| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <6d348789-dcfa-4119-8005-5e3e128fc76f@intel.com>
Date: Wed, 12 Nov 2025 16:06:57 +0100
From: Cezary Rojewski <cezary.rojewski@...el.com>
To: David Laight <david.laight.linux@...il.com>, <hariconscious@...il.com>
CC: <liam.r.girdwood@...ux.intel.com>, <peter.ujfalusi@...ux.intel.com>,
<yung-chuan.liao@...ux.intel.com>, <ranjani.sridharan@...ux.intel.com>,
<kai.vehmanen@...ux.intel.com>, <pierre-louis.bossart@...ux.dev>,
<broonie@...nel.org>, <perex@...ex.cz>, <tiwai@...e.com>,
<amadeuszx.slawinski@...ux.intel.com>, <sakari.ailus@...ux.intel.com>,
<khalid@...nel.org>, <shuah@...nel.org>, <david.hunter.linux@...il.com>,
<linux-sound@...r.kernel.org>, <linux-kernel@...r.kernel.org>
Subject: Re: [PATCH] ASoC: Intel: avs: Replace snprintf() with scnprintf()
On 2025-11-12 2:50 PM, David Laight wrote:
> On Wed, 12 Nov 2025 17:32:35 +0530
> hariconscious@...il.com wrote:
>
>> From: HariKrishna Sagala <hariconscious@...il.com>
>>
>> As per the C99 standard snprintf() returns the length of the data
>> that *would have been* written if there were enough space for it.
>> It's generally considered safer to use the scnprintf() variant.
Thank you for patch, HariKrishna.
>
> Did you actually read the code?
> In this case the code is actually rather buggy and can read beyond
> the end of 'buf[]'.
>
> Neither snprintf() nor scnprintf() ever return -1 on error.
> So the existing code will attempt to write past the end of buf[]
> if there are a lot of entries.
> Fortunately there is a test for negative lengths - so nothing is
> written past the end - but the read can return data off the end.
>
> Changing to scnprintf() stops this happening, but the user will get
> truncated data.
Both may discard characters. Regardless, I agree, when building strings
in iterative fashion, scnprintf() shall be used over snprintf().
Essentially, this patch is a fix, so a proper 'Fixes: ' tag is required
along with update to the commit message.
I'd start with dropping "It's generally considered safer to use the
scnprintf() variant." No guessing here. If you're wondering how to word
it, I'd suggesting to use Takashi's message from commit ca3b7b9dc9bc
("ASoC: Intel: avs: Fix potential buffer overflow by snprintf()") as a
reference.
In fact, the existing code could be simplified, however, the
simplification does not need to be part of the fix.
(for those wondering about the entry count - ~10 tops, AudioDSP firmware
limitation, +/- 1 depending on the SoC generation)
>
> David
>
>
>>
>> Link: https://github.com/KSPP/linux/issues/105
>> Signed-off-by: HariKrishna Sagala <hariconscious@...il.com>
>> ---
>> This patch replaces snprintf() varaint with scnprintf() in
>> scenario to know the actual length of the data rather than *would
>> have been* written data of snprintf().
>> No functional changes intended.
>> Reference Links:
>> https://lwn.net/Articles/69419/
>> https://www.kernel.org/doc/html/latest/core-api/kernel-api.html#c.snprintf
>>
>> Note:
>> Compile & boot tested with necessary config parameters.
>> Other areas of AVS uses scnprintf() variant.
>>
>> sound/soc/intel/avs/debugfs.c | 2 +-
>> 1 file changed, 1 insertion(+), 1 deletion(-)
>>
>> diff --git a/sound/soc/intel/avs/debugfs.c b/sound/soc/intel/avs/debugfs.c
>> index 3534de46f9e4..100b95bfcd78 100644
>> --- a/sound/soc/intel/avs/debugfs.c
>> +++ b/sound/soc/intel/avs/debugfs.c
>> @@ -119,7 +119,7 @@ static ssize_t probe_points_read(struct file *file, char __user *to, size_t coun
>> }
>>
>> for (i = 0; i < num_desc; i++) {
>> - ret = snprintf(buf + len, PAGE_SIZE - len,
>> + ret = scnprintf(buf + len, PAGE_SIZE - len,
>> "Id: %#010x Purpose: %d Node id: %#x\n",
>> desc[i].id.value, desc[i].purpose, desc[i].node_id.val);
Indentation is off, please adjust.
>> if (ret < 0)
>>
>> base-commit: 24172e0d79900908cf5ebf366600616d29c9b417
>
Powered by blists - more mailing lists