* [PATCH v2 4/8] ASoC: imx-audmux: change snprintf to scnprintf for possible overflow
@ 2019-01-15 3:27 Willy Tarreau
2019-01-15 4:53 ` Gustavo A. R. Silva
2019-01-15 19:08 ` Applied "ASoC: imx-audmux: change snprintf to scnprintf for possible overflow" to the asoc tree Mark Brown
0 siblings, 2 replies; 3+ messages in thread
From: Willy Tarreau @ 2019-01-15 3:27 UTC (permalink / raw)
To: Silvio Cesare
Cc: linux-kernel, Timur Tabi, Mark Brown, Nicolin Chen, alsa-devel,
Xiubo Li, Fabio Estevam, Dan Carpenter, Kees Cook, Will Deacon,
Greg KH
From: Silvio Cesare <silvio.cesare@gmail.com>
Change snprintf to scnprintf. There are generally two cases where using
snprintf causes problems.
1) Uses of size += snprintf(buf, SIZE - size, fmt, ...)
In this case, if snprintf would have written more characters than what the
buffer size (SIZE) is, then size will end up larger than SIZE. In later
uses of snprintf, SIZE - size will result in a negative number, leading
to problems. Note that size might already be too large by using
size = snprintf before the code reaches a case of size += snprintf.
2) If size is ultimately used as a length parameter for a copy back to user
space, then it will potentially allow for a buffer overflow and information
disclosure when size is greater than SIZE. When the size is used to index
the buffer directly, we can have memory corruption. This also means when
size = snprintf... is used, it may also cause problems since size may become
large. Copying to userspace is mitigated by the HARDENED_USERCOPY kernel
configuration.
The solution to these issues is to use scnprintf which returns the number of
characters actually written to the buffer, so the size variable will never
exceed SIZE.
Signed-off-by: Silvio Cesare <silvio.cesare@gmail.com>
Cc: Timur Tabi <timur@kernel.org>
Cc: Nicolin Chen <nicoleotsuka@gmail.com>
Cc: Mark Brown <broonie@kernel.org>
Cc: Xiubo Li <Xiubo.Lee@gmail.com>
Cc: Fabio Estevam <fabio.estevam@nxp.com>
Cc: Dan Carpenter <dan.carpenter@oracle.com>
Cc: Kees Cook <keescook@chromium.org>
Cc: Will Deacon <will.deacon@arm.com>
Cc: Greg KH <greg@kroah.com>
Signed-off-by: Willy Tarreau <w@1wt.eu>
Acked-by: Nicolin Chen <nicoleotsuka@gmail.com>
Reviewed-by: Kees Cook <keescook@chromium.org>
--
v2:
- adjust subject line
- added alsa-devel & Mark
- added acked-by
- added reviewed-by
The patches in this series were sent by Silvio to the security list
to fix a minor memory disclosure issue after this article was published:
http://blog.infosectcbr.com.au/2018/11/memory-bugs-in-multiple-linux-kernel.html
sound/soc/fsl/imx-audmux.c | 24 ++++++++++++------------
1 file changed, 12 insertions(+), 12 deletions(-)
diff --git a/sound/soc/fsl/imx-audmux.c b/sound/soc/fsl/imx-audmux.c
index 392d5eef356d..99e07b01a2ce 100644
--- a/sound/soc/fsl/imx-audmux.c
+++ b/sound/soc/fsl/imx-audmux.c
@@ -86,49 +86,49 @@ static ssize_t audmux_read_file(struct file *file, char __user *user_buf,
if (!buf)
return -ENOMEM;
- ret = snprintf(buf, PAGE_SIZE, "PDCR: %08x\nPTCR: %08x\n",
+ ret = scnprintf(buf, PAGE_SIZE, "PDCR: %08x\nPTCR: %08x\n",
pdcr, ptcr);
if (ptcr & IMX_AUDMUX_V2_PTCR_TFSDIR)
- ret += snprintf(buf + ret, PAGE_SIZE - ret,
+ ret += scnprintf(buf + ret, PAGE_SIZE - ret,
"TxFS output from %s, ",
audmux_port_string((ptcr >> 27) & 0x7));
else
- ret += snprintf(buf + ret, PAGE_SIZE - ret,
+ ret += scnprintf(buf + ret, PAGE_SIZE - ret,
"TxFS input, ");
if (ptcr & IMX_AUDMUX_V2_PTCR_TCLKDIR)
- ret += snprintf(buf + ret, PAGE_SIZE - ret,
+ ret += scnprintf(buf + ret, PAGE_SIZE - ret,
"TxClk output from %s",
audmux_port_string((ptcr >> 22) & 0x7));
else
- ret += snprintf(buf + ret, PAGE_SIZE - ret,
+ ret += scnprintf(buf + ret, PAGE_SIZE - ret,
"TxClk input");
- ret += snprintf(buf + ret, PAGE_SIZE - ret, "\n");
+ ret += scnprintf(buf + ret, PAGE_SIZE - ret, "\n");
if (ptcr & IMX_AUDMUX_V2_PTCR_SYN) {
- ret += snprintf(buf + ret, PAGE_SIZE - ret,
+ ret += scnprintf(buf + ret, PAGE_SIZE - ret,
"Port is symmetric");
} else {
if (ptcr & IMX_AUDMUX_V2_PTCR_RFSDIR)
- ret += snprintf(buf + ret, PAGE_SIZE - ret,
+ ret += scnprintf(buf + ret, PAGE_SIZE - ret,
"RxFS output from %s, ",
audmux_port_string((ptcr >> 17) & 0x7));
else
- ret += snprintf(buf + ret, PAGE_SIZE - ret,
+ ret += scnprintf(buf + ret, PAGE_SIZE - ret,
"RxFS input, ");
if (ptcr & IMX_AUDMUX_V2_PTCR_RCLKDIR)
- ret += snprintf(buf + ret, PAGE_SIZE - ret,
+ ret += scnprintf(buf + ret, PAGE_SIZE - ret,
"RxClk output from %s",
audmux_port_string((ptcr >> 12) & 0x7));
else
- ret += snprintf(buf + ret, PAGE_SIZE - ret,
+ ret += scnprintf(buf + ret, PAGE_SIZE - ret,
"RxClk input");
}
- ret += snprintf(buf + ret, PAGE_SIZE - ret,
+ ret += scnprintf(buf + ret, PAGE_SIZE - ret,
"\nData received from %s\n",
audmux_port_string((pdcr >> 13) & 0x7));
--
2.19.2
^ permalink raw reply related [flat|nested] 3+ messages in thread
* Re: [PATCH v2 4/8] ASoC: imx-audmux: change snprintf to scnprintf for possible overflow
2019-01-15 3:27 [PATCH v2 4/8] ASoC: imx-audmux: change snprintf to scnprintf for possible overflow Willy Tarreau
@ 2019-01-15 4:53 ` Gustavo A. R. Silva
2019-01-15 19:08 ` Applied "ASoC: imx-audmux: change snprintf to scnprintf for possible overflow" to the asoc tree Mark Brown
1 sibling, 0 replies; 3+ messages in thread
From: Gustavo A. R. Silva @ 2019-01-15 4:53 UTC (permalink / raw)
To: Willy Tarreau, Silvio Cesare
Cc: linux-kernel, Timur Tabi, Mark Brown, Nicolin Chen, alsa-devel,
Xiubo Li, Fabio Estevam, Dan Carpenter, Kees Cook, Will Deacon,
Greg KH
Hi Willy,
On 1/14/19 9:27 PM, Willy Tarreau wrote:
> From: Silvio Cesare <silvio.cesare@gmail.com>
>
> Change snprintf to scnprintf. There are generally two cases where using
> snprintf causes problems.
>
> 1) Uses of size += snprintf(buf, SIZE - size, fmt, ...)
> In this case, if snprintf would have written more characters than what the
> buffer size (SIZE) is, then size will end up larger than SIZE. In later
> uses of snprintf, SIZE - size will result in a negative number, leading
> to problems. Note that size might already be too large by using
> size = snprintf before the code reaches a case of size += snprintf.
>
> 2) If size is ultimately used as a length parameter for a copy back to user
> space, then it will potentially allow for a buffer overflow and information
> disclosure when size is greater than SIZE. When the size is used to index
> the buffer directly, we can have memory corruption. This also means when
> size = snprintf... is used, it may also cause problems since size may become
> large. Copying to userspace is mitigated by the HARDENED_USERCOPY kernel
> configuration.
>
> The solution to these issues is to use scnprintf which returns the number of
> characters actually written to the buffer, so the size variable will never
> exceed SIZE.
>
> Signed-off-by: Silvio Cesare <silvio.cesare@gmail.com>
> Cc: Timur Tabi <timur@kernel.org>
> Cc: Nicolin Chen <nicoleotsuka@gmail.com>
> Cc: Mark Brown <broonie@kernel.org>
> Cc: Xiubo Li <Xiubo.Lee@gmail.com>
> Cc: Fabio Estevam <fabio.estevam@nxp.com>
> Cc: Dan Carpenter <dan.carpenter@oracle.com>
> Cc: Kees Cook <keescook@chromium.org>
> Cc: Will Deacon <will.deacon@arm.com>
> Cc: Greg KH <greg@kroah.com>
> Signed-off-by: Willy Tarreau <w@1wt.eu>
> Acked-by: Nicolin Chen <nicoleotsuka@gmail.com>
> Reviewed-by: Kees Cook <keescook@chromium.org>
>
You are still missing some people and mailing lists:
$ scripts/get_maintainer.pl --nokeywords --nogit --nogit-fallback sound/soc/fsl/imx-audmux.c
Timur Tabi <timur@kernel.org> (maintainer:FREESCALE SOC SOUND DRIVERS)
Nicolin Chen <nicoleotsuka@gmail.com> (maintainer:FREESCALE SOC SOUND DRIVERS)
Xiubo Li <Xiubo.Lee@gmail.com> (maintainer:FREESCALE SOC SOUND DRIVERS)
Fabio Estevam <fabio.estevam@nxp.com> (reviewer:FREESCALE SOC SOUND DRIVERS)
Liam Girdwood <lgirdwood@gmail.com> (supporter:SOUND - SOC LAYER / DYNAMIC AUDIO POWER MANAGEM...)
Mark Brown <broonie@kernel.org> (supporter:SOUND - SOC LAYER / DYNAMIC AUDIO POWER MANAGEM...)
Jaroslav Kysela <perex@perex.cz> (maintainer:SOUND)
Takashi Iwai <tiwai@suse.com> (maintainer:SOUND)
Shawn Guo <shawnguo@kernel.org> (maintainer:ARM/FREESCALE IMX / MXC ARM ARCHITECTURE)
Sascha Hauer <s.hauer@pengutronix.de> (maintainer:ARM/FREESCALE IMX / MXC ARM ARCHITECTURE)
Pengutronix Kernel Team <kernel@pengutronix.de> (reviewer:ARM/FREESCALE IMX / MXC ARM ARCHITECTURE)
NXP Linux Team <linux-imx@nxp.com> (reviewer:ARM/FREESCALE IMX / MXC ARM ARCHITECTURE)
alsa-devel@alsa-project.org (moderated list:FREESCALE SOC SOUND DRIVERS)
linuxppc-dev@lists.ozlabs.org (open list:FREESCALE SOC SOUND DRIVERS)
linux-arm-kernel@lists.infradead.org (moderated list:ARM/FREESCALE IMX / MXC ARM ARCHITECTURE)
linux-kernel@vger.kernel.org (open list)
--
Gustavo
> --
>
> v2:
> - adjust subject line
> - added alsa-devel & Mark
> - added acked-by
> - added reviewed-by
>
> The patches in this series were sent by Silvio to the security list
> to fix a minor memory disclosure issue after this article was published:
>
> http://blog.infosectcbr.com.au/2018/11/memory-bugs-in-multiple-linux-kernel.html
>
>
> sound/soc/fsl/imx-audmux.c | 24 ++++++++++++------------
> 1 file changed, 12 insertions(+), 12 deletions(-)
>
> diff --git a/sound/soc/fsl/imx-audmux.c b/sound/soc/fsl/imx-audmux.c
> index 392d5eef356d..99e07b01a2ce 100644
> --- a/sound/soc/fsl/imx-audmux.c
> +++ b/sound/soc/fsl/imx-audmux.c
> @@ -86,49 +86,49 @@ static ssize_t audmux_read_file(struct file *file, char __user *user_buf,
> if (!buf)
> return -ENOMEM;
>
> - ret = snprintf(buf, PAGE_SIZE, "PDCR: %08x\nPTCR: %08x\n",
> + ret = scnprintf(buf, PAGE_SIZE, "PDCR: %08x\nPTCR: %08x\n",
> pdcr, ptcr);
>
> if (ptcr & IMX_AUDMUX_V2_PTCR_TFSDIR)
> - ret += snprintf(buf + ret, PAGE_SIZE - ret,
> + ret += scnprintf(buf + ret, PAGE_SIZE - ret,
> "TxFS output from %s, ",
> audmux_port_string((ptcr >> 27) & 0x7));
> else
> - ret += snprintf(buf + ret, PAGE_SIZE - ret,
> + ret += scnprintf(buf + ret, PAGE_SIZE - ret,
> "TxFS input, ");
>
> if (ptcr & IMX_AUDMUX_V2_PTCR_TCLKDIR)
> - ret += snprintf(buf + ret, PAGE_SIZE - ret,
> + ret += scnprintf(buf + ret, PAGE_SIZE - ret,
> "TxClk output from %s",
> audmux_port_string((ptcr >> 22) & 0x7));
> else
> - ret += snprintf(buf + ret, PAGE_SIZE - ret,
> + ret += scnprintf(buf + ret, PAGE_SIZE - ret,
> "TxClk input");
>
> - ret += snprintf(buf + ret, PAGE_SIZE - ret, "\n");
> + ret += scnprintf(buf + ret, PAGE_SIZE - ret, "\n");
>
> if (ptcr & IMX_AUDMUX_V2_PTCR_SYN) {
> - ret += snprintf(buf + ret, PAGE_SIZE - ret,
> + ret += scnprintf(buf + ret, PAGE_SIZE - ret,
> "Port is symmetric");
> } else {
> if (ptcr & IMX_AUDMUX_V2_PTCR_RFSDIR)
> - ret += snprintf(buf + ret, PAGE_SIZE - ret,
> + ret += scnprintf(buf + ret, PAGE_SIZE - ret,
> "RxFS output from %s, ",
> audmux_port_string((ptcr >> 17) & 0x7));
> else
> - ret += snprintf(buf + ret, PAGE_SIZE - ret,
> + ret += scnprintf(buf + ret, PAGE_SIZE - ret,
> "RxFS input, ");
>
> if (ptcr & IMX_AUDMUX_V2_PTCR_RCLKDIR)
> - ret += snprintf(buf + ret, PAGE_SIZE - ret,
> + ret += scnprintf(buf + ret, PAGE_SIZE - ret,
> "RxClk output from %s",
> audmux_port_string((ptcr >> 12) & 0x7));
> else
> - ret += snprintf(buf + ret, PAGE_SIZE - ret,
> + ret += scnprintf(buf + ret, PAGE_SIZE - ret,
> "RxClk input");
> }
>
> - ret += snprintf(buf + ret, PAGE_SIZE - ret,
> + ret += scnprintf(buf + ret, PAGE_SIZE - ret,
> "\nData received from %s\n",
> audmux_port_string((pdcr >> 13) & 0x7));
>
>
^ permalink raw reply [flat|nested] 3+ messages in thread
* Applied "ASoC: imx-audmux: change snprintf to scnprintf for possible overflow" to the asoc tree
2019-01-15 3:27 [PATCH v2 4/8] ASoC: imx-audmux: change snprintf to scnprintf for possible overflow Willy Tarreau
2019-01-15 4:53 ` Gustavo A. R. Silva
@ 2019-01-15 19:08 ` Mark Brown
1 sibling, 0 replies; 3+ messages in thread
From: Mark Brown @ 2019-01-15 19:08 UTC (permalink / raw)
To: Silvio Cesare
Cc: Timur Tabi, Nicolin Chen, Mark Brown, Xiubo Li, Fabio Estevam,
Dan Carpenter, Kees Cook, Will Deacon, Greg KH, Willy Tarreau,
Nicolin Chen, Mark Brown, alsa-devel, Kees Cook, Timur Tabi,
Xiubo Li, Greg KH, Will Deacon, linux-kernel, Nicolin Chen,
Mark Brown, Fabio Estevam, Dan Carpenter, alsa-devel
The patch
ASoC: imx-audmux: change snprintf to scnprintf for possible overflow
has been applied to the asoc tree at
https://git.kernel.org/pub/scm/linux/kernel/git/broonie/sound.git
All being well this means that it will be integrated into the linux-next
tree (usually sometime in the next 24 hours) and sent to Linus during
the next merge window (or sooner if it is a bug fix), however if
problems are discovered then the patch may be dropped or reverted.
You may get further e-mails resulting from automated or manual testing
and review of the tree, please engage with people reporting problems and
send followup patches addressing any issues that are reported if needed.
If any updates are required or you are submitting further changes they
should be sent as incremental updates against current git, existing
patches will not be replaced.
Please add any relevant lists and maintainers to the CCs when replying
to this mail.
Thanks,
Mark
From c407cd008fd039320d147088b52d0fa34ed3ddcb Mon Sep 17 00:00:00 2001
From: Silvio Cesare <silvio.cesare@gmail.com>
Date: Tue, 15 Jan 2019 04:27:27 +0100
Subject: [PATCH] ASoC: imx-audmux: change snprintf to scnprintf for possible
overflow
Change snprintf to scnprintf. There are generally two cases where using
snprintf causes problems.
1) Uses of size += snprintf(buf, SIZE - size, fmt, ...)
In this case, if snprintf would have written more characters than what the
buffer size (SIZE) is, then size will end up larger than SIZE. In later
uses of snprintf, SIZE - size will result in a negative number, leading
to problems. Note that size might already be too large by using
size = snprintf before the code reaches a case of size += snprintf.
2) If size is ultimately used as a length parameter for a copy back to user
space, then it will potentially allow for a buffer overflow and information
disclosure when size is greater than SIZE. When the size is used to index
the buffer directly, we can have memory corruption. This also means when
size = snprintf... is used, it may also cause problems since size may become
large. Copying to userspace is mitigated by the HARDENED_USERCOPY kernel
configuration.
The solution to these issues is to use scnprintf which returns the number of
characters actually written to the buffer, so the size variable will never
exceed SIZE.
Signed-off-by: Silvio Cesare <silvio.cesare@gmail.com>
Cc: Timur Tabi <timur@kernel.org>
Cc: Nicolin Chen <nicoleotsuka@gmail.com>
Cc: Mark Brown <broonie@kernel.org>
Cc: Xiubo Li <Xiubo.Lee@gmail.com>
Cc: Fabio Estevam <fabio.estevam@nxp.com>
Cc: Dan Carpenter <dan.carpenter@oracle.com>
Cc: Kees Cook <keescook@chromium.org>
Cc: Will Deacon <will.deacon@arm.com>
Cc: Greg KH <greg@kroah.com>
Signed-off-by: Willy Tarreau <w@1wt.eu>
Acked-by: Nicolin Chen <nicoleotsuka@gmail.com>
Reviewed-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Mark Brown <broonie@kernel.org>
---
sound/soc/fsl/imx-audmux.c | 24 ++++++++++++------------
1 file changed, 12 insertions(+), 12 deletions(-)
diff --git a/sound/soc/fsl/imx-audmux.c b/sound/soc/fsl/imx-audmux.c
index 392d5eef356d..99e07b01a2ce 100644
--- a/sound/soc/fsl/imx-audmux.c
+++ b/sound/soc/fsl/imx-audmux.c
@@ -86,49 +86,49 @@ static ssize_t audmux_read_file(struct file *file, char __user *user_buf,
if (!buf)
return -ENOMEM;
- ret = snprintf(buf, PAGE_SIZE, "PDCR: %08x\nPTCR: %08x\n",
+ ret = scnprintf(buf, PAGE_SIZE, "PDCR: %08x\nPTCR: %08x\n",
pdcr, ptcr);
if (ptcr & IMX_AUDMUX_V2_PTCR_TFSDIR)
- ret += snprintf(buf + ret, PAGE_SIZE - ret,
+ ret += scnprintf(buf + ret, PAGE_SIZE - ret,
"TxFS output from %s, ",
audmux_port_string((ptcr >> 27) & 0x7));
else
- ret += snprintf(buf + ret, PAGE_SIZE - ret,
+ ret += scnprintf(buf + ret, PAGE_SIZE - ret,
"TxFS input, ");
if (ptcr & IMX_AUDMUX_V2_PTCR_TCLKDIR)
- ret += snprintf(buf + ret, PAGE_SIZE - ret,
+ ret += scnprintf(buf + ret, PAGE_SIZE - ret,
"TxClk output from %s",
audmux_port_string((ptcr >> 22) & 0x7));
else
- ret += snprintf(buf + ret, PAGE_SIZE - ret,
+ ret += scnprintf(buf + ret, PAGE_SIZE - ret,
"TxClk input");
- ret += snprintf(buf + ret, PAGE_SIZE - ret, "\n");
+ ret += scnprintf(buf + ret, PAGE_SIZE - ret, "\n");
if (ptcr & IMX_AUDMUX_V2_PTCR_SYN) {
- ret += snprintf(buf + ret, PAGE_SIZE - ret,
+ ret += scnprintf(buf + ret, PAGE_SIZE - ret,
"Port is symmetric");
} else {
if (ptcr & IMX_AUDMUX_V2_PTCR_RFSDIR)
- ret += snprintf(buf + ret, PAGE_SIZE - ret,
+ ret += scnprintf(buf + ret, PAGE_SIZE - ret,
"RxFS output from %s, ",
audmux_port_string((ptcr >> 17) & 0x7));
else
- ret += snprintf(buf + ret, PAGE_SIZE - ret,
+ ret += scnprintf(buf + ret, PAGE_SIZE - ret,
"RxFS input, ");
if (ptcr & IMX_AUDMUX_V2_PTCR_RCLKDIR)
- ret += snprintf(buf + ret, PAGE_SIZE - ret,
+ ret += scnprintf(buf + ret, PAGE_SIZE - ret,
"RxClk output from %s",
audmux_port_string((ptcr >> 12) & 0x7));
else
- ret += snprintf(buf + ret, PAGE_SIZE - ret,
+ ret += scnprintf(buf + ret, PAGE_SIZE - ret,
"RxClk input");
}
- ret += snprintf(buf + ret, PAGE_SIZE - ret,
+ ret += scnprintf(buf + ret, PAGE_SIZE - ret,
"\nData received from %s\n",
audmux_port_string((pdcr >> 13) & 0x7));
--
2.20.1
^ permalink raw reply related [flat|nested] 3+ messages in thread
end of thread, other threads:[~2019-01-15 19:08 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2019-01-15 3:27 [PATCH v2 4/8] ASoC: imx-audmux: change snprintf to scnprintf for possible overflow Willy Tarreau
2019-01-15 4:53 ` Gustavo A. R. Silva
2019-01-15 19:08 ` Applied "ASoC: imx-audmux: change snprintf to scnprintf for possible overflow" to the asoc tree Mark Brown
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).