Date: Wed, 24 Dec 2025 12:44:22 +0000
To: Dmitry Baryshkov, Rob Clark
From: veygax
Cc: Abhinav Kumar, Jessica Zhang, Sean Paul, Marijn Suijten, David Airlie, Simona Vetter, linux-arm-msm@vger.kernel.org, dri-devel@lists.freedesktop.org, freedreno@lists.freedesktop.org, linux-kernel@vger.kernel.org, Evan Lambert
Subject: [PATCH v2] drm/msm: Replace unsafe snprintf usage with scnprintf
Message-ID: <20251224124254.17920-3-veyga@veygax.dev>
X-Mailing-List: linux-kernel@vger.kernel.org

From: Evan Lambert

The refill_buf function uses snprintf to append to a fixed-size buffer.
snprintf returns the length that would have been written, which can
exceed the remaining buffer size. If this happens, ptr advances beyond
the buffer and rem becomes negative. In the 2nd iteration, rem is
treated as a large unsigned integer, causing snprintf to write oob.

While this behavior is technically mitigated by num_perfcntrs being
locked at 5, it's still unsafe if num_perfcntrs were ever to change/a
second source was added.

Signed-off-by: Evan Lambert
Reviewed-by: Dmitry Baryshkov
---
v2: Use real name in Signed-off-by as requested by Dmitry Baryshkov.

 drivers/gpu/drm/msm/msm_perf.c | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/drivers/gpu/drm/msm/msm_perf.c b/drivers/gpu/drm/msm/msm_perf.c
index d3c7889aaf26..c369d4acc378 100644
--- a/drivers/gpu/drm/msm/msm_perf.c +++ b/drivers/gpu/drm/msm/msm_perf.c @@ -65,13 +65,13 @@ static int refill_buf(struct msm_perf_state *perf) =20 if ((perf->cnt++ % 32) =3D=3D 0) { /* Header line: */ - n =3D snprintf(ptr, rem, "%%BUSY"); + n =3D scnprintf(ptr, rem, "%%BUSY"); ptr +=3D n; rem -=3D n; =20 for (i =3D 0; i < gpu->num_perfcntrs; i++) { const struct msm_gpu_perfcntr *perfcntr =3D &gpu->perfcntrs[i]; - n =3D snprintf(ptr, rem, "\t%s", perfcntr->name); + n =3D scnprintf(ptr, rem, "\t%s", perfcntr->name); ptr +=3D n; rem -=3D n; } @@ -93,21 +93,21 @@ static int refill_buf(struct msm_perf_state *perf) return ret; =20 val =3D totaltime ? 1000 * activetime / totaltime : 0; - n =3D snprintf(ptr, rem, "%3d.%d%%", val / 10, val % 10); + n =3D scnprintf(ptr, rem, "%3d.%d%%", val / 10, val % 10); ptr +=3D n; rem -=3D n; =20 for (i =3D 0; i < ret; i++) { /* cycle counters (I think).. convert to MHz.. */ val =3D cntrs[i] / 10000; - n =3D snprintf(ptr, rem, "\t%5d.%02d", + n =3D scnprintf(ptr, rem, "\t%5d.%02d", val / 100, val % 100); ptr +=3D n; rem -=3D n; } } =20 - n =3D snprintf(ptr, rem, "\n"); + n =3D scnprintf(ptr, rem, "\n"); ptr +=3D n; rem -=3D n; =20 --=20 2.52.0
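Review bot: in the header hunk (@@ -65), switching to scnprintf() makes the `ptr += n; rem -= n;` bookkeeping bounds-safe, but truncation is now silent: once `rem` has dropped to 1, every further `n = scnprintf(ptr, rem, "\t%s", perfcntr->name);` returns 0 and the remaining counter names are quietly dropped, so the header line can list fewer columns than num_perfcntrs without any signal to the caller. Consider checking `rem` after the loop (for example treating `rem <= 1` as an error or WARN_ON_ONCE) so that a buffer that is too small for the configured counters is reported rather than producing a misaligned header. It would also help to state in the commit message that the behaviour on overflow changes from an out-of-bounds write to silent truncation.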
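Review bot: in the sample hunk (@@ -93), the trailing `n = scnprintf(ptr, rem, "\n");` can now return 0 when the buffer is already full (rem == 1), so a truncated sample line is emitted without its terminating newline while `ptr` and `rem` still look consistent. Since the hunk already tracks `rem`, a cheap fix is to reserve one byte for the newline, e.g. stop the counter loop when `rem` reaches 2, or to return an error when `rem` hits 1 before the newline is written, so that a too-small buffer cannot yield a line that is missing its terminator.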
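The bookkeeping difference the commit message describes (snprintf returning the would-be length versus scnprintf returning the bytes actually stored), shown as an added userspace C example that is not part of the patch or of the msm driver. `scnprintf_like()` is an assumption-labelled re-implementation of the kernel's scnprintf() return contract, `fill_with_snprintf()` and `fill_with_scnprintf()` are hypothetical mirrors of the ptr/rem pattern in refill_buf() fed with constructed counter names, and the snprintf variant carries an extra guard, absent from the original, that stops the moment `rem` goes negative so the demonstration itself never writes out of bounds.

```c
#include <stdarg.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumption: userspace re-implementation of the kernel scnprintf()
 * return contract: the number of characters actually stored, excluding
 * the NUL, and 0 when size is 0. A plain snprintf() returns the length
 * that *would* have been written instead. */
static int scnprintf_like(char *buf, size_t size, const char *fmt, ...)
{
	va_list args;
	int i;

	if (size == 0)
		return 0;
	va_start(args, fmt);
	i = vsnprintf(buf, size, fmt, args);
	va_end(args);
	if (i < 0)
		return 0;
	if ((size_t)i < size)
		return i;
	return (int)size - 1;
}

/* What the caller's own ptr/rem bookkeeping looks like after a fill. */
struct fill_result {
	int rem;      /* bytes the code believes are still free */
	long offset;  /* ptr - buf after the last append */
	int writes;   /* append calls actually performed */
};

/* Hypothetical mirror of refill_buf()'s header path with the unpatched
 * snprintf(): "%BUSY", one "\t<name>" per counter, then "\n".
 * The (rem > 0) guards are NOT in the original; they stop before the
 * call that would receive the negative rem as a huge size_t. */
static struct fill_result fill_with_snprintf(char *buf, size_t bufsize,
					     const char **names, int ncnt)
{
	struct fill_result r = { 0, 0, 0 };
	char *ptr = buf;
	int rem = (int)bufsize;
	int n, i;

	n = snprintf(ptr, rem, "%%BUSY");
	ptr += n; rem -= n; r.writes++;
	for (i = 0; i < ncnt && rem > 0; i++) {
		/* First overflowing call: stays in bounds, but returns the
		 * full length, so ptr overshoots and rem goes negative. */
		n = snprintf(ptr, rem, "\t%s", names[i]);
		ptr += n; rem -= n; r.writes++;
	}
	if (rem > 0) {
		n = snprintf(ptr, rem, "\n");
		ptr += n; rem -= n; r.writes++;
	}
	r.rem = rem;
	r.offset = (long)(ptr - buf);
	return r;
}

/* Same path with the patched semantics: n never exceeds rem - 1, so
 * rem bottoms out at 1 and ptr never leaves the buffer. Output is
 * truncated silently instead. */
static struct fill_result fill_with_scnprintf(char *buf, size_t bufsize,
					      const char **names, int ncnt)
{
	struct fill_result r = { 0, 0, 0 };
	char *ptr = buf;
	int rem = (int)bufsize;
	int n, i;

	n = scnprintf_like(ptr, rem, "%%BUSY");
	ptr += n; rem -= n; r.writes++;
	for (i = 0; i < ncnt; i++) {
		n = scnprintf_like(ptr, rem, "\t%s", names[i]);
		ptr += n; rem -= n; r.writes++;
	}
	n = scnprintf_like(ptr, rem, "\n");
	ptr += n; rem -= n; r.writes++;
	r.rem = rem;
	r.offset = (long)(ptr - buf);
	return r;
}

/* Constructed sample counter names (not the driver's real perfcntrs). */
static const char *demo_names[] = { "PERF_A", "PERF_B", "PERF_C", "PERF_D", "PERF_E" };
#define DEMO_COUNTERS 5

/* Backing store larger than any bufsize used below, so even the
 * snprintf variant's overshot ptr stays inside a real object. */
static char demo_buf[64];

/* Run one variant against a pretend buffer of bufsize bytes. */
static struct fill_result demo_fill(int use_scnprintf, size_t bufsize)
{
	memset(demo_buf, 0, sizeof(demo_buf));
	if (use_scnprintf)
		return fill_with_scnprintf(demo_buf, bufsize, demo_names, DEMO_COUNTERS);
	return fill_with_snprintf(demo_buf, bufsize, demo_names, DEMO_COUNTERS);
}

static const char *demo_text(void)
{
	return demo_buf;
}

int main(void)
{
	struct fill_result r = demo_fill(0, 16);

	printf("snprintf,  16-byte buffer: rem=%d ptr-buf=%ld writes=%d (rem as size_t: %zu)\n",
	       r.rem, r.offset, r.writes, (size_t)r.rem);
	r = demo_fill(1, 16);
	printf("scnprintf, 16-byte buffer: rem=%d ptr-buf=%ld writes=%d text=\"%s\"\n",
	       r.rem, r.offset, r.writes, demo_text());
	return 0;
}
```

With a 16-byte buffer the snprintf variant ends its second counter write with `rem == -3` and `ptr` 19 bytes past the start of a 16-byte region; the next call in the unguarded original would pass that -3 as a size_t of roughly SIZE_MAX, which is the out-of-bounds write the commit message describes. The scnprintf variant finishes all seven appends with `rem == 1`, `ptr` at offset 15 and a NUL-terminated, truncated line, which is safe but shows why a caller that cares about complete lines still has to check `rem` itself.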