
crypto: bcm - Use scnprintf() for avoiding potential buffer overflow

Since snprintf() returns the would-be-output size instead of the
actual output size, the succeeding calls may go beyond the given
buffer limit. Fix it by replacing with scnprintf().

Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>

authored by

Takashi Iwai and committed by
Herbert Xu
7fe8e483 2638268f

+20 -20
+20 -20
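--- a/drivers/crypto/bcm/util.c
+++ b/drivers/crypto/bcm/util.c
@@ -366,88 +366,88 @@
 
 ipriv = filp->private_data;
 out_offset = 0;
-out_offset += snprintf(buf + out_offset, out_count - out_offset,
+out_offset += scnprintf(buf + out_offset, out_count - out_offset,
 "Number of SPUs.........%u\n",
 ipriv->spu.num_spu);
-out_offset += snprintf(buf + out_offset, out_count - out_offset,
+out_offset += scnprintf(buf + out_offset, out_count - out_offset,
 "Current sessions.......%u\n",
 atomic_read(&ipriv->session_count));
-out_offset += snprintf(buf + out_offset, out_count - out_offset,
+out_offset += scnprintf(buf + out_offset, out_count - out_offset,
 "Session count..........%u\n",
 atomic_read(&ipriv->stream_count));
-out_offset += snprintf(buf + out_offset, out_count - out_offset,
+out_offset += scnprintf(buf + out_offset, out_count - out_offset,
 "Cipher setkey..........%u\n",
 atomic_read(&ipriv->setkey_cnt[SPU_OP_CIPHER]));
-out_offset += snprintf(buf + out_offset, out_count - out_offset,
+out_offset += scnprintf(buf + out_offset, out_count - out_offset,
 "Cipher Ops.............%u\n",
 atomic_read(&ipriv->op_counts[SPU_OP_CIPHER]));
 for (alg = 0; alg < CIPHER_ALG_LAST; alg++) {
 for (mode = 0; mode < CIPHER_MODE_LAST; mode++) {
 op_cnt = atomic_read(&ipriv->cipher_cnt[alg][mode]);
 if (op_cnt) {
-out_offset += snprintf(buf + out_offset,
+out_offset += scnprintf(buf + out_offset,
 out_count - out_offset,
 " %-13s%11u\n",
 spu_alg_name(alg, mode), op_cnt);
 }
 }
 }
-out_offset += snprintf(buf + out_offset, out_count - out_offset,
+out_offset += scnprintf(buf + out_offset, out_count - out_offset,
 "Hash Ops...............%u\n",
 atomic_read(&ipriv->op_counts[SPU_OP_HASH]));
 for (alg = 0; alg < HASH_ALG_LAST; alg++) {
 op_cnt = atomic_read(&ipriv->hash_cnt[alg]);
 if (op_cnt) {
-out_offset += snprintf(buf + out_offset,
+out_offset += scnprintf(buf + out_offset,
 out_count - out_offset,
 " %-13s%11u\n",
 hash_alg_name[alg], op_cnt);
 }
 }
-out_offset += snprintf(buf + out_offset, out_count - out_offset,
+out_offset += scnprintf(buf + out_offset, out_count - out_offset,
 "HMAC setkey............%u\n",
 atomic_read(&ipriv->setkey_cnt[SPU_OP_HMAC]));
-out_offset += snprintf(buf + out_offset, out_count - out_offset,
+out_offset += scnprintf(buf + out_offset, out_count - out_offset,
 "HMAC Ops...............%u\n",
 atomic_read(&ipriv->op_counts[SPU_OP_HMAC]));
 for (alg = 0; alg < HASH_ALG_LAST; alg++) {
 op_cnt = atomic_read(&ipriv->hmac_cnt[alg]);
 if (op_cnt) {
-out_offset += snprintf(buf + out_offset,
+out_offset += scnprintf(buf + out_offset,
 out_count - out_offset,
 " %-13s%11u\n",
 hash_alg_name[alg], op_cnt);
 }
 }
-out_offset += snprintf(buf + out_offset, out_count - out_offset,
+out_offset += scnprintf(buf + out_offset, out_count - out_offset,
 "AEAD setkey............%u\n",
 atomic_read(&ipriv->setkey_cnt[SPU_OP_AEAD]));
 
-out_offset += snprintf(buf + out_offset, out_count - out_offset,
+out_offset += scnprintf(buf + out_offset, out_count - out_offset,
 "AEAD Ops...............%u\n",
 atomic_read(&ipriv->op_counts[SPU_OP_AEAD]));
 for (alg = 0; alg < AEAD_TYPE_LAST; alg++) {
 op_cnt = atomic_read(&ipriv->aead_cnt[alg]);
 if (op_cnt) {
-out_offset += snprintf(buf + out_offset,
+out_offset += scnprintf(buf + out_offset,
 out_count - out_offset,
 " %-13s%11u\n",
 aead_alg_name[alg], op_cnt);
 }
 }
-out_offset += snprintf(buf + out_offset, out_count - out_offset,
+out_offset += scnprintf(buf + out_offset, out_count - out_offset,
 "Bytes of req data......%llu\n",
 (u64)atomic64_read(&ipriv->bytes_out));
-out_offset += snprintf(buf + out_offset, out_count - out_offset,
+out_offset += scnprintf(buf + out_offset, out_count - out_offset,
 "Bytes of resp data.....%llu\n",
 (u64)atomic64_read(&ipriv->bytes_in));
-out_offset += snprintf(buf + out_offset, out_count - out_offset,
+out_offset += scnprintf(buf + out_offset, out_count - out_offset,
 "Mailbox full...........%u\n",
 atomic_read(&ipriv->mb_no_spc));
-out_offset += snprintf(buf + out_offset, out_count - out_offset,
+out_offset += scnprintf(buf + out_offset, out_count - out_offset,
 "Mailbox send failures..%u\n",
 atomic_read(&ipriv->mb_send_fail));
-out_offset += snprintf(buf + out_offset, out_count - out_offset,
+out_offset += scnprintf(buf + out_offset, out_count - out_offset,
 "Check ICV errors.......%u\n",
 atomic_read(&ipriv->bad_icv));
 if (ipriv->spu.spu_type == SPU_TYPE_SPUM)
@@ -455,7 +455,7 @@
 spu_ofifo_ctrl = ioread32(ipriv->spu.reg_vbase[i] +
 SPU_OFIFO_CTRL);
 fifo_len = spu_ofifo_ctrl & SPU_FIFO_WATERMARK;
-out_offset += snprintf(buf + out_offset,
+out_offset += scnprintf(buf + out_offset,
 out_count - out_offset,
 "SPU %d output FIFO high water.....%u\n",
 i, fifo_len);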
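Review bot: Truncation is now silent: once `buf` fills, every later scnprintf() call in this function writes nothing more, and whoever reads the statistics gets a cut-off report with no indication that rows are missing. A comment above the first call would record the intent, for example `/* scnprintf() returns the bytes actually stored, so out_offset stays below out_count; excess output is truncated */`. It is also worth confirming that `out_count`, which is set outside these hunks, covers the worst case where every cipher, hash, HMAC and AEAD row is non-zero. The per-SPU FIFO loop in the second hunk has the same property. The enclosing function begins and ends outside the lines shown, so the declared types of `out_offset` and `out_count` could not be checked here.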