lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-Id: <20240705-bnxt-str-v1-2-bafc769ed89e@kernel.org>
Date: Fri, 05 Jul 2024 12:26:48 +0100
From: Simon Horman <horms@...nel.org>
To: "David S. Miller" <davem@...emloft.net>, 
 Eric Dumazet <edumazet@...gle.com>, Jakub Kicinski <kuba@...nel.org>, 
 Paolo Abeni <pabeni@...hat.com>
Cc: Michael Chan <michael.chan@...adcom.com>, netdev@...r.kernel.org
Subject: [PATCH net-next 2/3] bnxt_en: check for irq name truncation

Given the sizes of the buffers involved, it is theoretically
possible for irq names to be truncated. Detect this and
propagate an error if this occurs.

Flagged by gcc-14:

  .../bnxt.c: In function 'bnxt_setup_int_mode':
  .../bnxt.c:10584:48: warning: '%s' directive output may be truncated writing 4 bytes into a region of size between 2 and 17 [-Wformat-truncation=]
  10584 |         snprintf(bp->irq_tbl[0].name, len, "%s-%s-%d", bp->dev->name, "TxRx",
        |                                                ^~                     ~~~~~~
  In function 'bnxt_setup_inta',
      inlined from 'bnxt_setup_int_mode' at .../bnxt.c:10604:3:
  .../bnxt.c:10584:9: note: 'snprintf' output between 8 and 23 bytes into a destination of size 18
  10584 |         snprintf(bp->irq_tbl[0].name, len, "%s-%s-%d", bp->dev->name, "TxRx",
        |         ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  10585 |                  0);
        |                  ~~
  .../bnxt.c: In function 'bnxt_setup_int_mode':
  .../bnxt.c:10569:62: warning: '%s' directive output may be truncated writing between 2 and 4 bytes into a region of size between 2 and 17 [-Wformat-truncation=]
  10569 |                 snprintf(bp->irq_tbl[map_idx].name, len, "%s-%s-%d", dev->name,
        |                                                              ^~
  In function 'bnxt_setup_msix',
      inlined from 'bnxt_setup_int_mode' at .../bnxt.c:10602:3:
  .../bnxt.c:10569:58: note: directive argument in the range [-2147483643, 2147483646]
  10569 |                 snprintf(bp->irq_tbl[map_idx].name, len, "%s-%s-%d", dev->name,
        |                                                          ^~~~~~~~~~
  .../bnxt.c:10569:17: note: 'snprintf' output between 6 and 33 bytes into a destination of size 18
  10569 |                 snprintf(bp->irq_tbl[map_idx].name, len, "%s-%s-%d", dev->name,
        |                 ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  10570 |                          attr, i);
        |                          ~~~~~~~~

Compile tested only.

Signed-off-by: Simon Horman <horms@...nel.org>
---
 drivers/net/ethernet/broadcom/bnxt/bnxt.c | 30 ++++++++++++++++++++++--------
 1 file changed, 22 insertions(+), 8 deletions(-)

diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt.c b/drivers/net/ethernet/broadcom/bnxt/bnxt.c
index 220d05e2f6fa..15e68c8e599d 100644
--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.c
+++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.c
@@ -10538,7 +10538,7 @@ static int bnxt_trim_rings(struct bnxt *bp, int *rx, int *tx, int max,
 	return __bnxt_trim_rings(bp, rx, tx, max, sh);
 }
 
-static void bnxt_setup_msix(struct bnxt *bp)
+static int bnxt_setup_msix(struct bnxt *bp)
 {
 	const int len = sizeof(bp->irq_tbl[0].name);
 	struct net_device *dev = bp->dev;
@@ -10558,6 +10558,7 @@ static void bnxt_setup_msix(struct bnxt *bp)
 	for (i = 0; i < bp->cp_nr_rings; i++) {
 		int map_idx = bnxt_cp_num_to_irq_num(bp, i);
 		char *attr;
+		int rc;
 
 		if (bp->flags & BNXT_FLAG_SHARED_RINGS)
 			attr = "TxRx";
@@ -10566,24 +10567,35 @@ static void bnxt_setup_msix(struct bnxt *bp)
 		else
 			attr = "tx";
 
-		snprintf(bp->irq_tbl[map_idx].name, len, "%s-%s-%d", dev->name,
-			 attr, i);
+		rc = snprintf(bp->irq_tbl[map_idx].name, len, "%s-%s-%d",
+			      dev->name, attr, i);
+		if (rc >= len)
+			return -E2BIG;
 		bp->irq_tbl[map_idx].handler = bnxt_msix;
 	}
+
+	return 0;
 }
 
-static void bnxt_setup_inta(struct bnxt *bp)
+static int bnxt_setup_inta(struct bnxt *bp)
 {
 	const int len = sizeof(bp->irq_tbl[0].name);
+	int rc;
+
 
 	if (bp->num_tc) {
 		netdev_reset_tc(bp->dev);
 		bp->num_tc = 0;
 	}
 
-	snprintf(bp->irq_tbl[0].name, len, "%s-%s-%d", bp->dev->name, "TxRx",
-		 0);
+	rc = snprintf(bp->irq_tbl[0].name, len, "%s-%s-%d", bp->dev->name,
+		      "TxRx", 0);
+	if (rc >= len)
+		return -E2BIG;
+
 	bp->irq_tbl[0].handler = bnxt_inta;
+
+	return 0;
 }
 
 static int bnxt_init_int_mode(struct bnxt *bp);
@@ -10599,9 +10611,11 @@ static int bnxt_setup_int_mode(struct bnxt *bp)
 	}
 
 	if (bp->flags & BNXT_FLAG_USING_MSIX)
-		bnxt_setup_msix(bp);
+		rc = bnxt_setup_msix(bp);
 	else
-		bnxt_setup_inta(bp);
+		rc = bnxt_setup_inta(bp);
+	if (rc)
+		return rc;
 
 	rc = bnxt_set_real_num_queues(bp);
 	return rc;

-- 
2.43.0

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ