On Sat, Jan 12, 2019 at 7:28 AM Willy Tarreau <w...@1wt.eu> wrote: > > From: Silvio Cesare <silvio.ces...@gmail.com> > > Change snprintf to scnprintf. There are generally two cases where using > snprintf causes problems. > > 1) Uses of size += snprintf(buf, SIZE - size, fmt, ...) > In this case, if snprintf would have written more characters than what the > buffer size (SIZE) is, then size will end up larger than SIZE. In later > uses of snprintf, SIZE - size will result in a negative number, leading > to problems. Note that size might already be too large by using > size = snprintf before the code reaches a case of size += snprintf. > > 2) If size is ultimately used as a length parameter for a copy back to user > space, then it will potentially allow for a buffer overflow and information > disclosure when size is greater than SIZE. When the size is used to index > the buffer directly, we can have memory corruption. This also means when > size = snprintf... is used, it may also cause problems since size may become > large. Copying to userspace is mitigated by the HARDENED_USERCOPY kernel > configuration. > > The solution to these issues is to use scnprintf which returns the number of > characters actually written to the buffer, so the size variable will never > exceed SIZE. > > Signed-off-by: Silvio Cesare <silvio.ces...@gmail.com> > Cc: Pierre-Louis Bossart <pierre-louis.boss...@linux.intel.com> > Cc: Liam Girdwood <liam.r.girdw...@linux.intel.com> > Cc: Jie Yang <yang....@linux.intel.com> > Cc: Dan Carpenter <dan.carpen...@oracle.com> > Cc: Kees Cook <keesc...@chromium.org> > Cc: Will Deacon <will.dea...@arm.com> > Cc: Greg KH <g...@kroah.com> > Signed-off-by: Willy Tarreau <w...@1wt.eu> > > --- > sound/soc/intel/skylake/skl-debug.c | 28 ++++++++++++++-------------- > 1 file changed, 14 insertions(+), 14 deletions(-) > > diff --git a/sound/soc/intel/skylake/skl-debug.c > b/sound/soc/intel/skylake/skl-debug.c > index 5d7ac2ee7a3c..bb28db734fb7 100644 > --- a/sound/soc/intel/skylake/skl-debug.c > +++ b/sound/soc/intel/skylake/skl-debug.c > @@ -43,7 +43,7 @@ static ssize_t skl_print_pins(struct skl_module_pin *m_pin, > char *buf, > ssize_t ret = 0; > > for (i = 0; i < max_pin; i++) > - ret += snprintf(buf + size, MOD_BUF - size, > + ret += scnprintf(buf + size, MOD_BUF - size, > "%s %d\n\tModule %d\n\tInstance %d\n\t" > "In-used %s\n\tType %s\n" > "\tState %d\n\tIndex %d\n", >
While working on a Coccinelle script to find more cases of this, I noticed that this code is buggy: it keeps overwriting the same position in the buf string: "buf + size" and don't take "ret" into account at all. This needs to be: ret += scnprintf(buf + size + ret, MOD_BUF - size - ret, -- Kees Cook