[PATCH V2 3/6] drm/i915/gvt: Use snprintf() to prevent possible buffer overflow.

Colin Xu Colin.Xu at intel.com
Fri Apr 12 01:32:29 UTC 2019


On 2019-04-11 18:46, Aleksei Gimbitskii wrote:
> For printing the intel_vgpu->id, a buffer with fixed length is allocated
> on the stack. But if vgpu->id is greater than 6 characters, the buffer
> overflow will happen. Even the string of the amount of max vgpu is less
> that the length buffer right now, it's better to replace sprintf() with
> snprintf().
>
> v2:
> - Increase the size of the buffer. (Colin Xu)
>
> This patch fixed the critical issue #673 reported by klocwork.
>
> Signed-off-by: Aleksei Gimbitskii <aleksei.gimbitskii at intel.com>
> Cc: Zhenyu Wang <zhenyuw at linux.intel.com>
> Cc: Zhi Wang <zhi.a.wang at intel.com>
> Cc: Colin Xu <colin.xu at intel.com>
> ---
Reviewed-by: Colin Xu <colin.xu at intel.com>

Thanks for the fix!
>   drivers/gpu/drm/i915/gvt/debugfs.c | 4 ++--
>   1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/gpu/drm/i915/gvt/debugfs.c b/drivers/gpu/drm/i915/gvt/debugfs.c
> index 2ec89bcb59f1..8a9606f91e68 100644
> --- a/drivers/gpu/drm/i915/gvt/debugfs.c
> +++ b/drivers/gpu/drm/i915/gvt/debugfs.c
> @@ -196,9 +196,9 @@ DEFINE_SIMPLE_ATTRIBUTE(vgpu_scan_nonprivbb_fops,
>   int intel_gvt_debugfs_add_vgpu(struct intel_vgpu *vgpu)
>   {
>   	struct dentry *ent;
> -	char name[10] = "";
> +	char name[16] = "";
>   
> -	sprintf(name, "vgpu%d", vgpu->id);
> +	snprintf(name, 16, "vgpu%d", vgpu->id);
>   	vgpu->debugfs = debugfs_create_dir(name, vgpu->gvt->debugfs_root);
>   	if (!vgpu->debugfs)
>   		return -ENOMEM;

-- 
Best Regards,
Colin Xu



More information about the intel-gvt-dev mailing list