shinys000114/linux
1
0
Fork 0
mirror of https://github.com/hardkernel/linux.git synced 2026-06-06 02:50:49 +09:00
Code Issues Packages Projects Releases Wiki Activity

iommu/omap: Fix buffer overflow in debugfs

Browse Source 
[ Upstream commit 184233a520 ]

There are two issues here:

1) The "len" variable needs to be checked before the very first write.
   Otherwise if omap2_iommu_dump_ctx() with "bytes" less than 32 it is a
   buffer overflow.
2) The snprintf() function returns the number of bytes that *would* have
   been copied if there were enough space.  But we want to know the
   number of bytes which were *actually* copied so use scnprintf()
   instead.

Fixes: bd4396f09a ("iommu/omap: Consolidate OMAP IOMMU modules")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Reviewed-by: Robin Murphy <robin.murphy@arm.com>
Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
Link: https://lore.kernel.org/r/YuvYh1JbE3v+abd5@kili
Signed-off-by: Joerg Roedel <jroedel@suse.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
This commit is contained in:
Dan Carpenter
2022-08-04 17:32:39 +03:00
committed by Greg Kroah-Hartman
parent cfde58a8e4
commit 2fee0dbfae
1 changed files with 3 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
drivers/iommu/omap-iommu-debug.c
View File

@@ -32,12 +32,12 @@ static inline bool is_omap_iommu_detached(struct omap_iommu *obj)
ssize_t bytes; \ ssize_t bytes; \
const char *str = "%20s: %08x\n"; \ const char *str = "%20s: %08x\n"; \
const int maxcol = 32; \ const int maxcol = 32; \
bytes = snprintf(p, maxcol, str, __stringify(name), \ if (len < maxcol) \
goto out; \
bytes = scnprintf(p, maxcol, str, __stringify(name), \
iommu_read_reg(obj, MMU_##name)); \ iommu_read_reg(obj, MMU_##name)); \
p += bytes; \ p += bytes; \
len -= bytes; \ len -= bytes; \
if (len < maxcol) \
goto out; \
} while (0) } while (0)
static ssize_t static ssize_t