build_id__snprintf() and hwmon_pmu__read_events() accumulate formatted
output via snprintf(), which returns the would-have-been-written count
on truncation. In build_id__snprintf(), this inflates the return
value beyond the buffer size. In hwmon_pmu__read_events(), len
overshoots out_buf_len and the next 'out_buf_len - len' underflows.
Switch both to scnprintf() which returns actual bytes written.
In build_id__snprintf(), also tighten the loop guard from
'offs < bf_size' to 'offs + 1 < bf_size': since scnprintf() returns
at most size-1, offs never reaches bf_size, and the original condition
would spin doing zero-byte writes once the buffer fills.
Fixes: fccaaf6fbbc59910 ("perf build-id: Change sprintf functions to snprintf")
Fixes: 53cc0b351ec99278 ("perf hwmon_pmu: Add a tool PMU exposing events from hwmon in sysfs")
Reported-by: sashiko-bot <sashiko-bot@kernel.org>
Reviewed-by: Ian Rogers <irogers@google.com>
Cc: Ian Rogers <irogers@google.com>
Assisted-by: Claude:claude-opus-4.6
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
return 0;
}
- for (size_t i = 0; i < build_id->size && offs < bf_size; ++i)
- offs += snprintf(bf + offs, bf_size - offs, "%02x", build_id->data[i]);
+ if (bf_size > 0)
+ bf[0] = '\0';
+
+ for (size_t i = 0; i < build_id->size && offs + 1 < bf_size; ++i)
+ offs += scnprintf(bf + offs, bf_size - offs, "%02x", build_id->data[i]);
return offs;
}
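Review bot: The tightened guard `offs + 1 < bf_size` still lets scnprintf() run with only two bytes of room, in which case it writes a single hex digit plus the NUL and the string ends on half a byte. A build-id string with an odd digit count can be taken for a different, shorter id by anything that compares or looks it up, and the return value no longer tells the caller that truncation happened. Requiring room for a whole byte, `for (size_t i = 0; i < build_id->size && offs + 2 < bf_size; ++i)`, keeps the output on byte boundaries. The start of build_id__snprintf() lies outside this hunk, so whether callers always size bf to fit the full id is not visible here.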
buf[read_len] = '\0';
val = strtoll(buf, /*endptr=*/NULL, 10);
- len += snprintf(out_buf + len, out_buf_len - len, "%s%s%s=%g%s",
- len == 0 ? " " : ", ",
- hwmon_item_strs[bit],
- is_alarm ? "_alarm" : "",
- (double)val / 1000.0,
- hwmon_units[key.type]);
+ len += scnprintf(out_buf + len, out_buf_len - len, "%s%s%s=%g%s",
+ len == 0 ? " " : ", ",
+ hwmon_item_strs[bit],
+ is_alarm ? "_alarm" : "",
+ (double)val / 1000.0,
+ hwmon_units[key.type]);
}
close(fd);
}
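Review bot: Truncation at the scnprintf() call is now silent, so once out_buf fills, the description ends mid-item and the enclosing loop (which starts outside this hunk) keeps opening and reading sysfs files whose values are then discarded. A comment such as `/* scnprintf() clamps to the space left; once out_buf is full further items are dropped */` would record that, and the loop could stop early when `len + 1 >= out_buf_len`. The hunk also does not show whether out_buf_len can be 0 on entry; unlike the build_id__snprintf() change, no guard for an empty buffer is visible here.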