[PATCH 17/23] tools lib api: Fix filename__write_int() writing uninitialized stack data

Next message: Arnaldo Carvalho de Melo: "[PATCH 22/23] perf symbols: Add bounds checks to elf_read_build_id() note iteration"
Previous message: Kees Cook: "Re: [PATCH] x86/cfi: add __init_or_module annotations for fineibt"
In reply to: Arnaldo Carvalho de Melo: "[PATCH 19/23] perf bpf: Add NULL check for btf__type_by_id() in synthesize_bpf_prog_name()"
Next in thread: Arnaldo Carvalho de Melo: "[PATCH 22/23] perf symbols: Add bounds checks to elf_read_build_id() note iteration"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Arnaldo Carvalho de Melo

Date: Wed Jun 10 2026 - 15:57:09 EST

From: Arnaldo Carvalho de Melo <acme@xxxxxxxxxx>

filename__write_int() formats an integer into a 64-byte buffer with
sprintf() then passes sizeof(buf) (64) as the write length. This
writes all 64 bytes including uninitialized stack data past the
formatted string. Most sysfs files reject the oversized write,
making the function always return -1.

Fix by capturing the sprintf() return value and using it as the
write length.

Reported-by: sashiko-bot <sashiko-bot@xxxxxxxxxx>
Fixes: 3b00ea938653d136 ("tools lib api fs: Add sysfs__write_int function")
Cc: Kan Liang <kan.liang@xxxxxxxxx>
Assisted-by: Claude Opus 4.6 <noreply@xxxxxxxxxxxxx>
Signed-off-by: Arnaldo Carvalho de Melo <acme@xxxxxxxxxx>
---
tools/lib/api/fs/fs.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/tools/lib/api/fs/fs.c b/tools/lib/api/fs/fs.c
index 3cc302d4c47b1669..d16911818d4d3569 100644
--- a/tools/lib/api/fs/fs.c
+++ b/tools/lib/api/fs/fs.c
@@ -376,12 +376,13 @@ int filename__write_int(const char *filename, int value)
{
int fd = open(filename, O_WRONLY), err = -1;
char buf[64];
+ int len;

if (fd < 0)
return -errno;

- sprintf(buf, "%d", value);
- if (write(fd, buf, sizeof(buf)) == sizeof(buf))
+ len = sprintf(buf, "%d", value);
+ if (write(fd, buf, len) == len)
err = 0;

close(fd);
--
2.54.0