s390/zcrypt: Use scnprintf() for avoiding potential buffer overflow

Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

kernel os linux

Since snprintf() returns the would-be-output size instead of the
actual output size, the succeeding calls may go beyond the given
buffer limit. Fix it by replacing with scnprintf().

Message-Id: <20200311090915.21059-1-tiwai@suse.de>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Harald Freudenberger <freude@linux.ibm.com>
Signed-off-by: Vasily Gorbik <gor@linux.ibm.com>

authored by

Takashi Iwai and committed by

Vasily Gorbik 6 years ago eb3e064b 52aeda7a

+21 -19

1 changed file

expand all

drivers

s390

crypto

zcrypt_cex4.c

+21 -19

drivers/s390/crypto/zcrypt_cex4.c

··· 128 128 n = snprintf(buf, PAGE_SIZE, "AES NEW: - -\n"); 129 129 130 130 if (ci.cur_mk_state >= '1' && ci.cur_mk_state <= '2') 131 - n += snprintf(buf + n, PAGE_SIZE - n, "AES CUR: %s 0x%016llx\n", 132 - cao_state[ci.cur_mk_state - '1'], ci.cur_mkvp); 131 + n += scnprintf(buf + n, PAGE_SIZE - n, 132 + "AES CUR: %s 0x%016llx\n", 133 + cao_state[ci.cur_mk_state - '1'], ci.cur_mkvp); 133 134 else 134 - n += snprintf(buf + n, PAGE_SIZE - n, "AES CUR: - -\n"); 135 + n += scnprintf(buf + n, PAGE_SIZE - n, "AES CUR: - -\n"); 135 136 136 137 if (ci.old_mk_state >= '1' && ci.old_mk_state <= '2') 137 - n += snprintf(buf + n, PAGE_SIZE - n, "AES OLD: %s 0x%016llx\n", 138 - cao_state[ci.old_mk_state - '1'], ci.old_mkvp); 138 + n += scnprintf(buf + n, PAGE_SIZE - n, 139 + "AES OLD: %s 0x%016llx\n", 140 + cao_state[ci.old_mk_state - '1'], ci.old_mkvp); 139 141 else 140 - n += snprintf(buf + n, PAGE_SIZE - n, "AES OLD: - -\n"); 142 + n += scnprintf(buf + n, PAGE_SIZE - n, "AES OLD: - -\n"); 141 143 142 144 return n; 143 145 } ··· 253 251 if (ci.op_mode & (1 << ep11_op_modes[i].mode_bit)) { 254 252 if (n > 0) 255 253 buf[n++] = ' '; 256 - n += snprintf(buf + n, PAGE_SIZE - n, 257 - "%s", ep11_op_modes[i].mode_txt); 254 + n += scnprintf(buf + n, PAGE_SIZE - n, 255 + "%s", ep11_op_modes[i].mode_txt); 258 256 } 259 257 } 260 - n += snprintf(buf + n, PAGE_SIZE - n, "\n"); 258 + n += scnprintf(buf + n, PAGE_SIZE - n, "\n"); 261 259 262 260 return n; 263 261 } ··· 307 305 cwk_state[di.cur_wk_state - '0']); 308 306 bin2hex(buf + n, di.cur_wkvp, sizeof(di.cur_wkvp)); 309 307 n += 2 * sizeof(di.cur_wkvp); 310 - n += snprintf(buf + n, PAGE_SIZE - n, "\n"); 308 + n += scnprintf(buf + n, PAGE_SIZE - n, "\n"); 311 309 } else 312 310 n = snprintf(buf, PAGE_SIZE, "WK CUR: - -\n"); 313 311 314 312 if (di.new_wk_state == '0') { 315 - n += snprintf(buf + n, PAGE_SIZE - n, "WK NEW: %s -\n", 316 - nwk_state[di.new_wk_state - '0']); 313 + n += scnprintf(buf + n, PAGE_SIZE - n, "WK NEW: %s -\n", 314 + nwk_state[di.new_wk_state - '0']); 317 315 } else if (di.new_wk_state >= '1' && di.new_wk_state <= '2') { 318 - n += snprintf(buf + n, PAGE_SIZE - n, "WK NEW: %s 0x", 319 - nwk_state[di.new_wk_state - '0']); 316 + n += scnprintf(buf + n, PAGE_SIZE - n, "WK NEW: %s 0x", 317 + nwk_state[di.new_wk_state - '0']); 320 318 bin2hex(buf + n, di.new_wkvp, sizeof(di.new_wkvp)); 321 319 n += 2 * sizeof(di.new_wkvp); 322 - n += snprintf(buf + n, PAGE_SIZE - n, "\n"); 320 + n += scnprintf(buf + n, PAGE_SIZE - n, "\n"); 323 321 } else 324 - n += snprintf(buf + n, PAGE_SIZE - n, "WK NEW: - -\n"); 322 + n += scnprintf(buf + n, PAGE_SIZE - n, "WK NEW: - -\n"); 325 323 326 324 return n; 327 325 } ··· 348 346 if (di.op_mode & (1 << ep11_op_modes[i].mode_bit)) { 349 347 if (n > 0) 350 348 buf[n++] = ' '; 351 - n += snprintf(buf + n, PAGE_SIZE - n, 352 - "%s", ep11_op_modes[i].mode_txt); 349 + n += scnprintf(buf + n, PAGE_SIZE - n, 350 + "%s", ep11_op_modes[i].mode_txt); 353 351 } 354 352 } 355 - n += snprintf(buf + n, PAGE_SIZE - n, "\n"); 353 + n += scnprintf(buf + n, PAGE_SIZE - n, "\n"); 356 354 357 355 return n; 358 356 }