hwmon_pmu__for_each_event() formats description strings via:

  len = snprintf(desc_buf, sizeof(desc_buf), "%s in unit %s named %s.", ...);
  len += hwmon_pmu__describe_items(hwm, desc_buf + len, sizeof(desc_buf) - len, ...);

If value->label is long enough to cause snprintf() to truncate, it
returns the would-have-been-written count, making len exceed
sizeof(desc_buf). The subsequent sizeof(desc_buf) - len underflows
to a huge size_t value, disabling bounds checking in
hwmon_pmu__describe_items().

The alias_buf snprintf has the same issue. Switch both to scnprintf()
which returns actual bytes written.

Fixes: 53cc0b351ec99278 ("perf hwmon_pmu: Add a tool PMU exposing events from hwmon in sysfs")
Reported-by: sashiko-bot <sashiko-bot@kernel.org>
Cc: Ian Rogers <irogers@google.com>
Assisted-by: Claude:claude-opus-4.6
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
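
The wrap-around described in the commit message, reproduced in userspace as an added example (not code from the perf tree or from the patch author). demo_scnprintf() is a hypothetical stand-in for scnprintf(), and the 32-byte buffer, format string and labels are constructed for the demonstration.

```c
#include <stdarg.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical stand-in for scnprintf(): returns the bytes actually stored, NUL excluded. */
static size_t demo_scnprintf(char *buf, size_t size, const char *fmt, ...)
{
	va_list ap;
	int n;

	va_start(ap, fmt);
	n = vsnprintf(buf, size, fmt, ap);
	va_end(ap);
	if (n < 0 || size == 0)
		return 0;
	return (size_t)n < size ? (size_t)n : size - 1;
}

/* Room left after snprintf(): the size_t subtraction wraps once the output is truncated. */
size_t remaining_after_snprintf(const char *label)
{
	char desc_buf[32];	/* constructed size, small enough to truncate easily */
	size_t len = snprintf(desc_buf, sizeof(desc_buf), "Temperature named %s.", label);

	return sizeof(desc_buf) - len;	/* len may exceed 32 here */
}

/* Same computation under the scnprintf() contract: len <= 31, so at least 1 remains. */
size_t remaining_after_scnprintf(const char *label)
{
	char desc_buf[32];
	size_t len = demo_scnprintf(desc_buf, sizeof(desc_buf), "Temperature named %s.", label);

	return sizeof(desc_buf) - len;
}

int main(void)
{
	/* Constructed 42-character label: the formatted string needs 61 bytes plus NUL. */
	const char *long_label = "a_constructed_label_longer_than_the_buffer";

	printf("snprintf:  %zu bytes reported left\n", remaining_after_snprintf(long_label));
	printf("scnprintf: %zu bytes reported left\n", remaining_after_scnprintf(long_label));
	return 0;
}
```
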
int ret;
size_t len;
- len = snprintf(alias_buf, sizeof(alias_buf), "%s%d",
- hwmon_type_strs[key.type], key.num);
+ scnprintf(alias_buf, sizeof(alias_buf), "%s%d",
+ hwmon_type_strs[key.type], key.num);
if (!info.name) {
info.name = info.alias;
info.alias = NULL;
}
- len = snprintf(desc_buf, sizeof(desc_buf), "%s in unit %s named %s.",
+ len = scnprintf(desc_buf, sizeof(desc_buf), "%s in unit %s named %s.",
hwmon_desc[key.type],
pmu->name + 6,
value->label ?: info.name);
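
Review bot: In the alias_buf change at the top of the hunk, the removed "len = snprintf(alias_buf, ...)" result is overwritten by the desc_buf assignment before any use in the lines shown, so that part drops a dead store rather than fixing an underflow; the commit message's "same issue" wording could say so. For desc_buf, scnprintf() caps len at sizeof(desc_buf) - 1, so sizeof(desc_buf) - len is at least 1, but a long value->label is now cut off silently and hwmon_pmu__describe_items() receives a one-byte window. Its body is not part of this diff, so it is worth confirming that it also accumulates with scnprintf() and handles that remaining size, and a short comment at the call noting that truncation is tolerated would help the next reader.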