diff options
| author | Dan Carpenter <dan.carpenter@oracle.com> | 2022-08-04 16:32:39 +0200 |
|---|---|---|
| committer | Joerg Roedel <jroedel@suse.de> | 2022-09-07 10:42:28 +0200 |
| commit | 184233a5202786b20220acd2d04ddf909ef18f29 (patch) | |
| tree | 87e2ab8062ecb66030ab910f7bac198a8623ae56 /drivers/iommu | |
| parent | Linux 6.0-rc4 (diff) | |
| download | linux-184233a5202786b20220acd2d04ddf909ef18f29.tar.xz linux-184233a5202786b20220acd2d04ddf909ef18f29.zip | |
iommu/omap: Fix buffer overflow in debugfs
There are two issues here:
1) The "len" variable needs to be checked before the very first write.
Otherwise if omap2_iommu_dump_ctx() with "bytes" less than 32 it is a
buffer overflow.
2) The snprintf() function returns the number of bytes that *would* have
been copied if there were enough space. But we want to know the
number of bytes which were *actually* copied so use scnprintf()
instead.
Fixes: bd4396f09a4a ("iommu/omap: Consolidate OMAP IOMMU modules")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Reviewed-by: Robin Murphy <robin.murphy@arm.com>
Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
Link: https://lore.kernel.org/r/YuvYh1JbE3v+abd5@kili
Signed-off-by: Joerg Roedel <jroedel@suse.de>
Diffstat (limited to 'drivers/iommu')
| -rw-r--r-- | drivers/iommu/omap-iommu-debug.c | 6 |
1 files changed, 3 insertions, 3 deletions
diff --git a/drivers/iommu/omap-iommu-debug.c b/drivers/iommu/omap-iommu-debug.c index a99afb5d9011..259f65291d90 100644 --- a/drivers/iommu/omap-iommu-debug.c +++ b/drivers/iommu/omap-iommu-debug.c @@ -32,12 +32,12 @@ static inline bool is_omap_iommu_detached(struct omap_iommu *obj) ssize_t bytes; \ const char *str = "%20s: %08x\n"; \ const int maxcol = 32; \ - bytes = snprintf(p, maxcol, str, __stringify(name), \ + if (len < maxcol) \ + goto out; \ + bytes = scnprintf(p, maxcol, str, __stringify(name), \ iommu_read_reg(obj, MMU_##name)); \ p += bytes; \ len -= bytes; \ - if (len < maxcol) \ - goto out; \ } while (0) static ssize_t |