projects / thirdparty / kernel / stable-queue.git / blame
| Commit | Line | Data |
|---|---|---|
| f867df69 SL |
1 | From d9c85adb8b70dcd43f973edc4b097d18f97f9fdf Mon Sep 17 00:00:00 2001 |
| 2 | From: Silvio Cesare <silvio.cesare@gmail.com> | |
| 3 | Date: Tue, 15 Jan 2019 04:27:27 +0100 | |
| 4 | Subject: ASoC: imx-audmux: change snprintf to scnprintf for possible overflow | |
| 5 | ||
| 6 | [ Upstream commit c407cd008fd039320d147088b52d0fa34ed3ddcb ] | |
| 7 | ||
| 8 | Change snprintf to scnprintf. There are generally two cases where using | |
| 9 | snprintf causes problems. | |
| 10 | ||
| 11 | 1) Uses of size += snprintf(buf, SIZE - size, fmt, ...) | |
| 12 | In this case, if snprintf would have written more characters than what the | |
| 13 | buffer size (SIZE) is, then size will end up larger than SIZE. In later | |
| 14 | uses of snprintf, SIZE - size will result in a negative number, leading | |
| 15 | to problems. Note that size might already be too large by using | |
| 16 | size = snprintf before the code reaches a case of size += snprintf. | |
| 17 | ||
| 18 | 2) If size is ultimately used as a length parameter for a copy back to user | |
| 19 | space, then it will potentially allow for a buffer overflow and information | |
| 20 | disclosure when size is greater than SIZE. When the size is used to index | |
| 21 | the buffer directly, we can have memory corruption. This also means when | |
| 22 | size = snprintf... is used, it may also cause problems since size may become | |
| 23 | large. Copying to userspace is mitigated by the HARDENED_USERCOPY kernel | |
| 24 | configuration. | |
| 25 | ||
| 26 | The solution to these issues is to use scnprintf which returns the number of | |
| 27 | characters actually written to the buffer, so the size variable will never | |
| 28 | exceed SIZE. | |
| 29 | ||
| 30 | Signed-off-by: Silvio Cesare <silvio.cesare@gmail.com> | |
| 31 | Cc: Timur Tabi <timur@kernel.org> | |
| 32 | Cc: Nicolin Chen <nicoleotsuka@gmail.com> | |
| 33 | Cc: Mark Brown <broonie@kernel.org> | |
| 34 | Cc: Xiubo Li <Xiubo.Lee@gmail.com> | |
| 35 | Cc: Fabio Estevam <fabio.estevam@nxp.com> | |
| 36 | Cc: Dan Carpenter <dan.carpenter@oracle.com> | |
| 37 | Cc: Kees Cook <keescook@chromium.org> | |
| 38 | Cc: Will Deacon <will.deacon@arm.com> | |
| 39 | Cc: Greg KH <greg@kroah.com> | |
| 40 | Signed-off-by: Willy Tarreau <w@1wt.eu> | |
| 41 | Acked-by: Nicolin Chen <nicoleotsuka@gmail.com> | |
| 42 | Reviewed-by: Kees Cook <keescook@chromium.org> | |
| 43 | Signed-off-by: Mark Brown <broonie@kernel.org> | |
| 44 | Signed-off-by: Sasha Levin <sashal@kernel.org> | |
| 45 | --- | |
| 46 | sound/soc/fsl/imx-audmux.c | 24 ++++++++++++------------ | |
| 47 | 1 file changed, 12 insertions(+), 12 deletions(-) | |
| 48 | ||
| 49 | diff --git a/sound/soc/fsl/imx-audmux.c b/sound/soc/fsl/imx-audmux.c | |
| 50 | index fc57da341d610..136df38c4536c 100644 | |
| 51 | --- a/sound/soc/fsl/imx-audmux.c | |
| 52 | +++ b/sound/soc/fsl/imx-audmux.c | |
| 53 | @@ -86,49 +86,49 @@ static ssize_t audmux_read_file(struct file *file, char __user *user_buf, | |
| 54 | if (!buf) | |
| 55 | return -ENOMEM; | |
| 56 | ||
| 57 | - ret = snprintf(buf, PAGE_SIZE, "PDCR: %08x\nPTCR: %08x\n", | |
| 58 | + ret = scnprintf(buf, PAGE_SIZE, "PDCR: %08x\nPTCR: %08x\n", | |
| 59 | pdcr, ptcr); | |
| 60 | ||
| 61 | if (ptcr & IMX_AUDMUX_V2_PTCR_TFSDIR) | |
| 62 | - ret += snprintf(buf + ret, PAGE_SIZE - ret, | |
| 63 | + ret += scnprintf(buf + ret, PAGE_SIZE - ret, | |
| 64 | "TxFS output from %s, ", | |
| 65 | audmux_port_string((ptcr >> 27) & 0x7)); | |
| 66 | else | |
| 67 | - ret += snprintf(buf + ret, PAGE_SIZE - ret, | |
| 68 | + ret += scnprintf(buf + ret, PAGE_SIZE - ret, | |
| 69 | "TxFS input, "); | |
| 70 | ||
| 71 | if (ptcr & IMX_AUDMUX_V2_PTCR_TCLKDIR) | |
| 72 | - ret += snprintf(buf + ret, PAGE_SIZE - ret, | |
| 73 | + ret += scnprintf(buf + ret, PAGE_SIZE - ret, | |
| 74 | "TxClk output from %s", | |
| 75 | audmux_port_string((ptcr >> 22) & 0x7)); | |
| 76 | else | |
| 77 | - ret += snprintf(buf + ret, PAGE_SIZE - ret, | |
| 78 | + ret += scnprintf(buf + ret, PAGE_SIZE - ret, | |
| 79 | "TxClk input"); | |
| 80 | ||
| 81 | - ret += snprintf(buf + ret, PAGE_SIZE - ret, "\n"); | |
| 82 | + ret += scnprintf(buf + ret, PAGE_SIZE - ret, "\n"); | |
| 83 | ||
| 84 | if (ptcr & IMX_AUDMUX_V2_PTCR_SYN) { | |
| 85 | - ret += snprintf(buf + ret, PAGE_SIZE - ret, | |
| 86 | + ret += scnprintf(buf + ret, PAGE_SIZE - ret, | |
| 87 | "Port is symmetric"); | |
| 88 | } else { | |
| 89 | if (ptcr & IMX_AUDMUX_V2_PTCR_RFSDIR) | |
| 90 | - ret += snprintf(buf + ret, PAGE_SIZE - ret, | |
| 91 | + ret += scnprintf(buf + ret, PAGE_SIZE - ret, | |
| 92 | "RxFS output from %s, ", | |
| 93 | audmux_port_string((ptcr >> 17) & 0x7)); | |
| 94 | else | |
| 95 | - ret += snprintf(buf + ret, PAGE_SIZE - ret, | |
| 96 | + ret += scnprintf(buf + ret, PAGE_SIZE - ret, | |
| 97 | "RxFS input, "); | |
| 98 | ||
| 99 | if (ptcr & IMX_AUDMUX_V2_PTCR_RCLKDIR) | |
| 100 | - ret += snprintf(buf + ret, PAGE_SIZE - ret, | |
| 101 | + ret += scnprintf(buf + ret, PAGE_SIZE - ret, | |
| 102 | "RxClk output from %s", | |
| 103 | audmux_port_string((ptcr >> 12) & 0x7)); | |
| 104 | else | |
| 105 | - ret += snprintf(buf + ret, PAGE_SIZE - ret, | |
| 106 | + ret += scnprintf(buf + ret, PAGE_SIZE - ret, | |
| 107 | "RxClk input"); | |
| 108 | } | |
| 109 | ||
| 110 | - ret += snprintf(buf + ret, PAGE_SIZE - ret, | |
| 111 | + ret += scnprintf(buf + ret, PAGE_SIZE - ret, | |
| 112 | "\nData received from %s\n", | |
| 113 | audmux_port_string((pdcr >> 13) & 0x7)); | |
| 114 | ||
| 115 | -- | |
| 116 | 2.19.1 | |
| 117 |