[PATCH 1/5] drm/amdgpu/pm: Use scnprintf() for avoiding potential buffer overflow

Takashi Iwai tiwai at suse.de
Wed Mar 11 07:32:28 UTC 2020


BTW, please ignore the subject prefix '[1/5]', which was added
mistakenly while extracting a patch from the commit list.
This is a single patch.


thanks,

Takashi

On Wed, 11 Mar 2020 08:29:04 +0100,
Takashi Iwai wrote:
> 
> Since snprintf() returns the would-be-output size instead of the
> actual output size, the succeeding calls may go beyond the given
> buffer limit.  Fix it by replacing with scnprintf().
> 
> Also adjust the size argument passed to scnprintf() so that it really
> cuts off at the right remaining buffer length.
> 
> Signed-off-by: Takashi Iwai <tiwai at suse.de>
> ---
>  drivers/gpu/drm/amd/amdgpu/amdgpu_pm.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_pm.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_pm.c
> index bc3cf04a1a94..4a737d074f4b 100644
> --- a/drivers/gpu/drm/amd/amdgpu/amdgpu_pm.c
> +++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_pm.c
> @@ -448,7 +448,7 @@ static ssize_t amdgpu_get_pp_num_states(struct device *dev,
>  
>  	buf_len = snprintf(buf, PAGE_SIZE, "states: %d\n", data.nums);
>  	for (i = 0; i < data.nums; i++)
> -		buf_len += snprintf(buf + buf_len, PAGE_SIZE, "%d %s\n", i,
> +		buf_len += scnprintf(buf + buf_len, PAGE_SIZE - buf_len, "%d %s\n", i,
>  				(data.states[i] == POWER_STATE_TYPE_INTERNAL_BOOT) ? "boot" :
>  				(data.states[i] == POWER_STATE_TYPE_BATTERY) ? "battery" :
>  				(data.states[i] == POWER_STATE_TYPE_BALANCED) ? "balanced" :
> -- 
> 2.16.4
> 


More information about the amd-gfx mailing list