[PATCH 1/5] usb: mtu3: fix coverity of string buffer

Chunfeng Yun chunfeng.yun at mediatek.com
Sun Jul 10 23:39:10 PDT 2022


On Fri, 2022-07-08 at 09:26 +0200, Greg Kroah-Hartman wrote:
> On Fri, Jul 08, 2022 at 03:18:59PM +0800, Chunfeng Yun wrote:
> > Use snprintf instead of sprintf which could cause buffer overflow.
> 
> How can it cause an overflow?
Maybe I didn't describe it clearly, this patch is used to fix coverity
check warning of string buffer, in fact no overflow happens.

> 
> > 
> > Signed-off-by: Chunfeng Yun <chunfeng.yun at mediatek.com>
> > ---
> >  drivers/usb/mtu3/mtu3.h         | 4 +++-
> >  drivers/usb/mtu3/mtu3_debugfs.c | 2 +-
> >  drivers/usb/mtu3/mtu3_gadget.c  | 4 ++--
> >  3 files changed, 6 insertions(+), 4 deletions(-)
> > 
> > diff --git a/drivers/usb/mtu3/mtu3.h b/drivers/usb/mtu3/mtu3.h
> > index 8408e1b1a24a..9893dd1bafbb 100644
> > --- a/drivers/usb/mtu3/mtu3.h
> > +++ b/drivers/usb/mtu3/mtu3.h
> > @@ -92,6 +92,8 @@ struct mtu3_request;
> >  
> >  #define BULK_CLKS_CNT	4
> >  
> > +#define MTU3_EP_NAME_LEN	12
> > +
> >  /* device operated link and speed got from DEVICE_CONF register */
> >  enum mtu3_speed {
> >  	MTU3_SPEED_INACTIVE = 0,
> > @@ -272,7 +274,7 @@ struct ssusb_mtk {
> >   */
> >  struct mtu3_ep {
> >  	struct usb_ep ep;
> > -	char name[12];
> > +	char name[MTU3_EP_NAME_LEN];
> >  	struct mtu3 *mtu;
> >  	u8 epnum;
> >  	u8 type;
> > diff --git a/drivers/usb/mtu3/mtu3_debugfs.c
> > b/drivers/usb/mtu3/mtu3_debugfs.c
> > index d27de647c86a..a6f72494b819 100644
> > --- a/drivers/usb/mtu3/mtu3_debugfs.c
> > +++ b/drivers/usb/mtu3/mtu3_debugfs.c
> > @@ -132,7 +132,7 @@ static void mtu3_debugfs_regset(struct mtu3
> > *mtu, void __iomem *base,
> >  	if (!mregs)
> >  		return;
> >  
> > -	sprintf(mregs->name, "%s", name);
> > +	snprintf(mregs->name, MTU3_DEBUGFS_NAME_LEN, "%s", name);
> 
> Where does name come from?  It looks like you control this string, so
> there is no overflow anywhere.
Yes, don't encounter overflow at all, but there is warning when scanned
by coverity in our internal project branches.

> 
> >  	regset = &mregs->regset;
> >  	regset->regs = regs;
> >  	regset->nregs = nregs;
> > diff --git a/drivers/usb/mtu3/mtu3_gadget.c
> > b/drivers/usb/mtu3/mtu3_gadget.c
> > index 30999b4debb8..a751e0533c2d 100644
> > --- a/drivers/usb/mtu3/mtu3_gadget.c
> > +++ b/drivers/usb/mtu3/mtu3_gadget.c
> > @@ -635,8 +635,8 @@ static void init_hw_ep(struct mtu3 *mtu, struct
> > mtu3_ep *mep,
> >  
> >  	INIT_LIST_HEAD(&mep->req_list);
> >  
> > -	sprintf(mep->name, "ep%d%s", epnum,
> > -		!epnum ? "" : (is_in ? "in" : "out"));
> > +	snprintf(mep->name, MTU3_EP_NAME_LEN, "ep%d%s", epnum,
> > +		 !epnum ? "" : (is_in ? "in" : "out"));
> 
> Same here, you already control this string size, so where is the
> issue?
Just fix coverity warning.

Thanks a lot

> 
> thanks,
> 
> greg k-h


More information about the Linux-mediatek mailing list