idx == module_idx)
@@ -8558,12 +8558,12 @@ static void gaudi2_ack_module_razwi_event_handler(struct hl_device *hdev,
 	case RAZWI_ROT:
 		hbw_rtr_id = gaudi2_rot_initiator_hbw_rtr_id[module_idx];
 		lbw_rtr_id = gaudi2_rot_initiator_lbw_rtr_id[module_idx];
-		sprintf(initiator_name, "ROT_%u", module_idx);
+		snprintf(initiator_name, sizeof(initiator_name), "ROT_%u", module_idx);
 		break;
 	case RAZWI_ARC_FARM:
 		lbw_rtr_id = DCORE1_RTR5;
 		hbw_rtr_id = DCORE1_RTR7;
-		sprintf(initiator_name, "ARC_FARM_%u", module_idx);
+		snprintf(initiator_name, sizeof(initiator_name), "ARC_FARM_%u", module_idx);
 		break;
 	default:
 		return;
-- 
2.51.0

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ