[PATCH] iommu/omap: fix buffer overflow in debugfs

[PATCH] iommu/omap: fix buffer overflow in debugfs

[Dan Carpenter]

There are two issues here:

1) The "len" variable needs to be checked before the very first write.
   Otherwise if omap2_iommu_dump_ctx() with "bytes" less than 32 it is a
   buffer overflow.
2) The snprintf() function returns the number of bytes that *would* have
   been copied if there were enough space.  But we want to know the
   number of bytes which were *actually* copied so use scnprintf()
   instead.

Fixes: bd4396f09a4a ("iommu/omap: Consolidate OMAP IOMMU modules")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
---
 drivers/iommu/omap-iommu-debug.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/drivers/iommu/omap-iommu-debug.c b/drivers/iommu/omap-iommu-debug.c
index a99afb5d9011..259f65291d90 100644
--- a/drivers/iommu/omap-iommu-debug.c
+++ b/drivers/iommu/omap-iommu-debug.c
@@ -32,12 +32,12 @@ static inline bool is_omap_iommu_detached(struct omap_iommu *obj)
 		ssize_t bytes;						\
 		const char *str = "%20s: %08x\n";			\
 		const int maxcol = 32;					\
-		bytes = snprintf(p, maxcol, str, __stringify(name),	\
+		if (len < maxcol)					\
+			goto out;					\
+		bytes = scnprintf(p, maxcol, str, __stringify(name),	\
 				 iommu_read_reg(obj, MMU_##name));	\
 		p += bytes;						\
 		len -= bytes;						\
-		if (len < maxcol)					\
-			goto out;					\
 	} while (0)
 
 static ssize_t
-- 
2.35.1

Re: [PATCH] iommu/omap: fix buffer overflow in debugfs

[Laurent Pinchart]

Hi Dan,

Thank you for the patch.

On Thu, Aug 04, 2022 at 05:32:39PM +0300, Dan Carpenter wrote:
> There are two issues here:
> 
> 1) The "len" variable needs to be checked before the very first write.
>    Otherwise if omap2_iommu_dump_ctx() with "bytes" less than 32 it is a
>    buffer overflow.
> 2) The snprintf() function returns the number of bytes that *would* have
>    been copied if there were enough space.  But we want to know the
>    number of bytes which were *actually* copied so use scnprintf()
>    instead.
> 
> Fixes: bd4396f09a4a ("iommu/omap: Consolidate OMAP IOMMU modules")
> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
> ---
>  drivers/iommu/omap-iommu-debug.c | 6 +++---
>  1 file changed, 3 insertions(+), 3 deletions(-)
> 
> diff --git a/drivers/iommu/omap-iommu-debug.c b/drivers/iommu/omap-iommu-debug.c
> index a99afb5d9011..259f65291d90 100644
> --- a/drivers/iommu/omap-iommu-debug.c
> +++ b/drivers/iommu/omap-iommu-debug.c
> @@ -32,12 +32,12 @@ static inline bool is_omap_iommu_detached(struct omap_iommu *obj)
>  		ssize_t bytes;						\
>  		const char *str = "%20s: %08x\n";			\
>  		const int maxcol = 32;					\
> -		bytes = snprintf(p, maxcol, str, __stringify(name),	\
> +		if (len < maxcol)					\
> +			goto out;					\
> +		bytes = scnprintf(p, maxcol, str, __stringify(name),	\
>  				 iommu_read_reg(obj, MMU_##name));	\
>  		p += bytes;						\
>  		len -= bytes;						\
> -		if (len < maxcol)					\
> -			goto out;					\
>  	} while (0)

This could would really benefit from being rewritten using a static
table of register name and offset and a loop that iterates over it.
Still, this is a valid bug fix, so

Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>

>  static ssize_t

-- 
Regards,

Laurent Pinchart

Re: [PATCH] iommu/omap: fix buffer overflow in debugfs

[Robin Murphy]

On 04/08/2022 3:32 pm, Dan Carpenter wrote:
> There are two issues here:
> 
> 1) The "len" variable needs to be checked before the very first write.
>     Otherwise if omap2_iommu_dump_ctx() with "bytes" less than 32 it is a
>     buffer overflow.
> 2) The snprintf() function returns the number of bytes that *would* have
>     been copied if there were enough space.  But we want to know the
>     number of bytes which were *actually* copied so use scnprintf()
>     instead.
> 
> Fixes: bd4396f09a4a ("iommu/omap: Consolidate OMAP IOMMU modules")

FWIW I think this has actually been broken since day one back in 
14e0e6796a0d, but I'm also not inclined to care that much - 2014 is 
already plenty long ago.

> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
> ---
>   drivers/iommu/omap-iommu-debug.c | 6 +++---
>   1 file changed, 3 insertions(+), 3 deletions(-)
> 
> diff --git a/drivers/iommu/omap-iommu-debug.c b/drivers/iommu/omap-iommu-debug.c
> index a99afb5d9011..259f65291d90 100644
> --- a/drivers/iommu/omap-iommu-debug.c
> +++ b/drivers/iommu/omap-iommu-debug.c
> @@ -32,12 +32,12 @@ static inline bool is_omap_iommu_detached(struct omap_iommu *obj)
>   		ssize_t bytes;						\
>   		const char *str = "%20s: %08x\n";			\
>   		const int maxcol = 32;					\
> -		bytes = snprintf(p, maxcol, str, __stringify(name),	\
> +		if (len < maxcol)					\
> +			goto out;					\
> +		bytes = scnprintf(p, maxcol, str, __stringify(name),	\
>   				 iommu_read_reg(obj, MMU_##name));	\

I suppose snprintf is OK in practice since none of the names are 
anywhere near 20 characters long anyway, but I agree it's better to be 
obviously foolproof. Frankly this code is all kinds of horrible anyway, 
and deserves ripping out and replacing with a simple seq_file, but for 
this fix as a fix,

Reviewed-by: Robin Murphy <robin.murphy@arm.com>

Cheers,
Robin.

>   		p += bytes;						\
>   		len -= bytes;						\
> -		if (len < maxcol)					\
> -			goto out;					\
>   	} while (0)
>   
>   static ssize_t

Re: [PATCH] iommu/omap: fix buffer overflow in debugfs

[Dan Carpenter]

On Thu, Aug 04, 2022 at 05:31:39PM +0100, Robin Murphy wrote:
> On 04/08/2022 3:32 pm, Dan Carpenter wrote:
> > There are two issues here:
> > 
> > 1) The "len" variable needs to be checked before the very first write.
> >     Otherwise if omap2_iommu_dump_ctx() with "bytes" less than 32 it is a
> >     buffer overflow.
> > 2) The snprintf() function returns the number of bytes that *would* have
> >     been copied if there were enough space.  But we want to know the
> >     number of bytes which were *actually* copied so use scnprintf()
> >     instead.
> > 
> > Fixes: bd4396f09a4a ("iommu/omap: Consolidate OMAP IOMMU modules")
> 
> FWIW I think this has actually been broken since day one back in
> 14e0e6796a0d, but I'm also not inclined to care that much - 2014 is already
> plenty long ago.
> 

I don't know how I didn't see that.  It's like my eyeballs are broken
sometimes.  Possibly it should be:

Fixes: 14e0e6796a0d ("OMAP: iommu: add initial debugfs support")

Althought that's debatable as well...


> > Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
> > ---
> >   drivers/iommu/omap-iommu-debug.c | 6 +++---
> >   1 file changed, 3 insertions(+), 3 deletions(-)
> > 
> > diff --git a/drivers/iommu/omap-iommu-debug.c b/drivers/iommu/omap-iommu-debug.c
> > index a99afb5d9011..259f65291d90 100644
> > --- a/drivers/iommu/omap-iommu-debug.c
> > +++ b/drivers/iommu/omap-iommu-debug.c
> > @@ -32,12 +32,12 @@ static inline bool is_omap_iommu_detached(struct omap_iommu *obj)
> >   		ssize_t bytes;						\
> >   		const char *str = "%20s: %08x\n";			\
> >   		const int maxcol = 32;					\
> > -		bytes = snprintf(p, maxcol, str, __stringify(name),	\
> > +		if (len < maxcol)					\
> > +			goto out;					\
> > +		bytes = scnprintf(p, maxcol, str, __stringify(name),	\
> >   				 iommu_read_reg(obj, MMU_##name));	\
> 
> I suppose snprintf is OK in practice since none of the names are anywhere
> near 20 characters long anyway, but I agree it's better to be obviously
> foolproof.

The issue with scnprintf() vs snprintf() is not the 32 character limit.
The issue is the "p - buf" math in omap2_iommu_dump_ctx().  The "p"
variable is past the end of the buffer.  The user decides the size of
the buffer so it's a real bug.

regards,
dan carpenter

Re: [PATCH] iommu/omap: fix buffer overflow in debugfs

[Joerg Roedel]

On Thu, Aug 04, 2022 at 05:32:39PM +0300, Dan Carpenter wrote:
>  drivers/iommu/omap-iommu-debug.c | 6 +++---
>  1 file changed, 3 insertions(+), 3 deletions(-)

Applied, thanks.