Re: [PATCH v2] drm/msm: Replace unsafe snprintf usage with scnprintf

From: Dmitry Baryshkov
Date: Wed Dec 24 2025 - 10:39:20 EST


On Wed, Dec 24, 2025 at 12:44:22PM +0000, veygax wrote:
> From: Evan Lambert <veyga@xxxxxxxxxx>
>
> The refill_buf function uses snprintf to append to a fixed-size buffer.
> snprintf returns the length that would have been written, which can
> exceed the remaining buffer size. If this happens, ptr advances beyond
> the buffer and rem becomes negative. In the 2nd iteration, rem is
> treated as a large unsigned integer, causing snprintf to write oob.
>
> While this behavior is technically mitigated by num_perfcntrs being
> locked at 5, it's still unsafe if num_perfcntrs were ever to change/a
> second source was added.
>
> Signed-off-by: Evan Lambert <veyga@xxxxxxxxxx>
> ---
> v2: Use real name in Signed-off-by as requested by Dmitry Baryshkov.

Thanks!


Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@xxxxxxxxxxxxxxxx>



>
> drivers/gpu/drm/msm/msm_perf.c | 10 +++++-----
> 1 file changed, 5 insertions(+), 5 deletions(-)
>

--
With best wishes
Dmitry
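The accounting problem the commit message describes, as an added userspace example (not code from the patch or from msm_perf.c). `scnprintf_demo`, `append_names`, the 32-byte buffer and the `counter_name` string are constructed for illustration; `scnprintf_demo` is a stand-in for the kernel's scnprintf(), which does not exist in userspace.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Userspace stand-in for the kernel's scnprintf(): returns the characters
 * actually stored (excluding the NUL), so never more than size - 1. */
static int scnprintf_demo(char *buf, size_t size, const char *fmt, ...)
{
    va_list ap;
    int n;

    if (size == 0)
        return 0;
    va_start(ap, fmt);
    n = vsnprintf(buf, size, fmt, ap);
    va_end(ap);
    if (n < 0)
        return 0;
    return (size_t)n >= size ? (int)(size - 1) : n;
}

/* Append `count` copies of a constructed 12-character name into buf and
 * return the final rem. With use_scn == 0 the snprintf return value is
 * trusted; the loop stops once rem <= 0, the point where a size_t
 * conversion of rem would let the next call write out of bounds. */
static int append_names(char *buf, int size, int count, int use_scn)
{
    int off = 0, rem = size, i, n;

    for (i = 0; i < count && rem > 0; i++) {
        if (use_scn)
            n = scnprintf_demo(buf + off, (size_t)rem, "\t%s", "counter_name");
        else
            n = snprintf(buf + off, (size_t)rem, "\t%s", "counter_name");
        off += n;   /* offset, not a pointer, so nothing points past buf */
        rem -= n;
    }
    return rem;
}

int main(void)
{
    char buf[32];
    int rem;

    printf("snprintf:  rem = %d\n", append_names(buf, (int)sizeof(buf), 5, 0));
    rem = append_names(buf, (int)sizeof(buf), 5, 1);
    printf("scnprintf: rem = %d, strlen = %zu\n", rem, strlen(buf));
    return 0;
}
```

With snprintf the third append is truncated but still reports 13 characters, so rem drops below zero; with the scnprintf-style return value rem bottoms out at 1 and later appends become no-ops.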