RE: [Intel-wired-lan] [PATCH] i40e: replace snprintf() with scnprintf()
From: Loktionov, Aleksandr
Date: Tue Jul 22 2025 - 11:57:34 EST
> -----Original Message-----
> From: Intel-wired-lan <intel-wired-lan-bounces@xxxxxxxxxx> On Behalf
> Of Amir Mohammad Jahangirzad
> Sent: Tuesday, July 22, 2025 1:50 PM
> To: Nguyen, Anthony L <anthony.l.nguyen@xxxxxxxxx>; Kitszel,
> Przemyslaw <przemyslaw.kitszel@xxxxxxxxx>; andrew+netdev@xxxxxxx;
> davem@xxxxxxxxxxxxx; edumazet@xxxxxxxxxx; kuba@xxxxxxxxxx;
> pabeni@xxxxxxxxxx
> Cc: intel-wired-lan@xxxxxxxxxxxxxxxx; netdev@xxxxxxxxxxxxxxx; linux-
> kernel@xxxxxxxxxxxxxxx; Amir Mohammad Jahangirzad
> <a.jahangirzad@xxxxxxxxx>
> Subject: [Intel-wired-lan] [PATCH] i40e: replace snprintf() with
> scnprintf()
>
> In i40e_dbg_command_read(), a 256-byte buffer is allocated and filled
> using snprintf(), then copied to userspace via copy_to_user().
>
> The issue is that snprintf() returns the number of characters that
> *would* have been written, not the number that actually fit in the
> buffer.
> If the combined length of the netdev name and i40e_dbg_command_buf is
> long (e.g. 288 + 3 bytes), snprintf() still returns 291 - even though
> only 256 bytes were written.
>
> This value is passed to copy_to_user(), which may read past the end of
> the buffer and leak kernel memory to userspace.
>
> Replacing snprintf() with scnprintf() fixes this. It returns the
> actual number of bytes written, ensuring we only copy valid data.
>
Can you add a 'Fixes:' tag?
And I think this patch should be directed to [Intel-wired-lan] [PATCH iwl-net],
to be backported to all LTS kernels.
> Signed-off-by: Amir Mohammad Jahangirzad <a.jahangirzad@xxxxxxxxx>
> ---
> drivers/net/ethernet/intel/i40e/i40e_debugfs.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/net/ethernet/intel/i40e/i40e_debugfs.c
> b/drivers/net/ethernet/intel/i40e/i40e_debugfs.c
> index 6cd9da662ae1..19a78052800f 100644
> --- a/drivers/net/ethernet/intel/i40e/i40e_debugfs.c
> +++ b/drivers/net/ethernet/intel/i40e/i40e_debugfs.c
> @@ -70,7 +70,7 @@ static ssize_t i40e_dbg_command_read(struct file
> *filp, char __user *buffer,
> return -ENOSPC;
>
> main_vsi = i40e_pf_get_main_vsi(pf);
> - len = snprintf(buf, buf_size, "%s: %s\n", main_vsi->netdev-
> >name,
> + len = scnprintf(buf, buf_size, "%s: %s\n", main_vsi->netdev-
> >name,
> i40e_dbg_command_buf);
>
> bytes_not_copied = copy_to_user(buffer, buf, len);
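Review bot: two things on this hunk: the commit needs a Fixes: tag naming the change that introduced this snprintf()/copy_to_user() pairing (as asked above), and the commit message should state that an over-long "%s: %s\n" line is now silently cut at buf_size rather than over-read, since scnprintf() returns the bytes actually stored in buf (at most buf_size - 1, excluding the NUL), so len can no longer exceed buf_size when it reaches copy_to_user().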
> --
> 2.43.0
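As an added example (not the driver's or the patch author's code), the user-space model below reproduces the length mismatch the commit message describes: scn_format() is assumed to mirror the kernel scnprintf() return contract, and the 256-byte buffer, the "eth0" name and the 288-byte command are constructed inputs.

```c
/* Added example (not the driver's code): a user-space model of the length
 * bug in i40e_dbg_command_read(). scn_format() reimplements the kernel
 * scnprintf() return contract, since libc lacks it; the inputs are constructed. */
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define DEMO_BUF_SIZE 256   /* buf_size in the driver */
#define DEMO_CMD_LEN  288   /* over-long i40e_dbg_command_buf contents */

/* Like kernel scnprintf(): bytes stored, excluding the NUL, never >= size. */
static int scn_format(char *buf, size_t size, const char *fmt, ...)
{
    va_list ap;
    int n;

    if (size == 0)
        return 0;
    va_start(ap, fmt);
    n = vsnprintf(buf, size, fmt, ap);
    va_end(ap);
    if (n < 0)
        return 0;
    return (size_t)n < size ? n : (int)(size - 1);
}

/* Length that would be handed to copy_to_user(): with use_scn == 0 the
 * old snprintf() value (what *would* have fit), with use_scn == 1 the
 * patched scnprintf() value (what is actually in buf). */
int demo_len(int use_scn)
{
    char buf[DEMO_BUF_SIZE];
    char cmd[DEMO_CMD_LEN + 1];

    memset(cmd, 'x', DEMO_CMD_LEN);          /* constructed command text */
    cmd[DEMO_CMD_LEN] = '\0';
    if (use_scn)
        return scn_format(buf, sizeof buf, "%s: %s\n", "eth0", cmd);
    return snprintf(buf, sizeof buf, "%s: %s\n", "eth0", cmd);
}

/* 1 if copying len bytes out of a buf_size-byte buffer reads past it. */
int would_overread(int len, size_t buf_size)
{
    return len < 0 || (size_t)len > buf_size;
}
```

With the old call demo_len(0) returns 295 for a 256-byte buffer, which would_overread() flags; the patched call returns 255, the bytes that are really in the buffer.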