On Mon, Oct 11, 2010 at 09:45:02PM +0200, Dan Carpenter wrote:
On Mon, Oct 11, 2010 at 07:51:48PM +0100, Mark Brown wrote:
In actual fact quite a few devices have enough registers to be truncated, meaning that it's not only possible but likely we'll exercise the cases that deal with the end of buffer. If snprintf() is returning values larger than buffer size it was given we're likely to have an issue but it seems that there's something missing in your analysis since we're never seeing WARN_ON()s and are instead seeing the behaviour the code is intended to give, which is to truncate the output when we run out of space.
Could you re-check your analysis, please?
That's odd. I'm sorry, I can't explain why you wouldn't see a stack trace... The code is straight forward:
/* Reject out-of-range values early. Large positive sizes are used for unknown buffer sizes. */ if (WARN_ON_ONCE((int) size < 0)) return 0;It would still give you truncated output but after the NULL terminator there would be information leaked from the kernel. If the reader program had allocated a large enough buffer to handle the extra information it wouldn't cause a problem.
Actually it will never cause a problem with userspace because we pass the size of the userspace buffer to the kernel. The only issues are the information leak if the user passes in a 8k buffer and the also the WARN_ON_ONCE()
regards, dan carpenter