[21/22] fscache: fix fscache_objlist_show format processing

Message ID 20170714120720.906842-22-arnd@arndb.de
State Accepted
Commit ebfddb3d447f5267c76680ea4d242e6f9bcafa87
Headers show
Series
  • gcc-7 -Wformat-* warnings
Related show

Commit Message

Arnd Bergmann July 14, 2017, 12:07 p.m.
gcc points out a minor bug in the handling of unknown
cookie types, which could result in a string overflow
when the integer is copied into a 3-byte string:

fs/fscache/object-list.c: In function 'fscache_objlist_show':
fs/fscache/object-list.c:265:19: error: 'sprintf' may write a terminating nul past the end of the destination [-Werror=format-overflow=]
 sprintf(_type, "%02u", cookie->def->type);
                ^~~~~~
fs/fscache/object-list.c:265:4: note: 'sprintf' output between 3 and 4 bytes into a destination of size 3

This is currently harmless as no code sets a type other
than 0 or 1, but it makes sense to use snprintf() here
to avoid overflowing the array if that changes.

Signed-off-by: Arnd Bergmann <arnd@arndb.de>

---
 fs/fscache/object-list.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

-- 
2.9.0

Comments

Jérémy Lefaure Sept. 4, 2017, 6:29 p.m. | #1
> gcc points out a minor bug in the handling of unknown

> cookie types, which could result in a string overflow

> when the integer is copied into a 3-byte string:

> 

> fs/fscache/object-list.c: In function 'fscache_objlist_show':

> fs/fscache/object-list.c:265:19: error: 'sprintf' may write a

> terminating nul past the end of the destination

> [-Werror=format-overflow=] sprintf(_type, "%02u", cookie->def->type);

> ^~~~~~ fs/fscache/object-list.c:265:4: note: 'sprintf' output between

> 3 and 4 bytes into a destination of size 3

> 

> This is currently harmless as no code sets a type other

> than 0 or 1, but it makes sense to use snprintf() here

> to avoid overflowing the array if that changes.

> 

> Signed-off-by: Arnd Bergmann <arnd@arndb.de>

> ---

Hi,
I sent a patch to fix this issue in April [1]. It was accepted by David
Howells [2]. I don't know why it wasn't upstreamed.

>  fs/fscache/object-list.c | 3 ++-

>  1 file changed, 2 insertions(+), 1 deletion(-)

> 

> diff --git a/fs/fscache/object-list.c b/fs/fscache/object-list.c

> index 67f940892ef8..b5ab06fabc60 100644

> --- a/fs/fscache/object-list.c

> +++ b/fs/fscache/object-list.c

> @@ -262,7 +262,8 @@ static int fscache_objlist_show(struct seq_file

> *m, void *v) type = "DT";

>  			break;

>  		default:

> -			sprintf(_type, "%02u", cookie->def->type);

> +			snprintf(_type, sizeof(_type), "%02u",

> +				 cookie->def->type);

>  			type = _type;

>  			break;

>  		}

In my patch I didn't use snprintf (which is fine) but I used the
hexadecimal value (as it is in the documentation [3]). Is it too late
to change this patch ? If it is, I can send a patch to use an hex value.

Thank you,
Jérémy

[1]: https://marc.info/?l=linux-kernel&m=149263432022839&w=4
[2]: https://marc.info/?l=linux-kernel&m=149330544916184&w=4
[3]: see Documentation/filesystems/caching/fscache.txt

Patch

diff --git a/fs/fscache/object-list.c b/fs/fscache/object-list.c
index 67f940892ef8..b5ab06fabc60 100644
--- a/fs/fscache/object-list.c
+++ b/fs/fscache/object-list.c
@@ -262,7 +262,8 @@  static int fscache_objlist_show(struct seq_file *m, void *v)
 			type = "DT";
 			break;
 		default:
-			sprintf(_type, "%02u", cookie->def->type);
+			snprintf(_type, sizeof(_type), "%02u",
+				 cookie->def->type);
 			type = _type;
 			break;
 		}