Commit 549cd0ba authored by Takashi Iwai's avatar Takashi Iwai Committed by Mark Brown

ASoC: intel: skl: Fix possible buffer overflow in debug outputs

The debugfs output of intel skl driver writes strings with multiple
snprintf() calls with the fixed size.  This was supposed to avoid the
buffer overflow but actually it still would, because snprintf()
returns the expected size to be output, not the actual output size.

Fix it by replacing snprintf() calls with scnprintf().

Fixes: d14700a0 ("ASoC: Intel: Skylake: Debugfs facility to dump module config")
Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
Acked-by: default avatarCezary Rojewski <cezary.rojewski@intel.com>
Link: https://lore.kernel.org/r/20200218111737.14193-3-tiwai@suse.deSigned-off-by: default avatarMark Brown <broonie@kernel.org>
parent 64bbacc5
...@@ -35,7 +35,7 @@ static ssize_t skl_print_pins(struct skl_module_pin *m_pin, char *buf, ...@@ -35,7 +35,7 @@ static ssize_t skl_print_pins(struct skl_module_pin *m_pin, char *buf,
ssize_t ret = 0; ssize_t ret = 0;
for (i = 0; i < max_pin; i++) { for (i = 0; i < max_pin; i++) {
ret += snprintf(buf + size, MOD_BUF - size, ret += scnprintf(buf + size, MOD_BUF - size,
"%s %d\n\tModule %d\n\tInstance %d\n\t" "%s %d\n\tModule %d\n\tInstance %d\n\t"
"In-used %s\n\tType %s\n" "In-used %s\n\tType %s\n"
"\tState %d\n\tIndex %d\n", "\tState %d\n\tIndex %d\n",
...@@ -53,7 +53,7 @@ static ssize_t skl_print_pins(struct skl_module_pin *m_pin, char *buf, ...@@ -53,7 +53,7 @@ static ssize_t skl_print_pins(struct skl_module_pin *m_pin, char *buf,
static ssize_t skl_print_fmt(struct skl_module_fmt *fmt, char *buf, static ssize_t skl_print_fmt(struct skl_module_fmt *fmt, char *buf,
ssize_t size, bool direction) ssize_t size, bool direction)
{ {
return snprintf(buf + size, MOD_BUF - size, return scnprintf(buf + size, MOD_BUF - size,
"%s\n\tCh %d\n\tFreq %d\n\tBit depth %d\n\t" "%s\n\tCh %d\n\tFreq %d\n\tBit depth %d\n\t"
"Valid bit depth %d\n\tCh config %#x\n\tInterleaving %d\n\t" "Valid bit depth %d\n\tCh config %#x\n\tInterleaving %d\n\t"
"Sample Type %d\n\tCh Map %#x\n", "Sample Type %d\n\tCh Map %#x\n",
...@@ -77,16 +77,16 @@ static ssize_t module_read(struct file *file, char __user *user_buf, ...@@ -77,16 +77,16 @@ static ssize_t module_read(struct file *file, char __user *user_buf,
if (!buf) if (!buf)
return -ENOMEM; return -ENOMEM;
ret = snprintf(buf, MOD_BUF, "Module:\n\tUUID %pUL\n\tModule id %d\n" ret = scnprintf(buf, MOD_BUF, "Module:\n\tUUID %pUL\n\tModule id %d\n"
"\tInstance id %d\n\tPvt_id %d\n", mconfig->guid, "\tInstance id %d\n\tPvt_id %d\n", mconfig->guid,
mconfig->id.module_id, mconfig->id.instance_id, mconfig->id.module_id, mconfig->id.instance_id,
mconfig->id.pvt_id); mconfig->id.pvt_id);
ret += snprintf(buf + ret, MOD_BUF - ret, ret += scnprintf(buf + ret, MOD_BUF - ret,
"Resources:\n\tCPC %#x\n\tIBS %#x\n\tOBS %#x\t\n", "Resources:\n\tCPC %#x\n\tIBS %#x\n\tOBS %#x\t\n",
res->cpc, res->ibs, res->obs); res->cpc, res->ibs, res->obs);
ret += snprintf(buf + ret, MOD_BUF - ret, ret += scnprintf(buf + ret, MOD_BUF - ret,
"Module data:\n\tCore %d\n\tIn queue %d\n\t" "Module data:\n\tCore %d\n\tIn queue %d\n\t"
"Out queue %d\n\tType %s\n", "Out queue %d\n\tType %s\n",
mconfig->core_id, mconfig->max_in_queue, mconfig->core_id, mconfig->max_in_queue,
...@@ -96,38 +96,38 @@ static ssize_t module_read(struct file *file, char __user *user_buf, ...@@ -96,38 +96,38 @@ static ssize_t module_read(struct file *file, char __user *user_buf,
ret += skl_print_fmt(mconfig->in_fmt, buf, ret, true); ret += skl_print_fmt(mconfig->in_fmt, buf, ret, true);
ret += skl_print_fmt(mconfig->out_fmt, buf, ret, false); ret += skl_print_fmt(mconfig->out_fmt, buf, ret, false);
ret += snprintf(buf + ret, MOD_BUF - ret, ret += scnprintf(buf + ret, MOD_BUF - ret,
"Fixup:\n\tParams %#x\n\tConverter %#x\n", "Fixup:\n\tParams %#x\n\tConverter %#x\n",
mconfig->params_fixup, mconfig->converter); mconfig->params_fixup, mconfig->converter);
ret += snprintf(buf + ret, MOD_BUF - ret, ret += scnprintf(buf + ret, MOD_BUF - ret,
"Module Gateway:\n\tType %#x\n\tVbus %#x\n\tHW conn %#x\n\tSlot %#x\n", "Module Gateway:\n\tType %#x\n\tVbus %#x\n\tHW conn %#x\n\tSlot %#x\n",
mconfig->dev_type, mconfig->vbus_id, mconfig->dev_type, mconfig->vbus_id,
mconfig->hw_conn_type, mconfig->time_slot); mconfig->hw_conn_type, mconfig->time_slot);
ret += snprintf(buf + ret, MOD_BUF - ret, ret += scnprintf(buf + ret, MOD_BUF - ret,
"Pipeline:\n\tID %d\n\tPriority %d\n\tConn Type %d\n\t" "Pipeline:\n\tID %d\n\tPriority %d\n\tConn Type %d\n\t"
"Pages %#x\n", mconfig->pipe->ppl_id, "Pages %#x\n", mconfig->pipe->ppl_id,
mconfig->pipe->pipe_priority, mconfig->pipe->conn_type, mconfig->pipe->pipe_priority, mconfig->pipe->conn_type,
mconfig->pipe->memory_pages); mconfig->pipe->memory_pages);
ret += snprintf(buf + ret, MOD_BUF - ret, ret += scnprintf(buf + ret, MOD_BUF - ret,
"\tParams:\n\t\tHost DMA %d\n\t\tLink DMA %d\n", "\tParams:\n\t\tHost DMA %d\n\t\tLink DMA %d\n",
mconfig->pipe->p_params->host_dma_id, mconfig->pipe->p_params->host_dma_id,
mconfig->pipe->p_params->link_dma_id); mconfig->pipe->p_params->link_dma_id);
ret += snprintf(buf + ret, MOD_BUF - ret, ret += scnprintf(buf + ret, MOD_BUF - ret,
"\tPCM params:\n\t\tCh %d\n\t\tFreq %d\n\t\tFormat %d\n", "\tPCM params:\n\t\tCh %d\n\t\tFreq %d\n\t\tFormat %d\n",
mconfig->pipe->p_params->ch, mconfig->pipe->p_params->ch,
mconfig->pipe->p_params->s_freq, mconfig->pipe->p_params->s_freq,
mconfig->pipe->p_params->s_fmt); mconfig->pipe->p_params->s_fmt);
ret += snprintf(buf + ret, MOD_BUF - ret, ret += scnprintf(buf + ret, MOD_BUF - ret,
"\tLink %#x\n\tStream %#x\n", "\tLink %#x\n\tStream %#x\n",
mconfig->pipe->p_params->linktype, mconfig->pipe->p_params->linktype,
mconfig->pipe->p_params->stream); mconfig->pipe->p_params->stream);
ret += snprintf(buf + ret, MOD_BUF - ret, ret += scnprintf(buf + ret, MOD_BUF - ret,
"\tState %d\n\tPassthru %s\n", "\tState %d\n\tPassthru %s\n",
mconfig->pipe->state, mconfig->pipe->state,
mconfig->pipe->passthru ? "true" : "false"); mconfig->pipe->passthru ? "true" : "false");
...@@ -137,7 +137,7 @@ static ssize_t module_read(struct file *file, char __user *user_buf, ...@@ -137,7 +137,7 @@ static ssize_t module_read(struct file *file, char __user *user_buf,
ret += skl_print_pins(mconfig->m_out_pin, buf, ret += skl_print_pins(mconfig->m_out_pin, buf,
mconfig->max_out_queue, ret, false); mconfig->max_out_queue, ret, false);
ret += snprintf(buf + ret, MOD_BUF - ret, ret += scnprintf(buf + ret, MOD_BUF - ret,
"Other:\n\tDomain %d\n\tHomogeneous Input %s\n\t" "Other:\n\tDomain %d\n\tHomogeneous Input %s\n\t"
"Homogeneous Output %s\n\tIn Queue Mask %d\n\t" "Homogeneous Output %s\n\tIn Queue Mask %d\n\t"
"Out Queue Mask %d\n\tDMA ID %d\n\tMem Pages %d\n\t" "Out Queue Mask %d\n\tDMA ID %d\n\tMem Pages %d\n\t"
...@@ -193,7 +193,7 @@ static ssize_t fw_softreg_read(struct file *file, char __user *user_buf, ...@@ -193,7 +193,7 @@ static ssize_t fw_softreg_read(struct file *file, char __user *user_buf,
__ioread32_copy(d->fw_read_buff, fw_reg_addr, w0_stat_sz >> 2); __ioread32_copy(d->fw_read_buff, fw_reg_addr, w0_stat_sz >> 2);
for (offset = 0; offset < FW_REG_SIZE; offset += 16) { for (offset = 0; offset < FW_REG_SIZE; offset += 16) {
ret += snprintf(tmp + ret, FW_REG_BUF - ret, "%#.4x: ", offset); ret += scnprintf(tmp + ret, FW_REG_BUF - ret, "%#.4x: ", offset);
hex_dump_to_buffer(d->fw_read_buff + offset, 16, 16, 4, hex_dump_to_buffer(d->fw_read_buff + offset, 16, 16, 4,
tmp + ret, FW_REG_BUF - ret, 0); tmp + ret, FW_REG_BUF - ret, 0);
ret += strlen(tmp + ret); ret += strlen(tmp + ret);
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment