* [PATCH] crypto: bcm: Use scnprintf() for avoiding potential buffer overflow
@ 2020-03-11 7:15 Takashi Iwai
2020-03-19 16:00 ` Takashi Iwai
2020-03-20 3:50 ` Herbert Xu
0 siblings, 2 replies; 3+ messages in thread
From: Takashi Iwai @ 2020-03-11 7:15 UTC (permalink / raw)
To: Herbert Xu; +Cc: linux-crypto
Since snprintf() returns the would-be-output size instead of the
actual output size, the succeeding calls may go beyond the given
buffer limit. Fix it by replacing with scnprintf().
Signed-off-by: Takashi Iwai <tiwai@suse.de>
---
drivers/crypto/bcm/util.c | 40 ++++++++++++++++++++--------------------
1 file changed, 20 insertions(+), 20 deletions(-)
diff --git a/drivers/crypto/bcm/util.c b/drivers/crypto/bcm/util.c
index cd7504101acd..2b304fc78059 100644
--- a/drivers/crypto/bcm/util.c
+++ b/drivers/crypto/bcm/util.c
@@ -366,88 +366,88 @@ static ssize_t spu_debugfs_read(struct file *filp, char __user *ubuf,
ipriv = filp->private_data;
out_offset = 0;
- out_offset += snprintf(buf + out_offset, out_count - out_offset,
+ out_offset += scnprintf(buf + out_offset, out_count - out_offset,
"Number of SPUs.........%u\n",
ipriv->spu.num_spu);
- out_offset += snprintf(buf + out_offset, out_count - out_offset,
+ out_offset += scnprintf(buf + out_offset, out_count - out_offset,
"Current sessions.......%u\n",
atomic_read(&ipriv->session_count));
- out_offset += snprintf(buf + out_offset, out_count - out_offset,
+ out_offset += scnprintf(buf + out_offset, out_count - out_offset,
"Session count..........%u\n",
atomic_read(&ipriv->stream_count));
- out_offset += snprintf(buf + out_offset, out_count - out_offset,
+ out_offset += scnprintf(buf + out_offset, out_count - out_offset,
"Cipher setkey..........%u\n",
atomic_read(&ipriv->setkey_cnt[SPU_OP_CIPHER]));
- out_offset += snprintf(buf + out_offset, out_count - out_offset,
+ out_offset += scnprintf(buf + out_offset, out_count - out_offset,
"Cipher Ops.............%u\n",
atomic_read(&ipriv->op_counts[SPU_OP_CIPHER]));
for (alg = 0; alg < CIPHER_ALG_LAST; alg++) {
for (mode = 0; mode < CIPHER_MODE_LAST; mode++) {
op_cnt = atomic_read(&ipriv->cipher_cnt[alg][mode]);
if (op_cnt) {
- out_offset += snprintf(buf + out_offset,
+ out_offset += scnprintf(buf + out_offset,
out_count - out_offset,
" %-13s%11u\n",
spu_alg_name(alg, mode), op_cnt);
}
}
}
- out_offset += snprintf(buf + out_offset, out_count - out_offset,
+ out_offset += scnprintf(buf + out_offset, out_count - out_offset,
"Hash Ops...............%u\n",
atomic_read(&ipriv->op_counts[SPU_OP_HASH]));
for (alg = 0; alg < HASH_ALG_LAST; alg++) {
op_cnt = atomic_read(&ipriv->hash_cnt[alg]);
if (op_cnt) {
- out_offset += snprintf(buf + out_offset,
+ out_offset += scnprintf(buf + out_offset,
out_count - out_offset,
" %-13s%11u\n",
hash_alg_name[alg], op_cnt);
}
}
- out_offset += snprintf(buf + out_offset, out_count - out_offset,
+ out_offset += scnprintf(buf + out_offset, out_count - out_offset,
"HMAC setkey............%u\n",
atomic_read(&ipriv->setkey_cnt[SPU_OP_HMAC]));
- out_offset += snprintf(buf + out_offset, out_count - out_offset,
+ out_offset += scnprintf(buf + out_offset, out_count - out_offset,
"HMAC Ops...............%u\n",
atomic_read(&ipriv->op_counts[SPU_OP_HMAC]));
for (alg = 0; alg < HASH_ALG_LAST; alg++) {
op_cnt = atomic_read(&ipriv->hmac_cnt[alg]);
if (op_cnt) {
- out_offset += snprintf(buf + out_offset,
+ out_offset += scnprintf(buf + out_offset,
out_count - out_offset,
" %-13s%11u\n",
hash_alg_name[alg], op_cnt);
}
}
- out_offset += snprintf(buf + out_offset, out_count - out_offset,
+ out_offset += scnprintf(buf + out_offset, out_count - out_offset,
"AEAD setkey............%u\n",
atomic_read(&ipriv->setkey_cnt[SPU_OP_AEAD]));
- out_offset += snprintf(buf + out_offset, out_count - out_offset,
+ out_offset += scnprintf(buf + out_offset, out_count - out_offset,
"AEAD Ops...............%u\n",
atomic_read(&ipriv->op_counts[SPU_OP_AEAD]));
for (alg = 0; alg < AEAD_TYPE_LAST; alg++) {
op_cnt = atomic_read(&ipriv->aead_cnt[alg]);
if (op_cnt) {
- out_offset += snprintf(buf + out_offset,
+ out_offset += scnprintf(buf + out_offset,
out_count - out_offset,
" %-13s%11u\n",
aead_alg_name[alg], op_cnt);
}
}
- out_offset += snprintf(buf + out_offset, out_count - out_offset,
+ out_offset += scnprintf(buf + out_offset, out_count - out_offset,
"Bytes of req data......%llu\n",
(u64)atomic64_read(&ipriv->bytes_out));
- out_offset += snprintf(buf + out_offset, out_count - out_offset,
+ out_offset += scnprintf(buf + out_offset, out_count - out_offset,
"Bytes of resp data.....%llu\n",
(u64)atomic64_read(&ipriv->bytes_in));
- out_offset += snprintf(buf + out_offset, out_count - out_offset,
+ out_offset += scnprintf(buf + out_offset, out_count - out_offset,
"Mailbox full...........%u\n",
atomic_read(&ipriv->mb_no_spc));
- out_offset += snprintf(buf + out_offset, out_count - out_offset,
+ out_offset += scnprintf(buf + out_offset, out_count - out_offset,
"Mailbox send failures..%u\n",
atomic_read(&ipriv->mb_send_fail));
- out_offset += snprintf(buf + out_offset, out_count - out_offset,
+ out_offset += scnprintf(buf + out_offset, out_count - out_offset,
"Check ICV errors.......%u\n",
atomic_read(&ipriv->bad_icv));
if (ipriv->spu.spu_type == SPU_TYPE_SPUM)
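Review bot: the changelog should spell out the failure mode for the `out_count - out_offset` size argument that every call in this hunk passes. Once a truncated snprintf() pushes out_offset past out_count, the next call is handed `buf + out_offset` beyond the end of buf and a size that has gone negative or wrapped, depending on the type of out_count. With scnprintf() out_offset cannot exceed out_count - 1, but anything that does not fit is now dropped silently, and the three per-algorithm loops make the total length variable. Consider stating how out_count is sized against the worst case, or warning when out_offset ends at out_count - 1.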
@@ -455,7 +455,7 @@ static ssize_t spu_debugfs_read(struct file *filp, char __user *ubuf,
spu_ofifo_ctrl = ioread32(ipriv->spu.reg_vbase[i] +
SPU_OFIFO_CTRL);
fifo_len = spu_ofifo_ctrl & SPU_FIFO_WATERMARK;
- out_offset += snprintf(buf + out_offset,
+ out_offset += scnprintf(buf + out_offset,
out_count - out_offset,
"SPU %d output FIFO high water.....%u\n",
i, fifo_len);
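Review bot: the value left in out_offset after this last call, inside the per-SPU loop, is what the rest of spu_debugfs_read() (not visible in this hunk) has to use as the amount of data to hand to `ubuf`. Please confirm in the changelog that the code after the loop treats out_offset as the length of valid data in buf; before this change a truncated snprintf() here could leave out_offset larger than what buf actually holds.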
--
2.16.4
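The return-value difference the commit message describes, modelled in user space as an added example (not code from the patch or the driver). `scnprintf_model()` is a stand-in for the kernel's scnprintf(), and `OUT_COUNT`, the shared `buf` and the line count are constructed for the demonstration.

```c
#include <stdarg.h>
#include <stdio.h>

#define OUT_COUNT 64	/* constructed: small enough that four lines do not fit */
#define LINE "Cipher Ops.............%u\n"	/* format string from the patch */
static char buf[OUT_COUNT];

/* User-space stand-in for the kernel's scnprintf(): returns the bytes
 * actually stored (excluding the NUL), and 0 when size is 0. */
static int scnprintf_model(char *dst, size_t size, const char *fmt, ...)
{
	va_list ap;
	int n;
	if (size == 0)
		return 0;
	va_start(ap, fmt);
	n = vsnprintf(dst, size, fmt, ap);
	va_end(ap);
	if (n < 0)
		return 0;
	return (size_t)n >= size ? (int)(size - 1) : n;
}

/* '-' side of the patch: accumulate snprintf()'s would-be length. */
static size_t offset_with_snprintf(unsigned int lines)
{
	size_t off = 0;
	for (unsigned int i = 0; i < lines; i++) {
		if (off < OUT_COUNT)
			off += snprintf(buf + off, OUT_COUNT - off, LINE, i);
		else	/* the driver pattern would format at buf + off; only measure */
			off += snprintf(NULL, 0, LINE, i);
	}
	return off;
}

/* '+' side of the patch: accumulate the length actually written. */
static size_t offset_with_scnprintf(unsigned int lines)
{
	size_t off = 0;
	for (unsigned int i = 0; i < lines; i++)
		off += scnprintf_model(buf + off, OUT_COUNT - off, LINE, i);
	return off;
}

int main(void)
{
	printf("snprintf: %zu, scnprintf: %zu, buffer: %d\n",
	       offset_with_snprintf(4), offset_with_scnprintf(4), OUT_COUNT);
	return 0;
}
```

The snprintf() variant guards the out-of-range calls only so the demonstration itself stays within `buf`; the offset it reports is the one the unguarded pattern would carry forward.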
* Re: [PATCH] crypto: bcm: Use scnprintf() for avoiding potential buffer overflow
From: Takashi Iwai @ 2020-03-19 16:00 UTC (permalink / raw)
To: Herbert Xu; +Cc: linux-crypto
On Wed, 11 Mar 2020 08:15:06 +0100,
Takashi Iwai wrote:
>
> Since snprintf() returns the would-be-output size instead of the
> actual output size, the succeeding calls may go beyond the given
> buffer limit. Fix it by replacing with scnprintf().
>
> Signed-off-by: Takashi Iwai <tiwai@suse.de>
A gentle reminder for this forgotten patch.
Let me know if any further changes are needed.
thanks,
Takashi
> ---
> drivers/crypto/bcm/util.c | 40 ++++++++++++++++++++--------------------
> 1 file changed, 20 insertions(+), 20 deletions(-)
>
> diff --git a/drivers/crypto/bcm/util.c b/drivers/crypto/bcm/util.c
> index cd7504101acd..2b304fc78059 100644
> --- a/drivers/crypto/bcm/util.c
> +++ b/drivers/crypto/bcm/util.c
> @@ -366,88 +366,88 @@ static ssize_t spu_debugfs_read(struct file *filp, char __user *ubuf,
>
> ipriv = filp->private_data;
> out_offset = 0;
> - out_offset += snprintf(buf + out_offset, out_count - out_offset,
> + out_offset += scnprintf(buf + out_offset, out_count - out_offset,
> "Number of SPUs.........%u\n",
> ipriv->spu.num_spu);
> - out_offset += snprintf(buf + out_offset, out_count - out_offset,
> + out_offset += scnprintf(buf + out_offset, out_count - out_offset,
> "Current sessions.......%u\n",
> atomic_read(&ipriv->session_count));
> - out_offset += snprintf(buf + out_offset, out_count - out_offset,
> + out_offset += scnprintf(buf + out_offset, out_count - out_offset,
> "Session count..........%u\n",
> atomic_read(&ipriv->stream_count));
> - out_offset += snprintf(buf + out_offset, out_count - out_offset,
> + out_offset += scnprintf(buf + out_offset, out_count - out_offset,
> "Cipher setkey..........%u\n",
> atomic_read(&ipriv->setkey_cnt[SPU_OP_CIPHER]));
> - out_offset += snprintf(buf + out_offset, out_count - out_offset,
> + out_offset += scnprintf(buf + out_offset, out_count - out_offset,
> "Cipher Ops.............%u\n",
> atomic_read(&ipriv->op_counts[SPU_OP_CIPHER]));
> for (alg = 0; alg < CIPHER_ALG_LAST; alg++) {
> for (mode = 0; mode < CIPHER_MODE_LAST; mode++) {
> op_cnt = atomic_read(&ipriv->cipher_cnt[alg][mode]);
> if (op_cnt) {
> - out_offset += snprintf(buf + out_offset,
> + out_offset += scnprintf(buf + out_offset,
> out_count - out_offset,
> " %-13s%11u\n",
> spu_alg_name(alg, mode), op_cnt);
> }
> }
> }
> - out_offset += snprintf(buf + out_offset, out_count - out_offset,
> + out_offset += scnprintf(buf + out_offset, out_count - out_offset,
> "Hash Ops...............%u\n",
> atomic_read(&ipriv->op_counts[SPU_OP_HASH]));
> for (alg = 0; alg < HASH_ALG_LAST; alg++) {
> op_cnt = atomic_read(&ipriv->hash_cnt[alg]);
> if (op_cnt) {
> - out_offset += snprintf(buf + out_offset,
> + out_offset += scnprintf(buf + out_offset,
> out_count - out_offset,
> " %-13s%11u\n",
> hash_alg_name[alg], op_cnt);
> }
> }
> - out_offset += snprintf(buf + out_offset, out_count - out_offset,
> + out_offset += scnprintf(buf + out_offset, out_count - out_offset,
> "HMAC setkey............%u\n",
> atomic_read(&ipriv->setkey_cnt[SPU_OP_HMAC]));
> - out_offset += snprintf(buf + out_offset, out_count - out_offset,
> + out_offset += scnprintf(buf + out_offset, out_count - out_offset,
> "HMAC Ops...............%u\n",
> atomic_read(&ipriv->op_counts[SPU_OP_HMAC]));
> for (alg = 0; alg < HASH_ALG_LAST; alg++) {
> op_cnt = atomic_read(&ipriv->hmac_cnt[alg]);
> if (op_cnt) {
> - out_offset += snprintf(buf + out_offset,
> + out_offset += scnprintf(buf + out_offset,
> out_count - out_offset,
> " %-13s%11u\n",
> hash_alg_name[alg], op_cnt);
> }
> }
> - out_offset += snprintf(buf + out_offset, out_count - out_offset,
> + out_offset += scnprintf(buf + out_offset, out_count - out_offset,
> "AEAD setkey............%u\n",
> atomic_read(&ipriv->setkey_cnt[SPU_OP_AEAD]));
>
> - out_offset += snprintf(buf + out_offset, out_count - out_offset,
> + out_offset += scnprintf(buf + out_offset, out_count - out_offset,
> "AEAD Ops...............%u\n",
> atomic_read(&ipriv->op_counts[SPU_OP_AEAD]));
> for (alg = 0; alg < AEAD_TYPE_LAST; alg++) {
> op_cnt = atomic_read(&ipriv->aead_cnt[alg]);
> if (op_cnt) {
> - out_offset += snprintf(buf + out_offset,
> + out_offset += scnprintf(buf + out_offset,
> out_count - out_offset,
> " %-13s%11u\n",
> aead_alg_name[alg], op_cnt);
> }
> }
> - out_offset += snprintf(buf + out_offset, out_count - out_offset,
> + out_offset += scnprintf(buf + out_offset, out_count - out_offset,
> "Bytes of req data......%llu\n",
> (u64)atomic64_read(&ipriv->bytes_out));
> - out_offset += snprintf(buf + out_offset, out_count - out_offset,
> + out_offset += scnprintf(buf + out_offset, out_count - out_offset,
> "Bytes of resp data.....%llu\n",
> (u64)atomic64_read(&ipriv->bytes_in));
> - out_offset += snprintf(buf + out_offset, out_count - out_offset,
> + out_offset += scnprintf(buf + out_offset, out_count - out_offset,
> "Mailbox full...........%u\n",
> atomic_read(&ipriv->mb_no_spc));
> - out_offset += snprintf(buf + out_offset, out_count - out_offset,
> + out_offset += scnprintf(buf + out_offset, out_count - out_offset,
> "Mailbox send failures..%u\n",
> atomic_read(&ipriv->mb_send_fail));
> - out_offset += snprintf(buf + out_offset, out_count - out_offset,
> + out_offset += scnprintf(buf + out_offset, out_count - out_offset,
> "Check ICV errors.......%u\n",
> atomic_read(&ipriv->bad_icv));
> if (ipriv->spu.spu_type == SPU_TYPE_SPUM)
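Review bot: the 19 call sites in this hunk each repeat `buf + out_offset, out_count - out_offset`, so the bound holds only as long as every copy of that expression stays correct. A follow-up that wraps the append in one local helper, or moves this debugfs file to seq_file with seq_printf(), would keep the length accounting in a single place and remove the manual offset arithmetic.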
> @@ -455,7 +455,7 @@ static ssize_t spu_debugfs_read(struct file *filp, char __user *ubuf,
> spu_ofifo_ctrl = ioread32(ipriv->spu.reg_vbase[i] +
> SPU_OFIFO_CTRL);
> fifo_len = spu_ofifo_ctrl & SPU_FIFO_WATERMARK;
> - out_offset += snprintf(buf + out_offset,
> + out_offset += scnprintf(buf + out_offset,
> out_count - out_offset,
> "SPU %d output FIFO high water.....%u\n",
> i, fifo_len);
> --
> 2.16.4
>
* Re: [PATCH] crypto: bcm: Use scnprintf() for avoiding potential buffer overflow
From: Herbert Xu @ 2020-03-20 3:50 UTC (permalink / raw)
To: Takashi Iwai; +Cc: linux-crypto
On Wed, Mar 11, 2020 at 08:15:06AM +0100, Takashi Iwai wrote:
> Since snprintf() returns the would-be-output size instead of the
> actual output size, the succeeding calls may go beyond the given
> buffer limit. Fix it by replacing with scnprintf().
>
> Signed-off-by: Takashi Iwai <tiwai@suse.de>
> ---
> drivers/crypto/bcm/util.c | 40 ++++++++++++++++++++--------------------
> 1 file changed, 20 insertions(+), 20 deletions(-)
Patch applied. Thanks.
--
Email: Herbert Xu <herbert@gondor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt