From: Kees Cook
Date: Mon, 14 Jan 2019 17:09:52 -0800
Subject: Re: [PATCH 8/8] spi: dw: change snprintf to scnprintf for possible overflow
To: Willy Tarreau
Cc: Silvio Cesare, LKML, Mark Brown, Dan Carpenter, Will Deacon, Greg KH
In-Reply-To: <20190112152844.26550-8-w@1wt.eu>
References: <20190112152844.26550-1-w@1wt.eu> <20190112152844.26550-8-w@1wt.eu>
X-Mailing-List: linux-kernel@vger.kernel.org

On Sat, Jan 12, 2019 at 7:28 AM Willy Tarreau wrote:
>
> From: Silvio Cesare
>
> Change snprintf to scnprintf. There are generally two cases where using
> snprintf causes problems.
>
> 1) Uses of size += snprintf(buf, SIZE - size, fmt, ...)
> In this case, if snprintf would have written more characters than what the
> buffer size (SIZE) is, then size will end up larger than SIZE. In later
> uses of snprintf, SIZE - size will result in a negative number, leading
> to problems. Note that size might already be too large by using
> size = snprintf before the code reaches a case of size += snprintf.
>
> 2) If size is ultimately used as a length parameter for a copy back to user
> space, then it will potentially allow for a buffer overflow and information
> disclosure when size is greater than SIZE. When the size is used to index
> the buffer directly, we can have memory corruption. This also means when
> size = snprintf... is used, it may also cause problems since size may become
> large. Copying to userspace is mitigated by the HARDENED_USERCOPY kernel
> configuration.
>
> The solution to these issues is to use scnprintf which returns the number of
> characters actually written to the buffer, so the size variable will never
> exceed SIZE.
>
> Signed-off-by: Silvio Cesare
> Cc: Mark Brown
> Cc: Dan Carpenter
> Cc: Kees Cook
> Cc: Will Deacon
> Cc: Greg KH
> Signed-off-by: Willy Tarreau

Reviewed-by: Kees Cook

-Kees

>
> ---
> drivers/spi/spi-dw.c | 36 ++++++++++++++++++------------------
> 1 file changed, 18 insertions(+), 18 deletions(-)
>
> diff --git a/drivers/spi/spi-dw.c b/drivers/spi/spi-dw.c
> index b705f2bdb8b9..008d52d37439 100644
> --- a/drivers/spi/spi-dw.c
> +++ b/drivers/spi/spi-dw.c
> @@ -54,41 +54,41 @@ static ssize_t dw_spi_show_regs(struct file *file, char __user *user_buf, > if (!buf) > return 0; > > - len += snprintf(buf + len, SPI_REGS_BUFSIZE - len, > + len += scnprintf(buf + len, SPI_REGS_BUFSIZE - len, > "%s registers:\n", dev_name(&dws->master->dev)); > - len += snprintf(buf + len, SPI_REGS_BUFSIZE - len, > + len += scnprintf(buf + len, SPI_REGS_BUFSIZE - len, > "=================================\n"); > - len += snprintf(buf + len, SPI_REGS_BUFSIZE - len, > + len += scnprintf(buf + len, SPI_REGS_BUFSIZE - len, > "CTRL0: \t\t0x%08x\n", dw_readl(dws, DW_SPI_CTRL0)); > - len += snprintf(buf + len, SPI_REGS_BUFSIZE - len, > + len += scnprintf(buf + len, SPI_REGS_BUFSIZE - len, > "CTRL1: \t\t0x%08x\n", dw_readl(dws, DW_SPI_CTRL1)); > - len += snprintf(buf + len, SPI_REGS_BUFSIZE - len, > + len += scnprintf(buf + len, SPI_REGS_BUFSIZE - len, > "SSIENR: \t0x%08x\n", dw_readl(dws, DW_SPI_SSIENR)); > - len += snprintf(buf + len, SPI_REGS_BUFSIZE - len, > + len += scnprintf(buf + len, SPI_REGS_BUFSIZE - len, > "SER: \t\t0x%08x\n", dw_readl(dws, DW_SPI_SER)); > - len += snprintf(buf + len, SPI_REGS_BUFSIZE - len, > + len += scnprintf(buf + len, SPI_REGS_BUFSIZE - len, > "BAUDR: \t\t0x%08x\n", dw_readl(dws, DW_SPI_BAUDR)); > - len += snprintf(buf + len, SPI_REGS_BUFSIZE - len, > + len += scnprintf(buf + len, SPI_REGS_BUFSIZE - len, > "TXFTLR: \t0x%08x\n", dw_readl(dws, DW_SPI_TXFLTR)); > - len += snprintf(buf + len, SPI_REGS_BUFSIZE - len, > + len += scnprintf(buf + len, SPI_REGS_BUFSIZE - len, > "RXFTLR: \t0x%08x\n", dw_readl(dws, DW_SPI_RXFLTR)); > - len += snprintf(buf + len, SPI_REGS_BUFSIZE - len, > + len += scnprintf(buf + len, SPI_REGS_BUFSIZE - len, > "TXFLR: \t\t0x%08x\n", dw_readl(dws, DW_SPI_TXFLR)); > - len += snprintf(buf + len, SPI_REGS_BUFSIZE - len, > + len += scnprintf(buf + len, SPI_REGS_BUFSIZE - len, > "RXFLR: \t\t0x%08x\n", dw_readl(dws, DW_SPI_RXFLR)); > - len += snprintf(buf + len, SPI_REGS_BUFSIZE - len, > + len += 
scnprintf(buf + len, SPI_REGS_BUFSIZE - len, > "SR: \t\t0x%08x\n", dw_readl(dws, DW_SPI_SR)); > - len += snprintf(buf + len, SPI_REGS_BUFSIZE - len, > + len += scnprintf(buf + len, SPI_REGS_BUFSIZE - len, > "IMR: \t\t0x%08x\n", dw_readl(dws, DW_SPI_IMR)); > - len += snprintf(buf + len, SPI_REGS_BUFSIZE - len, > + len += scnprintf(buf + len, SPI_REGS_BUFSIZE - len, > "ISR: \t\t0x%08x\n", dw_readl(dws, DW_SPI_ISR)); > - len += snprintf(buf + len, SPI_REGS_BUFSIZE - len, > + len += scnprintf(buf + len, SPI_REGS_BUFSIZE - len, > "DMACR: \t\t0x%08x\n", dw_readl(dws, DW_SPI_DMACR)); > - len += snprintf(buf + len, SPI_REGS_BUFSIZE - len, > + len += scnprintf(buf + len, SPI_REGS_BUFSIZE - len, > "DMATDLR: \t0x%08x\n", dw_readl(dws, DW_SPI_DMATDLR)); > - len += snprintf(buf + len, SPI_REGS_BUFSIZE - len, > + len += scnprintf(buf + len, SPI_REGS_BUFSIZE - len, > "DMARDLR: \t0x%08x\n", dw_readl(dws, DW_SPI_DMARDLR)); > - len += snprintf(buf + len, SPI_REGS_BUFSIZE - len, > + len += scnprintf(buf + len, SPI_REGS_BUFSIZE - len, > "=================================\n"); > > ret = simple_read_from_buffer(user_buf, count, ppos, buf, len); > -- > 2.19.2 > -- Kees Cook
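Review bot: with every call in the @@ -54,41 +54,41 @@ hunk now going through scnprintf, len can never exceed SPI_REGS_BUFSIZE - 1, so the `SPI_REGS_BUFSIZE - len` size argument stays at least 1 and the unchanged `simple_read_from_buffer(user_buf, count, ppos, buf, len)` at the end of the hunk can no longer be handed a length larger than the allocation; the trade-off is that once the buffer is full scnprintf returns 0 and the remaining register lines are dropped without any indication, so it is worth confirming that SPI_REGS_BUFSIZE covers the full fixed-format dump rather than relying on truncation. Separately, the `if (!buf) return 0;` in the leading context returns 0 instead of -ENOMEM when the allocation fails; that predates this patch and is a candidate for a follow-up rather than something to fold into this mechanical conversion.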
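The two failure modes the commit message describes, shown as an added example that is not part of the patch, the spi-dw driver, or Kees Cook's reply. It is userspace C: the kernel's scnprintf() is re-implemented here on top of vsnprintf() with the documented kernel semantics (return what was stored, 0 for a zero-size buffer), and the register names and values are constructed for the demo. A 64-byte buffer is deliberately too small for six lines of output, so the accumulated length runs past it. The snprintf variant stops before the first call that would receive a wrapped `size - len`, because actually issuing that call is the overflow itself, and reports how many bytes a later copy of `len` bytes out of the buffer would read past its end.

```c
#include <stdarg.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Userspace stand-in for the kernel's scnprintf(): same arguments as
 * snprintf(), but returns the number of characters actually stored in buf
 * (excluding the terminating NUL), never the would-be length, and 0 when
 * size is 0. The semantics match the kernel's; the body is written for
 * this demo.
 */
static int scnprintf(char *buf, size_t size, const char *fmt, ...)
{
	va_list args;
	int i;

	if (size == 0)
		return 0;

	va_start(args, fmt);
	i = vsnprintf(buf, size, fmt, args);
	va_end(args);

	if (i < 0)
		return 0;
	return (size_t)i < size ? i : (int)(size - 1);
}

/* Constructed register table for the demo; names and values are made up. */
struct reg {
	const char *name;
	uint32_t val;
};

static const struct reg regs[] = {
	{ "CTRL0",  0x00070007 },
	{ "CTRL1",  0x00000000 },
	{ "SSIENR", 0x00000001 },
	{ "SER",    0x00000001 },
	{ "BAUDR",  0x00000010 },
	{ "SR",     0x00000006 },
};

#define NREGS (sizeof(regs) / sizeof(regs[0]))

/* What the caller learns about the accumulated-length bookkeeping. */
struct dump_result {
	size_t len;		/* final value of the accumulated length        */
	size_t stored;		/* bytes actually present in buf (strlen)       */
	size_t past_end;	/* bytes a copy of `len` would read beyond buf  */
	int unsafe_call_seen;	/* 1 if a call would have got a wrapped size    */
};

static size_t stored_len(const char *buf, size_t size)
{
	const char *nul = memchr(buf, '\0', size);

	return nul ? (size_t)(nul - buf) : size;
}

/*
 * Unsafe idiom from the commit message: len accumulates snprintf()'s
 * would-be lengths. Once the buffer is full, len runs past size and
 * `size - len` underflows to a huge size_t (with a signed int len it goes
 * negative and converts to the same huge value at the call). Issuing
 * snprintf() with that size would be a heap overflow, so the demo stops
 * before the first such call; the lengths it reports are exactly those
 * the real code would have computed.
 */
static struct dump_result dump_with_snprintf(char *buf, size_t size)
{
	struct dump_result r = { 0, 0, 0, 0 };
	size_t len = 0;

	for (size_t i = 0; i < NREGS; i++) {
		if (len > size) {
			r.unsafe_call_seen = 1;	/* size - len has wrapped */
			break;
		}
		len += snprintf(buf + len, size - len, "%s: \t\t0x%08x\n",
				regs[i].name, regs[i].val);
	}
	r.len = len;
	r.stored = stored_len(buf, size);
	r.past_end = len > size ? len - size : 0;
	return r;
}

/*
 * Fixed idiom: scnprintf() returns only what was stored, so len is at most
 * size - 1 and `size - len` is always at least 1. Output past the end of
 * the buffer is dropped silently rather than overflowing.
 */
static struct dump_result dump_with_scnprintf(char *buf, size_t size)
{
	struct dump_result r = { 0, 0, 0, 0 };
	size_t len = 0;

	for (size_t i = 0; i < NREGS; i++)
		len += scnprintf(buf + len, size - len, "%s: \t\t0x%08x\n",
				 regs[i].name, regs[i].val);
	r.len = len;
	r.stored = stored_len(buf, size);
	r.past_end = len > size ? len - size : 0;
	return r;
}

/* Run either variant against a fresh 64-byte buffer (too small on purpose). */
static struct dump_result run_demo(int use_scnprintf)
{
	char buf[64];

	return use_scnprintf ? dump_with_scnprintf(buf, sizeof(buf))
			     : dump_with_snprintf(buf, sizeof(buf));
}

int main(void)
{
	struct dump_result a = run_demo(0);
	struct dump_result b = run_demo(1);

	printf("snprintf : len=%zu stored=%zu past_end=%zu wrapped size arg: %s\n",
	       a.len, a.stored, a.past_end, a.unsafe_call_seen ? "yes" : "no");
	printf("scnprintf: len=%zu stored=%zu past_end=%zu\n",
	       b.len, b.stored, b.past_end);
	return 0;
}
```

Built with `cc -Wall demo.c`, the snprintf variant ends with len 79 against a 64-byte buffer (the fourth line only partly fits and snprintf still adds its full 18-character length), so a copy of `len` bytes would read 15 bytes past the allocation and the fifth call would have been given a wrapped size; the scnprintf variant ends with len 63, exactly what is in the buffer, and the last two lines are simply absent.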