lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-Id: <20240705-bnxt-str-v1-3-bafc769ed89e@kernel.org>
Date: Fri, 05 Jul 2024 12:26:49 +0100
From: Simon Horman <horms@...nel.org>
To: "David S. Miller" <davem@...emloft.net>, 
 Eric Dumazet <edumazet@...gle.com>, Jakub Kicinski <kuba@...nel.org>, 
 Paolo Abeni <pabeni@...hat.com>
Cc: Michael Chan <michael.chan@...adcom.com>, netdev@...r.kernel.org
Subject: [PATCH net-next 3/3] bnxt_en: avoid truncation of per rx run
 debugfs filename

Although it seems unlikely in practice - there would need to be
rx ring indexes greater than 10^10 - it is theoretically possible
for the filename of per rx ring debugfs files to be truncated.

This is because although a 16 byte buffer is provided, the length
of the filename is restricted to 10 bytes. Remove this restriction
and allow the entire buffer to be used.

Also reduce the buffer to 12 bytes, which is sufficient.

Given that the range of rx ring indexes likely much smaller than the
maximum range of a 32-bit signed integer, a smaller buffer could be
used, with some further changes.  But this change seems simple, robust,
and has minimal stack overhead.

Flagged by gcc-14:

  .../bnxt_debugfs.c: In function 'bnxt_debug_dev_init':
  drivers/net/ethernet/broadcom/bnxt/bnxt_debugfs.c:69:30: warning: '%d' directive output may be truncated writing between 1 and 11 bytes into a region of size 10 [-Wformat-truncation=]
     69 |         snprintf(qname, 10, "%d", ring_idx);
        |                              ^~
  In function 'debugfs_dim_ring_init',
      inlined from 'bnxt_debug_dev_init' at .../bnxt_debugfs.c:87:4:
  .../bnxt_debugfs.c:69:29: note: directive argument in the range [-2147483643, 2147483646]
     69 |         snprintf(qname, 10, "%d", ring_idx);
        |                             ^~~~
  .../bnxt_debugfs.c:69:9: note: 'snprintf' output between 2 and 12 bytes into a destination of size 10
     69 |         snprintf(qname, 10, "%d", ring_idx);
        |         ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Compile tested only

Signed-off-by: Simon Horman <horms@...nel.org>
---
 drivers/net/ethernet/broadcom/bnxt/bnxt_debugfs.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt_debugfs.c b/drivers/net/ethernet/broadcom/bnxt/bnxt_debugfs.c
index 156c2404854f..127b7015f676 100644
--- a/drivers/net/ethernet/broadcom/bnxt/bnxt_debugfs.c
+++ b/drivers/net/ethernet/broadcom/bnxt/bnxt_debugfs.c
@@ -64,9 +64,9 @@ static const struct file_operations debugfs_dim_fops = {
 static void debugfs_dim_ring_init(struct dim *dim, int ring_idx,
 				  struct dentry *dd)
 {
-	static char qname[16];
+	static char qname[12];
 
-	snprintf(qname, 10, "%d", ring_idx);
+	snprintf(qname, sizeof(qname), "%d", ring_idx);
 	debugfs_create_file(qname, 0600, dd, dim, &debugfs_dim_fops);
 }
 

-- 
2.43.0

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ