
[PATCH 2/5] kallsyms: replace sprintf with scnprintf

From: Maninder Singh <hidden>
Date: 2022-05-20 08:40:00
Also in: linux-fsdevel, linux-modules, linux-s390, linux-scsi, lkml
Subsystem: the rest · Maintainer: Linus Torvalds

Replace the sprintf API with scnprintf, which prevents buffer overflow.

Co-developed-by: Onkarnath <redacted>
Signed-off-by: Onkarnath <redacted>
Signed-off-by: Maninder Singh <redacted>
---
 kernel/kallsyms.c | 13 +++++++------
 1 file changed, 7 insertions(+), 6 deletions(-)
diff --git a/kernel/kallsyms.c b/kernel/kallsyms.c
index f354378e241f..9e4316fe0ba1 100644
--- a/kernel/kallsyms.c
+++ b/kernel/kallsyms.c
@@ -472,28 +472,29 @@ static int __sprint_symbol(char *buffer, size_t buf_size, unsigned long address,
 	name = kallsyms_lookup_buildid(address, &size, &offset, &modname, &buildid,
 				       buffer);
 	if (!name)
-		return sprintf(buffer, "0x%lx", address - symbol_offset);
+		return scnprintf(buffer, buf_size, "0x%lx", address - symbol_offset);
 
 	if (name != buffer)
-		strcpy(buffer, name);
+		strncpy(buffer, name, buf_size);
+
 	len = strlen(buffer);
 	offset -= symbol_offset;
 
 	if (add_offset)
-		len += sprintf(buffer + len, "+%#lx/%#lx", offset, size);
+		len += scnprintf(buffer + len, buf_size - len, "+%#lx/%#lx", offset, size);
 
 	if (modname) {
-		len += sprintf(buffer + len, " [%s", modname);
+		len += scnprintf(buffer + len, buf_size - len, " [%s", modname);
 #if IS_ENABLED(CONFIG_STACKTRACE_BUILD_ID)
 		if (add_buildid && buildid) {
 			/* build ID should match length of sprintf */
 #if IS_ENABLED(CONFIG_MODULES)
 			static_assert(sizeof(typeof_member(struct module, build_id)) == 20);
 #endif
-			len += sprintf(buffer + len, " %20phN", buildid);
+			len += scnprintf(buffer + len, buf_size - len, " %20phN", buildid);
 		}
 #endif
-		len += sprintf(buffer + len, "]");
+		len += scnprintf(buffer + len, buf_size - len, "]");
 	}
 
 	return len;
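Review bot: The added `strncpy(buffer, name, buf_size);` leaves `buffer` without a NUL terminator whenever `name` is `buf_size` bytes or longer, so the `strlen(buffer)` right after it can read past the end of the buffer. In that case `len` exceeds `buf_size`, and `buf_size - len` in the later scnprintf calls can wrap around as a size_t, which defeats the bound this patch is adding. Use `strscpy(buffer, name, buf_size);` instead, since it always terminates within the given size. The comment `/* build ID should match length of sprintf */` is now stale and could name scnprintf. __sprint_symbol begins before and ends after this hunk, so the `buf_size` values callers pass are not visible here.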
-- 
2.17.1