drm: Fix potential overflow issue in event_string array

flynnjiang · rodrigovivi · commit b662b162c3d0 · 2025-05-02T09:34:22.000-04:00
When calling scnprintf() to append recovery method to event_string, the second argument should be `sizeof(event_string) - len`, otherwise there is a potential overflow problem. Fixes: b7cf9f4 ("drm: Introduce device wedged event") Signed-off-by: Feng Jiang <jiangfeng@kylinos.cn> Reviewed-by: André Almeida <andrealmeid@igalia.com> Reviewed-by: Raag Jadav <raag.jadav@intel.com> Link: https://lore.kernel.org/r/20250409014633.31303-1-jiangfeng@kylinos.cn Signed-off-by: Rodrigo Vivi <rodrigo.vivi@intel.com>
diff --git a/drivers/gpu/drm/drm_drv.c b/drivers/gpu/drm/drm_drv.c
@@ -549,7 +549,7 @@ int drm_dev_wedged_event(struct drm_device *dev, unsigned long method)
 		if (drm_WARN_ONCE(dev, !recovery, "invalid recovery method %u\n", opt))
 			break;
 
-		len += scnprintf(event_string + len, sizeof(event_string), "%s,", recovery);
+		len += scnprintf(event_string + len, sizeof(event_string) - len, "%s,", recovery);
 	}
 
 	if (recovery)

Original file line number	Diff line number	Diff line change
`@@ -549,7 +549,7 @@ int drm_dev_wedged_event(struct drm_device *dev, unsigned long method)`
`549`	`549`	`if (drm_WARN_ONCE(dev, !recovery, "invalid recovery method %u\n", opt))`
`550`	`550`	`break;`
`551`	`551`
`552`		`- len += scnprintf(event_string + len, sizeof(event_string), "%s,", recovery);`
	`552`	`+ len += scnprintf(event_string + len, sizeof(event_string) - len, "%s,", recovery);`
`553`	`553`	`}`
`554`	`554`
`555`	`555`	`if (recovery)`