On Sat, Jan 12, 2019 at 7:28 AM Willy Tarreau <[email protected]> wrote: > > From: Silvio Cesare <[email protected]> > > Change snprintf to scnprintf. There are generally two cases where using > snprintf causes problems. > > 1) Uses of size += snprintf(buf, SIZE - size, fmt, ...) > In this case, if snprintf would have written more characters than what the > buffer size (SIZE) is, then size will end up larger than SIZE. In later > uses of snprintf, SIZE - size will result in a negative number, leading > to problems. Note that size might already be too large by using > size = snprintf before the code reaches a case of size += snprintf. > > 2) If size is ultimately used as a length parameter for a copy back to user > space, then it will potentially allow for a buffer overflow and information > disclosure when size is greater than SIZE. When the size is used to index > the buffer directly, we can have memory corruption. This also means when > size = snprintf... is used, it may also cause problems since size may become > large. Copying to userspace is mitigated by the HARDENED_USERCOPY kernel > configuration. > > The solution to these issues is to use scnprintf which returns the number of > characters actually written to the buffer, so the size variable will never > exceed SIZE. > > Signed-off-by: Silvio Cesare <[email protected]> > Cc: Mark Brown <[email protected]> > Cc: Dan Carpenter <[email protected]> > Cc: Kees Cook <[email protected]> > Cc: Will Deacon <[email protected]> > Cc: Greg KH <[email protected]> > Signed-off-by: Willy Tarreau <[email protected]>
Reviewed-by: Kees Cook <[email protected]> -Kees > > --- > drivers/spi/spi-dw.c | 36 ++++++++++++++++++------------------ > 1 file changed, 18 insertions(+), 18 deletions(-) > > diff --git a/drivers/spi/spi-dw.c b/drivers/spi/spi-dw.c > index b705f2bdb8b9..008d52d37439 100644 > --- a/drivers/spi/spi-dw.c > +++ b/drivers/spi/spi-dw.c > @@ -54,41 +54,41 @@ static ssize_t dw_spi_show_regs(struct file *file, char > __user *user_buf, > if (!buf) > return 0; > > - len += snprintf(buf + len, SPI_REGS_BUFSIZE - len, > + len += scnprintf(buf + len, SPI_REGS_BUFSIZE - len, > "%s registers:\n", dev_name(&dws->master->dev)); > - len += snprintf(buf + len, SPI_REGS_BUFSIZE - len, > + len += scnprintf(buf + len, SPI_REGS_BUFSIZE - len, > "=================================\n"); > - len += snprintf(buf + len, SPI_REGS_BUFSIZE - len, > + len += scnprintf(buf + len, SPI_REGS_BUFSIZE - len, > "CTRL0: \t\t0x%08x\n", dw_readl(dws, DW_SPI_CTRL0)); > - len += snprintf(buf + len, SPI_REGS_BUFSIZE - len, > + len += scnprintf(buf + len, SPI_REGS_BUFSIZE - len, > "CTRL1: \t\t0x%08x\n", dw_readl(dws, DW_SPI_CTRL1)); > - len += snprintf(buf + len, SPI_REGS_BUFSIZE - len, > + len += scnprintf(buf + len, SPI_REGS_BUFSIZE - len, > "SSIENR: \t0x%08x\n", dw_readl(dws, DW_SPI_SSIENR)); > - len += snprintf(buf + len, SPI_REGS_BUFSIZE - len, > + len += scnprintf(buf + len, SPI_REGS_BUFSIZE - len, > "SER: \t\t0x%08x\n", dw_readl(dws, DW_SPI_SER)); > - len += snprintf(buf + len, SPI_REGS_BUFSIZE - len, > + len += scnprintf(buf + len, SPI_REGS_BUFSIZE - len, > "BAUDR: \t\t0x%08x\n", dw_readl(dws, DW_SPI_BAUDR)); > - len += snprintf(buf + len, SPI_REGS_BUFSIZE - len, > + len += scnprintf(buf + len, SPI_REGS_BUFSIZE - len, > "TXFTLR: \t0x%08x\n", dw_readl(dws, DW_SPI_TXFLTR)); > - len += snprintf(buf + len, SPI_REGS_BUFSIZE - len, > + len += scnprintf(buf + len, SPI_REGS_BUFSIZE - len, > "RXFTLR: \t0x%08x\n", dw_readl(dws, DW_SPI_RXFLTR)); > - len += snprintf(buf + len, SPI_REGS_BUFSIZE - len, > + len += scnprintf(buf + len, SPI_REGS_BUFSIZE - len, > "TXFLR: \t\t0x%08x\n", dw_readl(dws, DW_SPI_TXFLR)); > - len += snprintf(buf + len, SPI_REGS_BUFSIZE - len, > + len += scnprintf(buf + len, SPI_REGS_BUFSIZE - len, > "RXFLR: \t\t0x%08x\n", dw_readl(dws, DW_SPI_RXFLR)); > - len += snprintf(buf + len, SPI_REGS_BUFSIZE - len, > + len += scnprintf(buf + len, SPI_REGS_BUFSIZE - len, > "SR: \t\t0x%08x\n", dw_readl(dws, DW_SPI_SR)); > - len += snprintf(buf + len, SPI_REGS_BUFSIZE - len, > + len += scnprintf(buf + len, SPI_REGS_BUFSIZE - len, > "IMR: \t\t0x%08x\n", dw_readl(dws, DW_SPI_IMR)); > - len += snprintf(buf + len, SPI_REGS_BUFSIZE - len, > + len += scnprintf(buf + len, SPI_REGS_BUFSIZE - len, > "ISR: \t\t0x%08x\n", dw_readl(dws, DW_SPI_ISR)); > - len += snprintf(buf + len, SPI_REGS_BUFSIZE - len, > + len += scnprintf(buf + len, SPI_REGS_BUFSIZE - len, > "DMACR: \t\t0x%08x\n", dw_readl(dws, DW_SPI_DMACR)); > - len += snprintf(buf + len, SPI_REGS_BUFSIZE - len, > + len += scnprintf(buf + len, SPI_REGS_BUFSIZE - len, > "DMATDLR: \t0x%08x\n", dw_readl(dws, DW_SPI_DMATDLR)); > - len += snprintf(buf + len, SPI_REGS_BUFSIZE - len, > + len += scnprintf(buf + len, SPI_REGS_BUFSIZE - len, > "DMARDLR: \t0x%08x\n", dw_readl(dws, DW_SPI_DMARDLR)); > - len += snprintf(buf + len, SPI_REGS_BUFSIZE - len, > + len += scnprintf(buf + len, SPI_REGS_BUFSIZE - len, > "=================================\n"); > > ret = simple_read_from_buffer(user_buf, count, ppos, buf, len); > -- > 2.19.2 > -- Kees Cook
