Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

iommu/omap: Fix buffer overflow in debugfs

There are two issues here:

1) The "len" variable needs to be checked before the very first write.
Otherwise if omap2_iommu_dump_ctx() with "bytes" less than 32 it is a
buffer overflow.
2) The snprintf() function returns the number of bytes that *would* have
been copied if there were enough space. But we want to know the
number of bytes which were *actually* copied so use scnprintf()
instead.

Fixes: bd4396f09a4a ("iommu/omap: Consolidate OMAP IOMMU modules")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Reviewed-by: Robin Murphy <robin.murphy@arm.com>
Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
Link: https://lore.kernel.org/r/YuvYh1JbE3v+abd5@kili
Signed-off-by: Joerg Roedel <jroedel@suse.de>
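
The two return-value behaviours named in the commit message, shown as an added user-space example (not code from the commit or the kernel). `scn_printf` is a stand-in written here for the kernel's scnprintf(), `dump_regs` and `snprintf_reported` are hypothetical helpers, and the register names are constructed.

```c
#include <stdarg.h>
#include <stdio.h>

#define MAXCOL 32             /* per-line budget, as in the macro */
#define FMT "%20s: %08x\n"    /* 31 chars + NUL when the name fits in 20 */
/* Stand-in for the kernel's scnprintf(): returns bytes actually stored. */
static int scn_printf(char *buf, size_t size, const char *fmt, ...)
{
    va_list ap;
    int n;
    if (size == 0)
        return 0;
    va_start(ap, fmt);
    n = vsnprintf(buf, size, fmt, ap);
    va_end(ap);
    if (n < 0)
        return 0;
    return (size_t)n >= size ? (int)(size - 1) : n;
}

/* snprintf() reports the would-be length, even when the line was cut. */
static int snprintf_reported(const char *name, unsigned int val)
{
    char line[MAXCOL];
    return snprintf(line, sizeof(line), FMT, name, val);
}

/* Fixed ordering: check remaining space before each write, then advance
 * by the bytes actually written. Returns the total bytes placed in buf. */
static size_t dump_regs(char *buf, size_t len, const char *const *names,
                        const unsigned int *vals, size_t count)
{
    char *p = buf;
    for (size_t i = 0; i < count && len >= MAXCOL; i++) {
        int bytes = scn_printf(p, MAXCOL, FMT, names[i], vals[i]);
        p += bytes;
        len -= (size_t)bytes;
    }
    return (size_t)(p - buf);
}

int main(void)
{
    const char *names[] = { "REG_A", "REG_B", "REG_C" };  /* constructed */
    const unsigned int vals[] = { 0x1, 0x2, 0x3 };
    char buf[40];
    printf("%zu bytes\n%s", dump_regs(buf, sizeof(buf), names, vals, 3), buf);
    return 0;
}
```

A cursor advanced by the value from `snprintf_reported` for a 30-character name would move 41 bytes although at most 31 were stored; `scn_printf` reports 31 for the same call.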

authored by Dan Carpenter and committed by Joerg Roedel
184233a5 7e18e42e

+3 -3
drivers/iommu/omap-iommu-debug.c
··· 32 32 ssize_t bytes; \ 33 33 const char *str = "%20s: %08x\n"; \ 34 34 const int maxcol = 32; \ 35 - bytes = snprintf(p, maxcol, str, __stringify(name), \ 35 + if (len < maxcol) \ 36 + goto out; \ 37 + bytes = scnprintf(p, maxcol, str, __stringify(name), \ 36 38 iommu_read_reg(obj, MMU_##name)); \ 37 39 p += bytes; \ 38 40 len -= bytes; \ 39 - if (len < maxcol) \ 40 - goto out; \ 41 41 } while (0) 42 42 43 43 static ssize_t
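
Review bot: the `maxcol` value of 32 in the macro body is only large enough for `"%20s: %08x\n"` (31 characters plus the NUL) when `__stringify(name)` is at most 20 characters, and nothing in these lines enforces that. With scnprintf() a longer register name no longer over-advances `p`, but the entry would be cut at 31 bytes and lose its trailing newline, so it would run into the next one. A short comment tying `maxcol` to the format string, or a build-time check on the name length, would document the assumption. Separately, the `if (len < maxcol) goto out;` check now ends the dump silently when fewer than 32 bytes remain, and the jump to `out` is hidden inside the macro; a comment at the macro definition noting that it relies on the caller's `p`, `len` and `out` label would help readers.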