Re: drivers/xen/manage.c:337:60: warning: '%s' directive output may be truncated writing up to 95 bytes into a region of size 12

From: Juergen Gross
Date: Mon Dec 04 2023 - 02:36:03 EST

On 03.12.23 20:55, kernel test robot wrote:
Hi Juergen,

FYI, the error/warning still remains.

tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
head: 33cc938e65a98f1d29d0a18403dbbee050dcad9a
commit: 44b3c7af02ca2701b6b90ee30c9d1d9c3ae07653 xenbus: advertise control feature flags
date: 7 years ago
config: x86_64-randconfig-015-20231009 (https://download.01.org/0day-ci/archive/20231204/202312040309.sACmAKoo-lkp@xxxxxxxxx/config)
compiler: gcc-12 (Debian 12.2.0-14) 12.2.0
reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20231204/202312040309.sACmAKoo-lkp@xxxxxxxxx/reproduce)

If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <lkp@xxxxxxxxx>
| Closes: https://lore.kernel.org/oe-kbuild-all/202312040309.sACmAKoo-lkp@xxxxxxxxx/

All warnings (new ones prefixed by >>):

In file included from include/linux/kobject.h:21,
from include/linux/device.h:17,
from include/linux/node.h:17,
from include/linux/cpu.h:16,
from include/linux/stop_machine.h:4,
from drivers/xen/manage.c:12:
include/linux/sysfs.h: In function 'sysfs_get_dirent':
include/linux/sysfs.h:517:44: warning: pointer targets in passing argument 2 of 'kernfs_find_and_get' differ in signedness [-Wpointer-sign]
517 | return kernfs_find_and_get(parent, name);
| ^~~~
| |
| const unsigned char *
In file included from include/linux/sysfs.h:15:
include/linux/kernfs.h:440:57: note: expected 'const char *' but argument is of type 'const unsigned char *'
440 | kernfs_find_and_get(struct kernfs_node *kn, const char *name)
| ~~~~~~~~~~~~^~~~
drivers/xen/manage.c: In function 'shutdown_event':
drivers/xen/manage.c:337:60: warning: '%s' directive output may be truncated writing up to 95 bytes into a region of size 12 [-Wformat-truncation=]
337 | snprintf(node, FEATURE_PATH_SIZE, "feature-%s",
| ^~
In function 'setup_shutdown_watcher',
inlined from 'shutdown_event' at drivers/xen/manage.c:349:2:
drivers/xen/manage.c:337:17: note: 'snprintf' output between 9 and 104 bytes into a destination of size 20
337 | snprintf(node, FEATURE_PATH_SIZE, "feature-%s",
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
338 | shutdown_handlers[idx].command);
| ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

IMHO this is a false analysis.

shutdown_handlers[] is:

struct shutdown_handler {
#define SHUTDOWN_CMD_SIZE 11
const char command[SHUTDOWN_CMD_SIZE];
bool flag;
void (*cb)(void);
};

static struct shutdown_handler shutdown_handlers[] = {
{ "poweroff", true, do_poweroff },
{ "halt", false, do_poweroff },
{ "reboot", true, do_reboot },
#ifdef CONFIG_HIBERNATE_CALLBACKS
{ "suspend", true, do_suspend },
#endif
};

And it is never changed.

We have:

#define FEATURE_PATH_SIZE (SHUTDOWN_CMD_SIZE + sizeof("feature-"))
char node[FEATURE_PATH_SIZE];

So how on earth could the snprintf() destination not be large enough?

vim +337 drivers/xen/manage.c

333
334 for (idx = 0; idx < ARRAY_SIZE(shutdown_handlers); idx++) {
335 if (!shutdown_handlers[idx].flag)
336 continue;
> 337 snprintf(node, FEATURE_PATH_SIZE, "feature-%s",
338 shutdown_handlers[idx].command);
339 xenbus_printf(XBT_NIL, "control", node, "%u", 1);
340 }
341
342 return 0;
343 }
344



Juergen

Attachment: OpenPGP_0xB0DE9DD628BF132F.asc
Description: OpenPGP public key

Attachment: OpenPGP_signature.asc
Description: OpenPGP digital signature