io_uring/io-wq: protect against sprintf overflow

task_pid may be large enough to not fit into the left space of TASK_COMM_LEN-sized buffers and overflow in sprintf. We not so care about uniqueness, so replace it with safer snprintf(). Reported-by: Alexey Dobriyan <adobriyan@gmail.com> Signed-off-by: Pavel Begunkov <asml.silence@gmail.com> Link: https://lore.kernel.org/r/1702c6145d7e1c46fbc382f28334c02e1a3d3994.1617267273.git.asml.silence@gmail.comSigned-off-by: Jens Axboe <axboe@kernel.dk>

io_uring/io-wq: protect against sprintf overflow
task_pid may be large enough to not fit into the left space of TASK_COMM_LEN-sized buffers and overflow in sprintf. We not so care about uniqueness, so replace it with safer snprintf(). Reported-by: Alexey Dobriyan <adobriyan@gmail.com> Signed-off-by: Pavel Begunkov <asml.silence@gmail.com> Link: https://lore.kernel.org/r/1702c6145d7e1c46fbc382f28334c02e1a3d3994.1617267273.git.asml.silence@gmail.comSigned-off-by: Jens Axboe <axboe@kernel.dk>
696ee88a · Pavel Begunkov · Jens Axboe · 4b982bd0 · 696ee88a · 696ee88a
Commit 696ee88a authored Apr 01, 2021 by Pavel Begunkov Committed by Jens Axboe Apr 01, 2021
Hide whitespace changes
Inline Side-by-side

Showing with 3 additions and 3 deletions

fs/io-wq.c fs/io-wq.c +2 -2

fs/io_uring.c fs/io_uring.c +1 -1

No files found.
--- a/fs/io-wq.c
+++ b/fs/io-wq.c
@@ -484,7 +484,7 @@ static int io_wqe_worker(void *data)
 	worker->flags |= (IO_WORKER_F_UP | IO_WORKER_F_RUNNING);
 	io_wqe_inc_running(worker);

-	sprintf(buf, "iou-wrk-%d", wq->task_pid);
+	snprintf(buf, sizeof(buf), "iou-wrk-%d", wq->task_pid);
 	set_task_comm(current, buf);

 	while (!test_bit(IO_WQ_BIT_EXIT, &wq->state)) {
@@ -711,7 +711,7 @@ static int io_wq_manager(void *data)
 	char buf[TASK_COMM_LEN];
 	int node;

-	sprintf(buf, "iou-mgr-%d", wq->task_pid);
+	snprintf(buf, sizeof(buf), "iou-mgr-%d", wq->task_pid);
 	set_task_comm(current, buf);

 	do {

--- a/fs/io_uring.c
+++ b/fs/io_uring.c
@@ -6718,7 +6718,7 @@ static int io_sq_thread(void *data)
 	char buf[TASK_COMM_LEN];
 	DEFINE_WAIT(wait);

-	sprintf(buf, "iou-sqp-%d", sqd->task_pid);
+	snprintf(buf, sizeof(buf), "iou-sqp-%d", sqd->task_pid);
 	set_task_comm(current, buf);
 	current->pf_io_worker = NULL;