[PATCH v2 3/3] lockdown: Use snprintf in lockdown_read
From: Nikolay Borisov
Date: Mon Jul 28 2025 - 07:16:20 EST
Since individual features are now locked down separately ensure that if
the printing code is change to list them a buffer overrun won't be
introduced. As per Serge's recommendation switch from using sprintf to
using snprintf and return EINVAL in case longer than 80 char string hasi
to be printed.
Signed-off-by: Nikolay Borisov <nik.borisov@xxxxxxxx>
---
security/lockdown/lockdown.c | 12 ++++++++++--
1 file changed, 10 insertions(+), 2 deletions(-)
diff --git a/security/lockdown/lockdown.c b/security/lockdown/lockdown.c
index 412184121279..ed1dde41d7d3 100644
--- a/security/lockdown/lockdown.c
+++ b/security/lockdown/lockdown.c
@@ -112,11 +112,19 @@ static ssize_t lockdown_read(struct file *filp, char __user *buf, size_t count,
if (lockdown_reasons[level]) {
const char *label = lockdown_reasons[level];
+ int ret = 0;
+ int write_len = 80-offset;
+
if (test_bit(level, kernel_locked_down))
- offset += sprintf(temp+offset, "[%s] ", label);
+ ret = snprintf(temp+offset, write_len, "[%s] ", label);
else
- offset += sprintf(temp+offset, "%s ", label);
+ ret = snprintf(temp+offset, write_len, "%s ", label);
+
+ if (ret < 0 || ret >= write_len)
+ return -ENOMEM;
+
+ offset += ret;
}
}
--
2.34.1