s390/extmem: Replace sprintf() with snprintf() for buffer safety
authorJosephine Pfeiffer <hi@josie.lol>
Wed, 1 Oct 2025 19:14:04 +0000 (21:14 +0200)
committerHeiko Carstens <hca@linux.ibm.com>
Tue, 21 Oct 2025 08:17:29 +0000 (10:17 +0200)
Replace unsafe sprintf() calls with snprintf() in segment_save() to
prevent potential buffer overflows. The function builds command strings
by repeatedly appending to a fixed-size buffer, which could overflow if
segment ranges are numerous or values are large.

Signed-off-by: Josephine Pfeiffer <hi@josie.lol>
Signed-off-by: Heiko Carstens <hca@linux.ibm.com>
arch/s390/mm/extmem.c

index f7da53e212f554d545c8b06a1d3382e59fbf9253..b6464a322eb14a0db414a1ce73f1ae44f4a44fcf 100644 (file)
@@ -598,14 +598,16 @@ segment_save(char *name)
                goto out;
        }
 
-       sprintf(cmd1, "DEFSEG %s", name);
+       snprintf(cmd1, sizeof(cmd1), "DEFSEG %s", name);
        for (i=0; i<seg->segcnt; i++) {
-               sprintf(cmd1+strlen(cmd1), " %lX-%lX %s",
-                       seg->range[i].start >> PAGE_SHIFT,
-                       seg->range[i].end >> PAGE_SHIFT,
-                       segtype_string[seg->range[i].start & 0xff]);
+               size_t len = strlen(cmd1);
+
+               snprintf(cmd1 + len, sizeof(cmd1) - len, " %lX-%lX %s",
+                        seg->range[i].start >> PAGE_SHIFT,
+                        seg->range[i].end >> PAGE_SHIFT,
+                        segtype_string[seg->range[i].start & 0xff]);
        }
-       sprintf(cmd2, "SAVESEG %s", name);
+       snprintf(cmd2, sizeof(cmd2), "SAVESEG %s", name);
        response = 0;
        cpcmd(cmd1, NULL, 0, &response);
        if (response) {
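Review bot: The new snprintf() calls bound the write but ignore the return value, so a cmd1 that no longer fits is silently truncated and the cut-off string is still handed to cpcmd() a few lines later. A DEFSEG command cut in the middle of a range (for example inside the hex end page) could still parse as a valid command while describing a different layout than seg->range[], so truncation is better treated as an error than sent on. In the loop, compare the result with the remaining space and leave through the existing `out` label, e.g. `if (snprintf(cmd1 + len, sizeof(cmd1) - len, ...) >= sizeof(cmd1) - len) goto out;`, ideally with a log message; the same check applies to the two single-shot calls that format `name`. segment_save() starts and ends outside this hunk, so the declared sizes of cmd1/cmd2 and what `out` releases should be confirmed there.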