
mmc: core: use sysfs_emit() instead of sprintf()

sprintf() (still used in the MMC core for the sysfs output) is vulnerable
to the buffer overflow. Use the new-fangled sysfs_emit() instead.

Found by Linux Verification Center (linuxtesting.org) with the SVACE static
analysis tool.

Signed-off-by: Sergey Shtylyov <s.shtylyov@omp.ru>
Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/r/717729b2-d65b-c72e-9fac-471d28d00b5a@omp.ru
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>

authored by

Sergey Shtylyov and committed by
Ulf Hansson
f5d8a5fe 75a2f412

+33 -30
+5 -4
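--- a/drivers/mmc/core/bus.c
+++ b/drivers/mmc/core/bus.c
@@ -15,6 +15,7 @@
 #include <linux/stat.h>
 #include <linux/of.h>
 #include <linux/pm_runtime.h>
+#include <linux/sysfs.h>
 
 #include <linux/mmc/card.h>
 #include <linux/mmc/host.h>
@@ -34,13 +35,13 @@
 
 switch (card->type) {
 case MMC_TYPE_MMC:
-return sprintf(buf, "MMC\n");
+return sysfs_emit(buf, "MMC\n");
 case MMC_TYPE_SD:
-return sprintf(buf, "SD\n");
+return sysfs_emit(buf, "SD\n");
 case MMC_TYPE_SDIO:
-return sprintf(buf, "SDIO\n");
+return sysfs_emit(buf, "SDIO\n");
 case MMC_TYPE_SD_COMBO:
-return sprintf(buf, "SDcombo\n");
+return sysfs_emit(buf, "SDcombo\n");
 default:
 return -EFAULT;
 }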
+2 -1
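--- a/drivers/mmc/core/bus.h
+++ b/drivers/mmc/core/bus.h
@@ -9,6 +9,7 @@
 #define _MMC_CORE_BUS_H
 
 #include <linux/device.h>
+#include <linux/sysfs.h>
 
 struct mmc_host;
 struct mmc_card;
@@ -17,7 +18,7 @@
 static ssize_t mmc_##name##_show (struct device *dev, struct device_attribute *attr, char *buf) \
 { \
 struct mmc_card *card = mmc_dev_to_card(dev); \
-return sprintf(buf, fmt, args); \
+return sysfs_emit(buf, fmt, args); \
 } \
 static DEVICE_ATTR(name, S_IRUGO, mmc_##name##_show, NULL)
 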
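Review bot: The attribute macro in the second hunk has no comment stating its contract, and after this change every attribute generated from it depends on sysfs_emit() semantics: output is capped at PAGE_SIZE, and `buf` has to be the page-aligned buffer that sysfs hands to a show callback. A short comment above the macro would record that, e.g. `/* expands to a sysfs show() callback; fmt should end in "\n", output is bounded to PAGE_SIZE by sysfs_emit() */`. The `#define` line is above the hunk, so how `fmt` and `args` are declared cannot be checked from here. The field macro in sdio_bus.c (`format_string, args`) follows the same pattern and would benefit from the same comment.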
+8 -8
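--- a/drivers/mmc/core/mmc.c
+++ b/drivers/mmc/core/mmc.c
@@ -12,6 +12,7 @@
 #include <linux/slab.h>
 #include <linux/stat.h>
 #include <linux/pm_runtime.h>
+#include <linux/sysfs.h>
 
 #include <linux/mmc/host.h>
 #include <linux/mmc/card.h>
@@ -812,12 +813,11 @@
 {
 struct mmc_card *card = mmc_dev_to_card(dev);
 
-if (card->ext_csd.rev < 7) {
-return sprintf(buf, "0x%x\n", card->cid.fwrev);
-} else {
-return sprintf(buf, "0x%*phN\n", MMC_FIRMWARE_LEN,
-card->ext_csd.fwrev);
-}
+if (card->ext_csd.rev < 7)
+return sysfs_emit(buf, "0x%x\n", card->cid.fwrev);
+else
+return sysfs_emit(buf, "0x%*phN\n", MMC_FIRMWARE_LEN,
+card->ext_csd.fwrev);
 }
 
 static DEVICE_ATTR(fwrev, S_IRUGO, mmc_fwrev_show, NULL);
@@ -830,10 +830,10 @@
 struct mmc_host *host = card->host;
 
 if (card->csd.dsr_imp && host->dsr_req)
-return sprintf(buf, "0x%x\n", host->dsr);
+return sysfs_emit(buf, "0x%x\n", host->dsr);
 else
 /* return default DSR value */
-return sprintf(buf, "0x%x\n", 0x404);
+return sysfs_emit(buf, "0x%x\n", 0x404);
 }
 
 static DEVICE_ATTR(dsr, S_IRUGO, mmc_dsr_show, NULL);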
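Review bot: Both show bodies touched in this file keep an `else` after a `return`, while the copy of mmc_dsr_show in sd.c is rewritten by this same commit without it, so the two mmc_dsr_show bodies now differ in shape for no functional reason. In the last hunk I would drop the `else` and write `return sysfs_emit(buf, "0x%x\n", host->dsr);` under the `if`, then the comment and `return sysfs_emit(buf, "0x%x\n", 0x404);` at function level; the fwrev hunk can be flattened the same way. The default DSR value `0x404` is a bare literal repeated in mmc.c and sd.c, and a shared named constant would keep the two from drifting apart. Both function signatures are outside the hunks shown.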
+11 -12
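--- a/drivers/mmc/core/sd.c
+++ b/drivers/mmc/core/sd.c
@@ -13,6 +13,7 @@
 #include <linux/stat.h>
 #include <linux/pm_runtime.h>
 #include <linux/scatterlist.h>
+#include <linux/sysfs.h>
 
 #include <linux/mmc/host.h>
 #include <linux/mmc/card.h>
@@ -708,18 +709,16 @@
 MMC_DEV_ATTR(rca, "0x%04x\n", card->rca);
 
 
-static ssize_t mmc_dsr_show(struct device *dev,
-struct device_attribute *attr,
-char *buf)
+static ssize_t mmc_dsr_show(struct device *dev, struct device_attribute *attr,
+char *buf)
 {
-struct mmc_card *card = mmc_dev_to_card(dev);
-struct mmc_host *host = card->host;
+struct mmc_card *card = mmc_dev_to_card(dev);
+struct mmc_host *host = card->host;
 
-if (card->csd.dsr_imp && host->dsr_req)
-return sprintf(buf, "0x%x\n", host->dsr);
-else
-/* return default DSR value */
-return sprintf(buf, "0x%x\n", 0x404);
+if (card->csd.dsr_imp && host->dsr_req)
+return sysfs_emit(buf, "0x%x\n", host->dsr);
+/* return default DSR value */
+return sysfs_emit(buf, "0x%x\n", 0x404);
 }
 
 static DEVICE_ATTR(dsr, S_IRUGO, mmc_dsr_show, NULL);
@@ -735,9 +734,9 @@
 \
 if (num > card->num_info) \
 return -ENODATA; \
-if (!card->info[num-1][0]) \
+if (!card->info[num - 1][0]) \
 return 0; \
-return sprintf(buf, "%s\n", card->info[num - 1]); \
+return sysfs_emit(buf, "%s\n", card->info[num - 1]); \
 } \
 static DEVICE_ATTR_RO(info##num)
 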
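Review bot: The `info##num` body in the last hunk is the one place in this commit where the output length is not fixed by the format string, and nothing in the code says so: `%s` prints `card->info[num - 1]`, whose origin and maximum length are not visible here (presumably strings read from the card). sysfs_emit() caps the write at PAGE_SIZE, which is the real hardening in this hunk, but an over-long string is then cut silently and loses its trailing newline. I would record that next to the return with a comment such as `/* info[] length is not bounded here; sysfs_emit() truncates at PAGE_SIZE */` (with the line continuation the macro needs). The same body is repeated in sdio.c and, for `func->info`, in sdio_bus.c; the macro header is above the hunk, so the assumption that `num` is at least 1 for the `num - 1` index cannot be confirmed from these lines.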
+3 -2
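--- a/drivers/mmc/core/sdio.c
+++ b/drivers/mmc/core/sdio.c
@@ -7,6 +7,7 @@
 
 #include <linux/err.h>
 #include <linux/pm_runtime.h>
+#include <linux/sysfs.h>
 
 #include <linux/mmc/host.h>
 #include <linux/mmc/card.h>
@@ -40,9 +41,9 @@
 \
 if (num > card->num_info) \
 return -ENODATA; \
-if (!card->info[num-1][0]) \
+if (!card->info[num - 1][0]) \
 return 0; \
-return sprintf(buf, "%s\n", card->info[num-1]); \
+return sysfs_emit(buf, "%s\n", card->info[num - 1]); \
 } \
 static DEVICE_ATTR_RO(info##num)
 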
+4 -3
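--- a/drivers/mmc/core/sdio_bus.c
+++ b/drivers/mmc/core/sdio_bus.c
@@ -14,6 +14,7 @@
 #include <linux/pm_runtime.h>
 #include <linux/pm_domain.h>
 #include <linux/acpi.h>
+#include <linux/sysfs.h>
 
 #include <linux/mmc/card.h>
 #include <linux/mmc/host.h>
@@ -35,7 +36,7 @@
 struct sdio_func *func; \
 \
 func = dev_to_sdio_func (dev); \
-return sprintf(buf, format_string, args); \
+return sysfs_emit(buf, format_string, args); \
 } \
 static DEVICE_ATTR_RO(field)
 
@@ -52,9 +53,9 @@
 \
 if (num > func->num_info) \
 return -ENODATA; \
-if (!func->info[num-1][0]) \
+if (!func->info[num - 1][0]) \
 return 0; \
-return sprintf(buf, "%s\n", func->info[num-1]); \
+return sysfs_emit(buf, "%s\n", func->info[num - 1]); \
 } \
 static DEVICE_ATTR_RO(info##num)
 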