diff mbox

[for-2.11,04/26] spapr_drc: use g_strdup_printf() instead of snprintf()

Message ID 150100553345.27487.10049014405920351882.stgit@bahia
State New
Headers show

Commit Message

Greg Kurz July 25, 2017, 5:58 p.m. UTC 
Passing a stack allocated buffer of arbitrary length to snprintf()
without checking the return value can cause the resultant strings
to be silently truncated.

Signed-off-by: Greg Kurz <groug@kaod.org>
---
 hw/ppc/spapr_drc.c |   15 +++++++++------
 1 file changed, 9 insertions(+), 6 deletions(-)

Comments

David Gibson July 26, 2017, 3:58 a.m. UTC | #1 
On Tue, Jul 25, 2017 at 07:58:53PM +0200, Greg Kurz wrote:
> Passing a stack allocated buffer of arbitrary length to snprintf()
> without checking the return value can cause the resultant strings
> to be silently truncated.
> 
> Signed-off-by: Greg Kurz <groug@kaod.org>

Applied to ppc-for-2.11.

> ---
>  hw/ppc/spapr_drc.c |   15 +++++++++------
>  1 file changed, 9 insertions(+), 6 deletions(-)
> 
> diff --git a/hw/ppc/spapr_drc.c b/hw/ppc/spapr_drc.c
> index 15bae5c216a9..e4e8383ec7b5 100644
> --- a/hw/ppc/spapr_drc.c
> +++ b/hw/ppc/spapr_drc.c
> @@ -488,7 +488,7 @@ static void realize(DeviceState *d, Error **errp)
>  {
>      sPAPRDRConnector *drc = SPAPR_DR_CONNECTOR(d);
>      Object *root_container;
> -    char link_name[256];
> +    gchar *link_name;
>      gchar *child_name;
>      Error *err = NULL;
>  
> @@ -501,11 +501,12 @@ static void realize(DeviceState *d, Error **errp)
>       * existing in the composition tree
>       */
>      root_container = container_get(object_get_root(), DRC_CONTAINER_PATH);
> -    snprintf(link_name, sizeof(link_name), "%x", spapr_drc_index(drc));
> +    link_name = g_strdup_printf("%x", spapr_drc_index(drc));
>      child_name = object_get_canonical_path_component(OBJECT(drc));
>      trace_spapr_drc_realize_child(spapr_drc_index(drc), child_name);
>      object_property_add_alias(root_container, link_name,
>                                drc->owner, child_name, &err);
> +    g_free(link_name);
>      if (err) {
>          error_report_err(err);
>          object_unref(OBJECT(drc));
> @@ -521,13 +522,14 @@ static void unrealize(DeviceState *d, Error **errp)
>  {
>      sPAPRDRConnector *drc = SPAPR_DR_CONNECTOR(d);
>      Object *root_container;
> -    char name[256];
> +    gchar *name;
>      Error *err = NULL;
>  
>      trace_spapr_drc_unrealize(spapr_drc_index(drc));
>      root_container = container_get(object_get_root(), DRC_CONTAINER_PATH);
> -    snprintf(name, sizeof(name), "%x", spapr_drc_index(drc));
> +    name = g_strdup_printf("%x", spapr_drc_index(drc));
>      object_property_del(root_container, name, &err);
> +    g_free(name);
>      if (err) {
>          error_report_err(err);
>          object_unref(OBJECT(drc));
> @@ -729,10 +731,11 @@ static const TypeInfo spapr_drc_lmb_info = {
>  sPAPRDRConnector *spapr_drc_by_index(uint32_t index)
>  {
>      Object *obj;
> -    char name[256];
> +    gchar *name;
>  
> -    snprintf(name, sizeof(name), "%s/%x", DRC_CONTAINER_PATH, index);
> +    name = g_strdup_printf("%s/%x", DRC_CONTAINER_PATH, index);
>      obj = object_resolve_path(name, NULL);
> +    g_free(name);
>  
>      return !obj ? NULL : SPAPR_DR_CONNECTOR(obj);
>  }
>
Philippe Mathieu-Daudé July 31, 2017, 10:11 a.m. UTC | #2 
Hi David,

On 07/26/2017 12:58 AM, David Gibson wrote:
> On Tue, Jul 25, 2017 at 07:58:53PM +0200, Greg Kurz wrote:
>> Passing a stack allocated buffer of arbitrary length to snprintf()
>> without checking the return value can cause the resultant strings
>> to be silently truncated.
>>
>> Signed-off-by: Greg Kurz <groug@kaod.org>
> 
> Applied to ppc-for-2.11.

Isn't it 2.10 material?

Regards,

Phil.

> 
>> ---
>>   hw/ppc/spapr_drc.c |   15 +++++++++------
>>   1 file changed, 9 insertions(+), 6 deletions(-)
>>
>> diff --git a/hw/ppc/spapr_drc.c b/hw/ppc/spapr_drc.c
>> index 15bae5c216a9..e4e8383ec7b5 100644
>> --- a/hw/ppc/spapr_drc.c
>> +++ b/hw/ppc/spapr_drc.c
>> @@ -488,7 +488,7 @@ static void realize(DeviceState *d, Error **errp)
>>   {
>>       sPAPRDRConnector *drc = SPAPR_DR_CONNECTOR(d);
>>       Object *root_container;
>> -    char link_name[256];
>> +    gchar *link_name;
>>       gchar *child_name;
>>       Error *err = NULL;
>>   
>> @@ -501,11 +501,12 @@ static void realize(DeviceState *d, Error **errp)
>>        * existing in the composition tree
>>        */
>>       root_container = container_get(object_get_root(), DRC_CONTAINER_PATH);
>> -    snprintf(link_name, sizeof(link_name), "%x", spapr_drc_index(drc));
>> +    link_name = g_strdup_printf("%x", spapr_drc_index(drc));
>>       child_name = object_get_canonical_path_component(OBJECT(drc));
>>       trace_spapr_drc_realize_child(spapr_drc_index(drc), child_name);
>>       object_property_add_alias(root_container, link_name,
>>                                 drc->owner, child_name, &err);
>> +    g_free(link_name);
>>       if (err) {
>>           error_report_err(err);
>>           object_unref(OBJECT(drc));
>> @@ -521,13 +522,14 @@ static void unrealize(DeviceState *d, Error **errp)
>>   {
>>       sPAPRDRConnector *drc = SPAPR_DR_CONNECTOR(d);
>>       Object *root_container;
>> -    char name[256];
>> +    gchar *name;
>>       Error *err = NULL;
>>   
>>       trace_spapr_drc_unrealize(spapr_drc_index(drc));
>>       root_container = container_get(object_get_root(), DRC_CONTAINER_PATH);
>> -    snprintf(name, sizeof(name), "%x", spapr_drc_index(drc));
>> +    name = g_strdup_printf("%x", spapr_drc_index(drc));
>>       object_property_del(root_container, name, &err);
>> +    g_free(name);
>>       if (err) {
>>           error_report_err(err);
>>           object_unref(OBJECT(drc));
>> @@ -729,10 +731,11 @@ static const TypeInfo spapr_drc_lmb_info = {
>>   sPAPRDRConnector *spapr_drc_by_index(uint32_t index)
>>   {
>>       Object *obj;
>> -    char name[256];
>> +    gchar *name;
>>   
>> -    snprintf(name, sizeof(name), "%s/%x", DRC_CONTAINER_PATH, index);
>> +    name = g_strdup_printf("%s/%x", DRC_CONTAINER_PATH, index);
>>       obj = object_resolve_path(name, NULL);
>> +    g_free(name);
>>   
>>       return !obj ? NULL : SPAPR_DR_CONNECTOR(obj);
>>   }
>>
>
Greg Kurz July 31, 2017, 10:34 a.m. UTC | #3 
On Mon, 31 Jul 2017 07:11:45 -0300
Philippe Mathieu-Daudé <f4bug@amsat.org> wrote:

> Hi David,
> 
> On 07/26/2017 12:58 AM, David Gibson wrote:
> > On Tue, Jul 25, 2017 at 07:58:53PM +0200, Greg Kurz wrote:  
> >> Passing a stack allocated buffer of arbitrary length to snprintf()
> >> without checking the return value can cause the resultant strings
> >> to be silently truncated.
> >>
> >> Signed-off-by: Greg Kurz <groug@kaod.org>  
> > 
> > Applied to ppc-for-2.11.  
> 
> Isn't it 2.10 material?
> 

Hi Philippe,

Well... this patch doesn't fix any bug actually since the stack buffers
are large enough. It is more a question of coding style.

Something like below would have been more appropriate I guess:

"Building strings with g_strdup_printf() is a QEMU common practice."

No big deal.

Cheers,

--
Greg

> Regards,
> 
> Phil.
> 
> >   
> >> ---
> >>   hw/ppc/spapr_drc.c |   15 +++++++++------
> >>   1 file changed, 9 insertions(+), 6 deletions(-)
> >>
> >> diff --git a/hw/ppc/spapr_drc.c b/hw/ppc/spapr_drc.c
> >> index 15bae5c216a9..e4e8383ec7b5 100644
> >> --- a/hw/ppc/spapr_drc.c
> >> +++ b/hw/ppc/spapr_drc.c
> >> @@ -488,7 +488,7 @@ static void realize(DeviceState *d, Error **errp)
> >>   {
> >>       sPAPRDRConnector *drc = SPAPR_DR_CONNECTOR(d);
> >>       Object *root_container;
> >> -    char link_name[256];
> >> +    gchar *link_name;
> >>       gchar *child_name;
> >>       Error *err = NULL;
> >>   
> >> @@ -501,11 +501,12 @@ static void realize(DeviceState *d, Error **errp)
> >>        * existing in the composition tree
> >>        */
> >>       root_container = container_get(object_get_root(), DRC_CONTAINER_PATH);
> >> -    snprintf(link_name, sizeof(link_name), "%x", spapr_drc_index(drc));
> >> +    link_name = g_strdup_printf("%x", spapr_drc_index(drc));
> >>       child_name = object_get_canonical_path_component(OBJECT(drc));
> >>       trace_spapr_drc_realize_child(spapr_drc_index(drc), child_name);
> >>       object_property_add_alias(root_container, link_name,
> >>                                 drc->owner, child_name, &err);
> >> +    g_free(link_name);
> >>       if (err) {
> >>           error_report_err(err);
> >>           object_unref(OBJECT(drc));
> >> @@ -521,13 +522,14 @@ static void unrealize(DeviceState *d, Error **errp)
> >>   {
> >>       sPAPRDRConnector *drc = SPAPR_DR_CONNECTOR(d);
> >>       Object *root_container;
> >> -    char name[256];
> >> +    gchar *name;
> >>       Error *err = NULL;
> >>   
> >>       trace_spapr_drc_unrealize(spapr_drc_index(drc));
> >>       root_container = container_get(object_get_root(), DRC_CONTAINER_PATH);
> >> -    snprintf(name, sizeof(name), "%x", spapr_drc_index(drc));
> >> +    name = g_strdup_printf("%x", spapr_drc_index(drc));
> >>       object_property_del(root_container, name, &err);
> >> +    g_free(name);
> >>       if (err) {
> >>           error_report_err(err);
> >>           object_unref(OBJECT(drc));
> >> @@ -729,10 +731,11 @@ static const TypeInfo spapr_drc_lmb_info = {
> >>   sPAPRDRConnector *spapr_drc_by_index(uint32_t index)
> >>   {
> >>       Object *obj;
> >> -    char name[256];
> >> +    gchar *name;
> >>   
> >> -    snprintf(name, sizeof(name), "%s/%x", DRC_CONTAINER_PATH, index);
> >> +    name = g_strdup_printf("%s/%x", DRC_CONTAINER_PATH, index);
> >>       obj = object_resolve_path(name, NULL);
> >> +    g_free(name);
> >>   
> >>       return !obj ? NULL : SPAPR_DR_CONNECTOR(obj);
> >>   }
> >>  
> >
David Gibson July 31, 2017, 12:53 p.m. UTC | #4 
On Mon, Jul 31, 2017 at 12:34:41PM +0200, Greg Kurz wrote:
> On Mon, 31 Jul 2017 07:11:45 -0300
> Philippe Mathieu-Daudé <f4bug@amsat.org> wrote:
> 
> > Hi David,
> > 
> > On 07/26/2017 12:58 AM, David Gibson wrote:
> > > On Tue, Jul 25, 2017 at 07:58:53PM +0200, Greg Kurz wrote:  
> > >> Passing a stack allocated buffer of arbitrary length to snprintf()
> > >> without checking the return value can cause the resultant strings
> > >> to be silently truncated.
> > >>
> > >> Signed-off-by: Greg Kurz <groug@kaod.org>  
> > > 
> > > Applied to ppc-for-2.11.  
> > 
> > Isn't it 2.10 material?
> > 
> 
> Hi Philippe,
> 
> Well... this patch doesn't fix any bug actually since the stack buffers
> are large enough. It is more a question of coding style.
> 
> Something like below would have been more appropriate I guess:
> 
> "Building strings with g_strdup_printf() is a QEMU common practice."
> 
> No big deal.

Exactly.  It's not a bugfix, so it doesn't go into 2.10 - we've passed
the hard freeze.
Philippe Mathieu-Daudé July 31, 2017, 2:57 p.m. UTC | #5 
On 07/31/2017 09:53 AM, David Gibson wrote:
> On Mon, Jul 31, 2017 at 12:34:41PM +0200, Greg Kurz wrote:
>> On Mon, 31 Jul 2017 07:11:45 -0300
>> Philippe Mathieu-Daudé <f4bug@amsat.org> wrote:
>>
>>> Hi David,
>>>
>>> On 07/26/2017 12:58 AM, David Gibson wrote:
>>>> On Tue, Jul 25, 2017 at 07:58:53PM +0200, Greg Kurz wrote:
>>>>> Passing a stack allocated buffer of arbitrary length to snprintf()
>>>>> without checking the return value can cause the resultant strings
>>>>> to be silently truncated.
>>>>>
>>>>> Signed-off-by: Greg Kurz <groug@kaod.org>
>>>>
>>>> Applied to ppc-for-2.11.
>>>
>>> Isn't it 2.10 material?
>>>
>>
>> Hi Philippe,
>>
>> Well... this patch doesn't fix any bug actually since the stack buffers
>> are large enough. It is more a question of coding style.
>>
>> Something like below would have been more appropriate I guess:
>>
>> "Building strings with g_strdup_printf() is a QEMU common practice."
>>
>> No big deal.
> 
> Exactly.  It's not a bugfix, so it doesn't go into 2.10 - we've passed
> the hard freeze.

Fair enough :)
diff mbox

Patch

diff --git a/hw/ppc/spapr_drc.c b/hw/ppc/spapr_drc.c
index 15bae5c216a9..e4e8383ec7b5 100644
--- a/hw/ppc/spapr_drc.c
+++ b/hw/ppc/spapr_drc.c
@@ -488,7 +488,7 @@  static void realize(DeviceState *d, Error **errp)
 {
     sPAPRDRConnector *drc = SPAPR_DR_CONNECTOR(d);
     Object *root_container;
-    char link_name[256];
+    gchar *link_name;
     gchar *child_name;
     Error *err = NULL;
 
@@ -501,11 +501,12 @@  static void realize(DeviceState *d, Error **errp)
      * existing in the composition tree
      */
     root_container = container_get(object_get_root(), DRC_CONTAINER_PATH);
-    snprintf(link_name, sizeof(link_name), "%x", spapr_drc_index(drc));
+    link_name = g_strdup_printf("%x", spapr_drc_index(drc));
     child_name = object_get_canonical_path_component(OBJECT(drc));
     trace_spapr_drc_realize_child(spapr_drc_index(drc), child_name);
     object_property_add_alias(root_container, link_name,
                               drc->owner, child_name, &err);
+    g_free(link_name);
     if (err) {
         error_report_err(err);
         object_unref(OBJECT(drc));
@@ -521,13 +522,14 @@  static void unrealize(DeviceState *d, Error **errp)
 {
     sPAPRDRConnector *drc = SPAPR_DR_CONNECTOR(d);
     Object *root_container;
-    char name[256];
+    gchar *name;
     Error *err = NULL;
 
     trace_spapr_drc_unrealize(spapr_drc_index(drc));
     root_container = container_get(object_get_root(), DRC_CONTAINER_PATH);
-    snprintf(name, sizeof(name), "%x", spapr_drc_index(drc));
+    name = g_strdup_printf("%x", spapr_drc_index(drc));
     object_property_del(root_container, name, &err);
+    g_free(name);
     if (err) {
         error_report_err(err);
         object_unref(OBJECT(drc));
@@ -729,10 +731,11 @@  static const TypeInfo spapr_drc_lmb_info = {
 sPAPRDRConnector *spapr_drc_by_index(uint32_t index)
 {
     Object *obj;
-    char name[256];
+    gchar *name;
 
-    snprintf(name, sizeof(name), "%s/%x", DRC_CONTAINER_PATH, index);
+    name = g_strdup_printf("%s/%x", DRC_CONTAINER_PATH, index);
     obj = object_resolve_path(name, NULL);
+    g_free(name);
 
     return !obj ? NULL : SPAPR_DR_CONNECTOR(obj);
 }