Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

tty: serial: pch_uart: Use scnprintf() for avoiding potential buffer overflow

Since snprintf() returns the would-be-output size instead of the
actual output size, the succeeding calls may go beyond the given
buffer limit. Fix it by replacing with scnprintf().

Signed-off-by: Takashi Iwai <tiwai@suse.de>
Link: https://lore.kernel.org/r/20200311092930.24433-1-tiwai@suse.de
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

authored by

Takashi Iwai and committed by
Greg Kroah-Hartman
e39c0ffe e2c2e798

+11 -11
+11 -11
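--- a/drivers/tty/serial/pch_uart.c
+++ b/drivers/tty/serial/pch_uart.c
@@ -310,32 +310,32 @@
 if (!buf)
 return 0;
 
-len += snprintf(buf + len, PCH_REGS_BUFSIZE - len,
+len += scnprintf(buf + len, PCH_REGS_BUFSIZE - len,
 "PCH EG20T port[%d] regs:\n", priv->port.line);
 
-len += snprintf(buf + len, PCH_REGS_BUFSIZE - len,
+len += scnprintf(buf + len, PCH_REGS_BUFSIZE - len,
 "=================================\n");
-len += snprintf(buf + len, PCH_REGS_BUFSIZE - len,
+len += scnprintf(buf + len, PCH_REGS_BUFSIZE - len,
 "IER: \t0x%02x\n", ioread8(priv->membase + UART_IER));
-len += snprintf(buf + len, PCH_REGS_BUFSIZE - len,
+len += scnprintf(buf + len, PCH_REGS_BUFSIZE - len,
 "IIR: \t0x%02x\n", ioread8(priv->membase + UART_IIR));
-len += snprintf(buf + len, PCH_REGS_BUFSIZE - len,
+len += scnprintf(buf + len, PCH_REGS_BUFSIZE - len,
 "LCR: \t0x%02x\n", ioread8(priv->membase + UART_LCR));
-len += snprintf(buf + len, PCH_REGS_BUFSIZE - len,
+len += scnprintf(buf + len, PCH_REGS_BUFSIZE - len,
 "MCR: \t0x%02x\n", ioread8(priv->membase + UART_MCR));
-len += snprintf(buf + len, PCH_REGS_BUFSIZE - len,
+len += scnprintf(buf + len, PCH_REGS_BUFSIZE - len,
 "LSR: \t0x%02x\n", ioread8(priv->membase + UART_LSR));
-len += snprintf(buf + len, PCH_REGS_BUFSIZE - len,
+len += scnprintf(buf + len, PCH_REGS_BUFSIZE - len,
 "MSR: \t0x%02x\n", ioread8(priv->membase + UART_MSR));
-len += snprintf(buf + len, PCH_REGS_BUFSIZE - len,
+len += scnprintf(buf + len, PCH_REGS_BUFSIZE - len,
 "BRCSR: \t0x%02x\n",
 ioread8(priv->membase + PCH_UART_BRCSR));
 
 lcr = ioread8(priv->membase + UART_LCR);
 iowrite8(PCH_UART_LCR_DLAB, priv->membase + UART_LCR);
-len += snprintf(buf + len, PCH_REGS_BUFSIZE - len,
+len += scnprintf(buf + len, PCH_REGS_BUFSIZE - len,
 "DLL: \t0x%02x\n", ioread8(priv->membase + UART_DLL));
-len += snprintf(buf + len, PCH_REGS_BUFSIZE - len,
+len += scnprintf(buf + len, PCH_REGS_BUFSIZE - len,
 "DLM: \t0x%02x\n", ioread8(priv->membase + UART_DLM));
 iowrite8(lcr, priv->membase + UART_LCR);
 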
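Review bot: The bound `PCH_REGS_BUFSIZE - len` repeated at all eleven call sites is safe only because scnprintf() returns the bytes actually stored, and nothing in the code records that invariant. A one-line comment above the first call, `/* scnprintf() returns bytes written, so len stays below PCH_REGS_BUFSIZE */`, would keep a later edit from reintroducing snprintf() and letting the size argument go negative or wrap. Truncation is now silent, so if the dump ever outgrows the buffer the trailing registers simply disappear from the output; a size check or a comment on how PCH_REGS_BUFSIZE was chosen would help. Separately, the context lines set `PCH_UART_LCR_DLAB` and then restore `lcr` with no lock taken inside the hunk. If this reader can run while the port is active, the DLL/DLM reads probably belong under the port lock, though the function starts and ends outside the hunk and a lock may be held there.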