From: Kees Cook
Date: Mon, 14 Jan 2019 17:13:21 -0800
Subject: Re: [PATCH 4/8] ASoC: change snprintf to scnprintf for possible overflow
To: Willy Tarreau
Cc: Silvio Cesare, LKML, Timur Tabi, Nicolin Chen, Xiubo Li, Fabio Estevam, Dan Carpenter, Will Deacon, Greg KH

On Sat, Jan 12, 2019 at 7:28 AM Willy Tarreau wrote:
>
> From: Silvio Cesare
>
> Change snprintf to scnprintf. There are generally two cases where using
> snprintf causes problems.
>
> 1) Uses of size += snprintf(buf, SIZE - size, fmt, ...)
> In this case, if snprintf would have written more characters than what the
> buffer size (SIZE) is, then size will end up larger than SIZE. In later
> uses of snprintf, SIZE - size will result in a negative number, leading
> to problems. Note that size might already be too large by using
> size = snprintf before the code reaches a case of size += snprintf.
>
> 2) If size is ultimately used as a length parameter for a copy back to user
> space, then it will potentially allow for a buffer overflow and information
> disclosure when size is greater than SIZE. When the size is used to index
> the buffer directly, we can have memory corruption. This also means when
> size = snprintf... is used, it may also cause problems since size may become
> large. Copying to userspace is mitigated by the HARDENED_USERCOPY kernel
> configuration.
>
> The solution to these issues is to use scnprintf which returns the number of
> characters actually written to the buffer, so the size variable will never
> exceed SIZE.
>
> Signed-off-by: Silvio Cesare
> Cc: Timur Tabi
> Cc: Nicolin Chen
> Cc: Xiubo Li
> Cc: Fabio Estevam
> Cc: Dan Carpenter
> Cc: Kees Cook
> Cc: Will Deacon
> Cc: Greg KH
> Signed-off-by: Willy Tarreau

Reviewed-by: Kees Cook

-Kees

> > --- > sound/soc/fsl/imx-audmux.c | 24 ++++++++++++------------ > 1 file changed, 12 insertions(+), 12 deletions(-) > > diff --git a/sound/soc/fsl/imx-audmux.c b/sound/soc/fsl/imx-audmux.c > index 392d5eef356d..99e07b01a2ce 100644 > --- a/sound/soc/fsl/imx-audmux.c > +++ b/sound/soc/fsl/imx-audmux.c 
> @@ -86,49 +86,49 @@ static ssize_t audmux_read_file(struct file *file, char __user *user_buf, > if (!buf) > return -ENOMEM; > > - ret = snprintf(buf, PAGE_SIZE, "PDCR: %08x\nPTCR: %08x\n", > + ret = scnprintf(buf, PAGE_SIZE, "PDCR: %08x\nPTCR: %08x\n", > pdcr, ptcr); > > if (ptcr & IMX_AUDMUX_V2_PTCR_TFSDIR) > - ret += snprintf(buf + ret, PAGE_SIZE - ret, > + ret += scnprintf(buf + ret, PAGE_SIZE - ret, > "TxFS output from %s, ", > audmux_port_string((ptcr >> 27) & 0x7)); > else > - ret += snprintf(buf + ret, PAGE_SIZE - ret, > + ret += scnprintf(buf + ret, PAGE_SIZE - ret, > "TxFS input, "); > > if (ptcr & IMX_AUDMUX_V2_PTCR_TCLKDIR) > - ret += snprintf(buf + ret, PAGE_SIZE - ret, > + ret += scnprintf(buf + ret, PAGE_SIZE - ret, > "TxClk output from %s", > audmux_port_string((ptcr >> 22) & 0x7)); > else > - ret += snprintf(buf + ret, PAGE_SIZE - ret, > + ret += scnprintf(buf + ret, PAGE_SIZE - ret, > "TxClk input"); > > - ret += snprintf(buf + ret, PAGE_SIZE - ret, "\n"); > + ret += scnprintf(buf + ret, PAGE_SIZE - ret, "\n"); > > if (ptcr & IMX_AUDMUX_V2_PTCR_SYN) { > - ret += snprintf(buf + ret, PAGE_SIZE - ret, > + ret += scnprintf(buf + ret, PAGE_SIZE - ret, > "Port is symmetric"); > } else { > if (ptcr & IMX_AUDMUX_V2_PTCR_RFSDIR) > - ret += snprintf(buf + ret, PAGE_SIZE - ret, > + ret += scnprintf(buf + ret, PAGE_SIZE - ret, > "RxFS output from %s, ", > audmux_port_string((ptcr >> 17) & 0x7)); > else > - ret += snprintf(buf + ret, PAGE_SIZE - ret, > + ret += scnprintf(buf + ret, PAGE_SIZE - ret, > "RxFS input, "); > > if (ptcr & IMX_AUDMUX_V2_PTCR_RCLKDIR) > - ret += snprintf(buf + ret, PAGE_SIZE - ret, > + ret += scnprintf(buf + ret, PAGE_SIZE - ret, > "RxClk output from %s", > audmux_port_string((ptcr >> 12) & 0x7)); > else > - ret += snprintf(buf + ret, PAGE_SIZE - ret, > + ret += scnprintf(buf + ret, PAGE_SIZE - ret, > "RxClk input"); > } > > - ret += snprintf(buf + ret, PAGE_SIZE - ret, > + ret += scnprintf(buf + ret, PAGE_SIZE - ret, > "\nData 
received from %s\n", > audmux_port_string((pdcr >> 13) & 0x7)); > > -- > 2.19.2 > -- Kees Cook
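
Review bot: The changelog is the generic text for the series and does not say which of its two cases applies to audmux_read_file(); every call converted in this hunk is the `ret += snprintf(buf + ret, PAGE_SIZE - ret, ...)` accumulation (case 1), while the place where `ret` is finally consumed lies after the last visible line, so the patch alone does not show whether it becomes the length for the copy to `user_buf` (case 2). A sentence naming the pattern in this file and how `ret` is used after the final call would make the fix easier to assess for backporting. It would also help to state whether truncation is believed reachable here or whether this is hardening, since the formats visible in the hunk are short fixed strings plus a `%s` from audmux_port_string(). The conversion itself holds together: scnprintf returns at most size - 1, so `PAGE_SIZE - ret` stays at least 1 for each later call in the chain.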
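
The return-value difference the quoted commit message describes, as an added userspace example (not part of the patch or of the kernel source). `demo_scnprintf`, `SIZE` and the sample string are constructed stand-ins for the kernel's scnprintf(), PAGE_SIZE and the driver's output.

```c
#include <stdarg.h>
#include <stdio.h>

#define SIZE 16  /* small stand-in for PAGE_SIZE */
static const char *MSG = "TxFS output from SSI0, ";  /* constructed, 23 chars */

/* Stand-in for the kernel's scnprintf(): returns characters actually stored. */
static int demo_scnprintf(char *buf, size_t size, const char *fmt, ...)
{
    va_list ap;
    int n;
    if (size == 0)
        return 0;
    va_start(ap, fmt);
    n = vsnprintf(buf, size, fmt, ap);
    va_end(ap);
    if (n < 0)
        return 0;
    return (size_t)n < size ? n : (int)(size - 1);
}

/* Case 1, first append: snprintf() returns the length it wanted to write. */
static size_t total_after_snprintf(char *buf)
{
    return (size_t)snprintf(buf, SIZE, "%s", MSG);
}

/* Bound the next "SIZE - size" call would pass; wraps once size > SIZE. */
static size_t next_bound(size_t size)
{
    return (size_t)SIZE - size;
}

/* Same accumulation with scnprintf semantics: the total stays below SIZE. */
static size_t total_after_scnprintf(char *buf)
{
    size_t size = 0;
    for (int i = 0; i < 4; i++)
        size += (size_t)demo_scnprintf(buf + size, SIZE - size, "%s", MSG);
    return size;
}

int main(void)
{
    char buf[SIZE];
    size_t bad = total_after_snprintf(buf);
    printf("%zu %zu %zu\n", bad, next_bound(bad), total_after_scnprintf(buf));
    return 0;
}
```

The snprintf total exceeds the buffer after a single append and the next bound wraps to a very large unsigned value, whereas the scnprintf total stops at SIZE - 1 no matter how many appends follow.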