From patchwork Mon Nov 28 21:04:14 2016
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Arnd Bergmann <arnd@arndb.de>
X-Patchwork-Id: 101449
Delivered-To: patch@linaro.org
Received: by 10.182.1.168 with SMTP id 8csp1906058obn;
 Mon, 28 Nov 2016 13:04:59 -0800 (PST)
X-Received: by 10.84.178.195 with SMTP id z61mr54939326plb.176.1480367099824; 
 Mon, 28 Nov 2016 13:04:59 -0800 (PST)
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
 by mx.google.com with ESMTP id
 w17si31595974pge.203.2016.11.28.13.04.59; 
 Mon, 28 Nov 2016 13:04:59 -0800 (PST)
Received-SPF: pass (google.com: best guess record for domain of
 linux-kernel-owner@vger.kernel.org designates 209.132.180.67
 as permitted sender) client-ip=209.132.180.67; 
Authentication-Results: mx.google.com;
 spf=pass (google.com: best guess record for domain of
 linux-kernel-owner@vger.kernel.org designates 209.132.180.67
 as permitted sender)
 smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
 id S1755301AbcK1VE4 (ORCPT <rfc822;julien.grall@linaro.org>
 + 25 others); Mon, 28 Nov 2016 16:04:56 -0500
Received: from mout.kundenserver.de ([212.227.17.10]:64205 "EHLO
 mout.kundenserver.de" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
 with ESMTP id S1754243AbcK1VEr (ORCPT
 <rfc822;linux-kernel@vger.kernel.org>);
 Mon, 28 Nov 2016 16:04:47 -0500
Received: from wuerfel.lan ([78.43.21.235]) by mrelayeu.kundenserver.de
 (mreue103 [212.227.15.145]) with ESMTPA (Nemesis) id
 0MQ8It-1c7sCl0gYl-005DyV; Mon, 28 Nov 2016 22:04:36 +0100
From: Arnd Bergmann <arnd@arndb.de>
To: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
 Jiri Slaby <jslaby@suse.com>
Cc: Arnd Bergmann <arnd@arndb.de>, Peter Hurley <peter@hurleysoftware.com>,
 linux-kernel@vger.kernel.org
Subject: [PATCH] tty: nozomi: avoid sprintf buffer overflow
Date: Mon, 28 Nov 2016 22:04:14 +0100
Message-Id: <20161128210433.2291532-1-arnd@arndb.de>
X-Mailer: git-send-email 2.9.0
X-Provags-ID: V03:K0:fKnY99q/PvTmP1TxZnIN887Gu8nessf3j3Kht4VUp9QOTtDCmvr
 EMoSYAZkafUAlQrboyQSsIhJHBlx8ppGGeNSwi+gAEuZwAak2vIar9K0SAthBP90kaIiQhb
 5v/bMvwlJzJyYLCsEaE9c/WgXfBLdrX0f3dy3lzFxvrsN8wUpjaqvmwuoFMK4JQ2/5KxPpR
 FPyDwMEFS0tGIoBx6DOXg==
X-UI-Out-Filterresults: notjunk:1; V01:K0:2PWdlZBJKtY=:sIfeQQCzQgEBukLcOiturM
 Y7ARjH65NBmOCnpL9C2RxMs3nCXssQfFC7hbkieh7lv7nJOHhb9pzfVBCMMfHf+oCr9qNUQVL
 GUH7w2Sw8nbaBsmRlkFu9R6/1QTreCujtDj2gO8zW2lbGSHsDR1DQTjkqi2RWtdIkyIZwO0bR
 iaPyy3tEdzVVUrH4vC0css4BdnF5Io6MMhq30/Zw5dm2o/ejN8Qgfe8P39PBGeR/uhvgeB/Vm
 9wj9GOfblUNcHNoyVCfEgpu0YCMzmk3g0NKJHP5UzdN4JS2h+pSgwRLm8BeQjykLpYQLkp//g
 jPMOipPm+k6wUO35ZMyzQs/TKx5bb91M3IM0gXyiCHQRJ8/qi0rXD9FwxA1d5Tkt78FCHwoxY
 w1bLV0sWDAfvTOGC28PDQacFuhoDsO/yi6DS+KMubejWtZKIl08R00y4su9+Icw8SKTLrP6b4
 woUOE2tYWUrAhKlJHJ18mPojeYkdfgZ9BF3smavsrKZ7dsB19AcchjJmuQ3MUXKQPLr1hAeJI
 t/aU2NQ6j6pLv7CWi8VpGbD8U0lTRjrMWQ4mJHrhQmptTYRkme30vYCdGab8qyqZtvDxN281r
 WxARZO4fHiTIhXqKpGHmIUvCWwuUP52uGn44wIlRluRVzJUGPwz60tCv/gdWWSykCJCLOvhnu
 8lOKcnsxG9SRAykjKfgGT+JYeSYI0cuMNMAhvad60exbe8awKGLMmtsKXWKCAmqucI+w=
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

Testing with a gcc-7 snapshot produced an internal compiler error
for this file:

drivers/tty/nozomi.c: In function 'receive_flow_control':
drivers/tty/nozomi.c:919:12: internal compiler error: in get_substring_ranges_for_loc, at input.c:1388
 static int receive_flow_control(struct nozomi *dc)

I've reported this at https://gcc.gnu.org/bugzilla/show_bug.cgi?id=78569
but also noticed that the code line contains a stack overflow, as it prints
a string into a slightly shorter fixed-length 'tmp' variable.

I don't see any point in the temporary variable, we can simply use
pr_debug() to print the output directly. This change should not change
any of the output but avoids both the stack overflow and the gcc
crash.

The stack overflow will not happen unless a module load parameter is
also set to enable the debug messages.

Signed-off-by: Arnd Bergmann <arnd@arndb.de>
---
 drivers/tty/nozomi.c | 9 ++-------
 1 file changed, 2 insertions(+), 7 deletions(-)

-- 
2.9.0

diff --git a/drivers/tty/nozomi.c b/drivers/tty/nozomi.c
index e2020a691058..17a182b28d52 100644
--- a/drivers/tty/nozomi.c
+++ b/drivers/tty/nozomi.c
@@ -69,13 +69,8 @@
 #define NOZOMI_DEBUG_LEVEL 0x00
 
 #define P_BUF_SIZE 128
-#define NFO(_err_flag_, args...)				\
-do {								\
-	char tmp[P_BUF_SIZE];					\
-	snprintf(tmp, sizeof(tmp), ##args);			\
-	printk(_err_flag_ "[%d] %s(): %s\n", __LINE__,		\
-		__func__, tmp);				\
-} while (0)
+#define NFO(_err_flag_, fmt, args...)					\
+	pr_debug("[%d] %s(): " fmt "\n", __LINE__, __func__,  ##args);
 
 #define DBG1(args...) D_(0x01, ##args)
 #define DBG2(args...) D_(0x02, ##args)