Replace sprintf() with scnprintf() to prevent a potential buffer overflow
when writing to ring->name. The buffer size is 16 bytes. For compute rings,
the string format "compute_%d.%d.%d" can exceed this limit when the total
number of digits in the three numbers is greater than 5 (e.g., pasid=1234,
gang_id=0, queue_id=0). This can lead to memory corruption.
Using scnprintf() guarantees that the buffer is not overflowed, even if the
string is truncated. This is a minimal fix for the issue; the BUG() for
unknown queue types is left unchanged to avoid additional risk.
This code is only present in LTS kernels v6.12, v6.6, and v6.1, as it was
completely refactored in upstream. Therefore, this patch is specifically
intended for stable trees.
Found by Linux Verification Center (linuxtesting.org) with SVACE.
Fixes: d0c423b64765 ("drm/amdgpu/mes: use ring for kernel queue submission")
Signed-off-by: Evgenii Burenchev <[email protected]>
---
drivers/gpu/drm/amd/amdgpu/amdgpu_mes.c | 11 ++++++-----
1 file changed, 6 insertions(+), 5 deletions(-)
diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_mes.c
b/drivers/gpu/drm/amd/amdgpu/amdgpu_mes.c
index 5e3abdd0805b..076d9069aa30 100644
--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_mes.c
+++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_mes.c
@@ -1072,13 +1072,14 @@ int amdgpu_mes_add_ring(struct amdgpu_device *adev, int
gang_id,
ring->doorbell_index = qprops.doorbell_off;
if (queue_type == AMDGPU_RING_TYPE_GFX)
- sprintf(ring->name, "gfx_%d.%d.%d", pasid, gang_id, queue_id);
+ scnprintf(ring->name, sizeof(ring->name), "gfx_%d.%d.%d",
+ pasid, gang_id, queue_id);
else if (queue_type == AMDGPU_RING_TYPE_COMPUTE)
- sprintf(ring->name, "compute_%d.%d.%d", pasid, gang_id,
- queue_id);
+ scnprintf(ring->name, sizeof(ring->name), "compute_%d.%d.%d",
+ pasid, gang_id, queue_id);
else if (queue_type == AMDGPU_RING_TYPE_SDMA)
- sprintf(ring->name, "sdma_%d.%d.%d", pasid, gang_id,
- queue_id);
+ scnprintf(ring->name, sizeof(ring->name), "sdma_%d.%d.%d",
+ pasid, gang_id, queue_id);
else
BUG();
--
2.43.0