selftests/resctrl: Protect against array overflow when reading strings

rchatre · gregkh · commit 8b6752909058 · 2024-12-14T20:03:41.000+01:00
[ Upstream commit 4605843 ] resctrl selftests discover system properties via a variety of sysfs files. The MBM and MBA tests need to discover the event and umask with which to configure the performance event used to measure read memory bandwidth. This is done by parsing the contents of /sys/bus/event_source/devices/uncore_imc_<imc instance>/events/cas_count_read Similarly, the resctrl selftests discover the cache size via /sys/bus/cpu/devices/cpu<id>/cache/index<index>/size. Take care to do bounds checking when using fscanf() to read the contents of files into a string buffer because by default fscanf() assumes arbitrarily long strings. If the file contains more bytes than the array can accommodate then an overflow will occur. Provide a maximum field width to the conversion specifier to protect against array overflow. The maximum is one less than the array size because string input stores a terminating null byte that is not covered by the maximum field width. Signed-off-by: Reinette Chatre <reinette.chatre@intel.com> Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com> Signed-off-by: Shuah Khan <skhan@linuxfoundation.org> Signed-off-by: Sasha Levin <sashal@kernel.org>
diff --git a/tools/testing/selftests/resctrl/resctrl_val.c b/tools/testing/selftests/resctrl/resctrl_val.c
@@ -159,7 +159,7 @@ static int read_from_imc_dir(char *imc_dir, int count)
 
 		return -1;
 	}
-	if (fscanf(fp, "%s", cas_count_cfg) <= 0) {
+	if (fscanf(fp, "%1023s", cas_count_cfg) <= 0) {
 		ksft_perror("Could not get iMC cas count read");
 		fclose(fp);
 
@@ -177,7 +177,7 @@ static int read_from_imc_dir(char *imc_dir, int count)
 
 		return -1;
 	}
-	if  (fscanf(fp, "%s", cas_count_cfg) <= 0) {
+	if  (fscanf(fp, "%1023s", cas_count_cfg) <= 0) {
 		ksft_perror("Could not get iMC cas count write");
 		fclose(fp);
 
diff --git a/tools/testing/selftests/resctrl/resctrlfs.c b/tools/testing/selftests/resctrl/resctrlfs.c
@@ -182,7 +182,7 @@ int get_cache_size(int cpu_no, const char *cache_type, unsigned long *cache_size
 
 		return -1;
 	}
-	if (fscanf(fp, "%s", cache_str) <= 0) {
+	if (fscanf(fp, "%63s", cache_str) <= 0) {
 		ksft_perror("Could not get cache_size");
 		fclose(fp);
 

Original file line number	Diff line number	Diff line change
`@@ -159,7 +159,7 @@ static int read_from_imc_dir(char *imc_dir, int count)`
`159`	`159`
`160`	`160`	`return -1;`
`161`	`161`	`}`
`162`		`- if (fscanf(fp, "%s", cas_count_cfg) <= 0) {`
	`162`	`+ if (fscanf(fp, "%1023s", cas_count_cfg) <= 0) {`
`163`	`163`	`ksft_perror("Could not get iMC cas count read");`
`164`	`164`	`fclose(fp);`
`165`	`165`
`@@ -177,7 +177,7 @@ static int read_from_imc_dir(char *imc_dir, int count)`
`177`	`177`
`178`	`178`	`return -1;`
`179`	`179`	`}`
`180`		`- if (fscanf(fp, "%s", cas_count_cfg) <= 0) {`
	`180`	`+ if (fscanf(fp, "%1023s", cas_count_cfg) <= 0) {`
`181`	`181`	`ksft_perror("Could not get iMC cas count write");`
`182`	`182`	`fclose(fp);`
`183`	`183`
Original file line number	Diff line number	Diff line change
`@@ -182,7 +182,7 @@ int get_cache_size(int cpu_no, const char cache_type, unsigned long cache_size`
`182`	`182`
`183`	`183`	`return -1;`
`184`	`184`	`}`
`185`		`- if (fscanf(fp, "%s", cache_str) <= 0) {`
	`185`	`+ if (fscanf(fp, "%63s", cache_str) <= 0) {`
`186`	`186`	`ksft_perror("Could not get cache_size");`
`187`	`187`	`fclose(fp);`
`188`	`188`