perf tools: Use scnprintf() in cpu_map__snprint() to prevent overflow

cpu_map__snprint() accumulates snprintf() return values in ret.
snprintf() returns the number of characters that *would have been
written* on truncation, not the actual count.  When a fragmented CPU
list exceeds the buffer, ret grows past size, causing `size - ret` to
underflow (both are size_t), and subsequent snprintf() calls write
past the end of the caller's stack buffer.

Switch to scnprintf() which returns the actual number of characters
written, making ret accumulation safe by construction.

Fixes: a24020e6b7cf6eb8 ("perf tools: Change cpu_map__fprintf output")
Reported-by: sashiko-bot <sashiko-bot@kernel.org>
Reviewed-by: Ian Rogers <irogers@google.com>
Cc: Jiri Olsa <jolsa@kernel.org>
Cc: Ian Rogers <irogers@google.com>
Assisted-by: Claude:claude-opus-4.6
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>

diff --git a/tools/perf/util/cpumap.c b/tools/perf/util/cpumap.c
index 1fab00ec4a59a0c719a170be7413a7f3cf1c2cc8..23ebe9b97f8e58af5ebcfab43dd30132b59d121c 100644 (file)
--- a/tools/perf/util/cpumap.c
+++ b/tools/perf/util/cpumap.c
@@ -692,21 +692,21 @@ size_t cpu_map__snprint(struct perf_cpu_map *map, char *buf, size_t size)
                if (start == -1) {
                        start = i;
                        if (last) {
-                               ret += snprintf(buf + ret, size - ret,
-                                               "%s%d", COMMA,
-                                               perf_cpu_map__cpu(map, i).cpu);
+                               ret += scnprintf(buf + ret, size - ret,
+                                                "%s%d", COMMA,
+                                                perf_cpu_map__cpu(map, i).cpu);
                        }
                } else if (((i - start) != (cpu.cpu - perf_cpu_map__cpu(map, start).cpu)) || last) {
                        int end = i - 1;
 
                        if (start == end) {
-                               ret += snprintf(buf + ret, size - ret,
-                                               "%s%d", COMMA,
-                                               perf_cpu_map__cpu(map, start).cpu);
+                               ret += scnprintf(buf + ret, size - ret,
+                                                "%s%d", COMMA,
+                                                perf_cpu_map__cpu(map, start).cpu);
                        } else {
-                               ret += snprintf(buf + ret, size - ret,
-                                               "%s%d-%d", COMMA,
-                                               perf_cpu_map__cpu(map, start).cpu, perf_cpu_map__cpu(map, end).cpu);
+                               ret += scnprintf(buf + ret, size - ret,
+                                                "%s%d-%d", COMMA,
+                                                perf_cpu_map__cpu(map, start).cpu, perf_cpu_map__cpu(map, end).cpu);
                        }
                        first = false;
                        start = i;