Date: Sun, 30 Nov 2025 01:28:54 +0000
To: robin.clark@oss.qualcomm.com, lumag@kernel.org
From: veygax
Cc: abhinav.kumar@linux.dev, jessica.zhang@oss.qualcomm.com, sean@poorly.run, marijn.suijten@somainline.org, airlied@gmail.com, simona@ffwll.ch, linux-arm-msm@vger.kernel.org, dri-devel@lists.freedesktop.org, freedreno@lists.freedesktop.org, linux-kernel@vger.kernel.org, veygax
Subject: [PATCH] drm/msm: Replace unsafe snprintf usage with scnprintf
Message-ID: <20251130012834.142585-2-veyga@veygax.dev>
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

The refill_buf function uses snprintf to append to a fixed-size buffer.
snprintf returns the length that would have been written, which can
exceed the remaining buffer size. If this happens, ptr advances beyond
the buffer and rem becomes negative. In the 2nd iteration, rem is
treated as a large unsigned integer, causing snprintf to write oob.

While this behavior is technically mitigated by num_perfcntrs being
locked at 5, it's still unsafe if num_perfcntrs were ever to change/a
second source was added.

Signed-off-by: veygax
--- drivers/gpu/drm/msm/msm_perf.c | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/drivers/gpu/drm/msm/msm_perf.c b/drivers/gpu/drm/msm/msm_perf.c index d3c7889aaf26..c369d4acc378 100644 --- a/drivers/gpu/drm/msm/msm_perf.c +++ b/drivers/gpu/drm/msm/msm_perf.c
@@ -65,13 +65,13 @@ static int refill_buf(struct msm_perf_state *perf) =20 if ((perf->cnt++ % 32) =3D=3D 0) { /* Header line: */ - n =3D snprintf(ptr, rem, "%%BUSY"); + n =3D scnprintf(ptr, rem, "%%BUSY"); ptr +=3D n; rem -=3D n; =20 for (i =3D 0; i < gpu->num_perfcntrs; i++) { const struct msm_gpu_perfcntr *perfcntr =3D &gpu->perfcntrs[i]; - n =3D snprintf(ptr, rem, "\t%s", perfcntr->name); + n =3D scnprintf(ptr, rem, "\t%s", perfcntr->name); ptr +=3D n; rem -=3D n; } @@ -93,21 +93,21 @@ static int refill_buf(struct msm_perf_state *perf) return ret; =20 val =3D totaltime ? 1000 * activetime / totaltime : 0; - n =3D snprintf(ptr, rem, "%3d.%d%%", val / 10, val % 10); + n =3D scnprintf(ptr, rem, "%3d.%d%%", val / 10, val % 10); ptr +=3D n; rem -=3D n; =20 for (i =3D 0; i < ret; i++) { /* cycle counters (I think).. convert to MHz.. */ val =3D cntrs[i] / 10000; - n =3D snprintf(ptr, rem, "\t%5d.%02d", + n =3D scnprintf(ptr, rem, "\t%5d.%02d", val / 100, val % 100); ptr +=3D n; rem -=3D n; } } =20 - n =3D snprintf(ptr, rem, "\n"); + n =3D scnprintf(ptr, rem, "\n"); ptr +=3D n; rem -=3D n; =20 --=20 2.52.0
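
Review bot: In the first hunk's header loop over `gpu->num_perfcntrs`, truncation is now silent. Once `rem` has dropped to 1, every further `scnprintf(ptr, rem, "\t%s", perfcntr->name)` returns 0 and the loop keeps iterating without writing anything, so the header can end in the middle of a name with no sign that columns were dropped. Consider leaving the loop when `rem <= 1`, or adding a comment next to the loop that records the sizing assumption the commit message relies on (`num_perfcntrs` fixed at 5).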
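
Review bot: The last changed line of the second hunk, `n = scnprintf(ptr, rem, "\n");`, can now write nothing. If the preceding fields have already filled the buffer, `scnprintf` returns 0 and the row goes out without its terminating newline, so it runs into the next sample row. Suggest reserving the final byte for the newline (for example by passing `rem - 1` to the earlier calls) or checking `n` at this point and handling the full-buffer case explicitly.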
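
The return-value difference the commit message describes, as an added user-space example that is not part of the patch or of the kernel source. `my_scnprintf`, `append_fields`, `final_rem`, the 16-byte buffer and the field text are assumptions made for illustration; the loop stops before the call that would receive a negative `rem`, so nothing is written out of bounds here.

```c
#include <stdarg.h>
#include <stddef.h>
#include <stdio.h>

/* User-space stand-in for the kernel's scnprintf(): returns the number of
 * characters actually stored (excluding the NUL), at most size - 1. */
static int my_scnprintf(char *buf, size_t size, const char *fmt, ...)
{
	va_list ap;
	int n;
	if (size == 0)
		return 0;
	va_start(ap, fmt);
	n = vsnprintf(buf, size, fmt, ap);
	va_end(ap);
	if (n < 0)
		return 0;
	return (size_t)n >= size ? (int)(size - 1) : n;
}

/* Append a constructed 13-character field `count` times, tracking the
 * remaining space the way refill_buf() does. Returns the final rem.
 * The loop stops once rem is negative instead of making the next call,
 * which is the call that would receive rem as a huge size_t. */
static int append_fields(char *buf, int size, int count, int use_scn)
{
	int off = 0, rem = size, n, i;
	for (i = 0; i < count && rem >= 0; i++) {
		if (use_scn)
			n = my_scnprintf(buf + off, (size_t)rem, "\t%s", "COUNTER_NAME");
		else
			n = snprintf(buf + off, (size_t)rem, "\t%s", "COUNTER_NAME");
		off += n;	/* snprintf: counts characters that were never stored */
		rem -= n;
	}
	return rem;
}

/* Three fields into a 16-byte buffer, with either function. */
int final_rem(int use_scn)
{
	char buf[16];
	return append_fields(buf, (int)sizeof(buf), 3, use_scn);
}

int main(void)
{
	printf("snprintf: rem=%d, scnprintf: rem=%d\n", final_rem(0), final_rem(1));
	return 0;
}
```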