1. Patchew
  2. linux
  3. View series

[PATCH RESEND] m68k: emu: Replace unbounded sprintf in nfhd_init_one

Thorsten Blum posted 1 patch 2 weeks, 5 days ago 
arch/m68k/emu/nfblock.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
[PATCH RESEND] m68k: emu: Replace unbounded sprintf in nfhd_init_one
Posted by Thorsten Blum 2 weeks, 5 days ago 
Replace unbounded sprintf() with the safer snprintf().

Signed-off-by: Thorsten Blum <thorsten.blum@linux.dev>
---
 arch/m68k/emu/nfblock.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/arch/m68k/emu/nfblock.c b/arch/m68k/emu/nfblock.c
index 93536cf2a38e..fa6256c5af22 100644
--- a/arch/m68k/emu/nfblock.c
+++ b/arch/m68k/emu/nfblock.c
@@ -132,7 +132,8 @@ static int __init nfhd_init_one(int id, u32 blocks, u32 bsize)
 	dev->disk->minors = 16;
 	dev->disk->fops = &nfhd_ops;
 	dev->disk->private_data = dev;
-	sprintf(dev->disk->disk_name, "nfhd%u", dev_id);
+	snprintf(dev->disk->disk_name, sizeof(dev->disk->disk_name), "nfhd%u",
+		 dev_id);
 	set_capacity(dev->disk, (sector_t)blocks * (bsize / 512));
 	err = add_disk(dev->disk);
 	if (err)
Re: [PATCH RESEND] m68k: emu: Replace unbounded sprintf in nfhd_init_one
Posted by Geert Uytterhoeven 1 week ago 
On Wed, 18 Mar 2026 at 01:17, Thorsten Blum <thorsten.blum@linux.dev> wrote:
> Replace unbounded sprintf() with the safer snprintf().
>
> Signed-off-by: Thorsten Blum <thorsten.blum@linux.dev>

Reviewed-by: Geert Uytterhoeven <geert@linux-m68k.org>
i.e. will queue in the m68k tree for v7.1.

Gr{oetje,eeting}s,

                        Geert

-- 
Geert Uytterhoeven -- There's lots of Linux beyond ia32 -- geert@linux-m68k.org

In personal conversations with technical people, I call myself a hacker. But
when I'm talking to journalists I just say "programmer" or something like that.
                                -- Linus Torvalds
Re: [PATCH RESEND] m68k: emu: Replace unbounded sprintf in nfhd_init_one
Posted by Kees Cook 2 weeks, 2 days ago 
On Wed, Mar 18, 2026 at 01:16:33AM +0100, Thorsten Blum wrote:
> Replace unbounded sprintf() with the safer snprintf().
> 
> Signed-off-by: Thorsten Blum <thorsten.blum@linux.dev>
> ---
>  arch/m68k/emu/nfblock.c | 3 ++-
>  1 file changed, 2 insertions(+), 1 deletion(-)
> 
> diff --git a/arch/m68k/emu/nfblock.c b/arch/m68k/emu/nfblock.c
> index 93536cf2a38e..fa6256c5af22 100644
> --- a/arch/m68k/emu/nfblock.c
> +++ b/arch/m68k/emu/nfblock.c
> @@ -132,7 +132,8 @@ static int __init nfhd_init_one(int id, u32 blocks, u32 bsize)
>  	dev->disk->minors = 16;
>  	dev->disk->fops = &nfhd_ops;
>  	dev->disk->private_data = dev;
> -	sprintf(dev->disk->disk_name, "nfhd%u", dev_id);
> +	snprintf(dev->disk->disk_name, sizeof(dev->disk->disk_name), "nfhd%u",
> +		 dev_id);
>  	set_capacity(dev->disk, (sector_t)blocks * (bsize / 512));
>  	err = add_disk(dev->disk);
>  	if (err)

This one falls into a "currently impossible" category:

        for (i = NFHD_DEV_OFFSET; i < 24; i++) {
                if (nfhd_get_capacity(i, 0, &blocks, &bsize))
                        continue;
                nfhd_init_one(i, blocks, bsize);

static int __init nfhd_init_one(int id, u32 blocks, u32 bsize)
{
	...
        int dev_id = id - NFHD_DEV_OFFSET;
	...
        sprintf(dev->disk->disk_name, "nfhd%u", dev_id);

I'd almost prefer to see "id" bounds checked prior to the dev_id
calculation (in some unlikely future where "id" isn't
NFHD_DEV_OFFSET-based).

#define DISK_NAME_LEN                   32
...
        char disk_name[DISK_NAME_LEN];  /* name of major driver */

The largest the %u could get would be 10 digits, so it'll always be in
bounds.

But there's no harm in the change:

Reviewed-by: Kees Cook <kees@kernel.org>


-- 
Kees Cook

Patchew 2.1-devel-ea86937

© 2016 - 2026 Red Hat, Inc.