Received: by 2002:a25:e7d8:0:0:0:0:0 with SMTP id e207csp672575ybh;
        Tue, 10 Mar 2020 06:14:42 -0700 (PDT)
X-Google-Smtp-Source: ADFU+vvbmUsOTusa6rkXKm4CUyfELWeQH5LiEghBIM+Y30DMz++skOfnfEbSsf7Bankv92+Zm7Dn
X-Received: by 2002:aca:3354:: with SMTP id z81mr1099133oiz.129.1583846082566;
        Tue, 10 Mar 2020 06:14:42 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1583846082; cv=none;
        d=google.com; s=arc-20160816;
        b=pF0VMVs+cbl4LzddrjYQWb3tCnXC3HJPvp8LYyqTduEABZiQrv2/wztAvf2ZaUsxl+
         Zpa8XWG4cJfClgFlmjxTiNB52PQu/CX2S2Y5XttA0nYtwCiekeA4GVdtpkwopp/4KjlP
         7dGZYmSs4S/xMpG0aFuuXr4ndEIJwnArpboTrLLjB5b6f0b4rJ5OJwBmVaj4eiHcFEDv
         CWdNvYTrhs289BKCKa2Kih7hcHOqHXsy3iPomBZ7JeTSRSjfk3lZik4vM/kWarLDzB/4
         +r5RY94lC042kmuoCBv6+RKPnMe3oSyFBMwSNO8dAh7wRGmRH80uHGgvmO8116b00OnA
         TtVg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:content-transfer-encoding:mime-version
         :user-agent:references:in-reply-to:message-id:date:subject:cc:to
         :from:dkim-signature;
        bh=qz4TQbklnXATWnB/VbCAh7RN2fcKCJHmIAFhHNcTxxc=;
        b=eyzp//qH/+cPwj1SIUwzg/qGIH2Xi2E4OpplQr5yntIBEQQx9WGOIRyX3OWfmdXZFH
         6n8w4rr3Kibb0f6ro+V3eve71pAWQvxU5r3uAakDyAZwGewK/seHW6ndceQrE9SFWN4G
         txsteTtc3kV2oeZn+n3zDbLZulPvyiykreeBYIOaXpep+Eny01SGWb8nawS4m0vyqHaw
         yDrouQJeqXiRfp8QWWuzM8pr3uKO0awYjoIKgUYF+vpk8QiSc+3bvsgkC+1Dg2hhIeoF
         4zg058E953nCEcnE9qHKgZXqPG9u0g5sdYrwy9m1p1Jn5AqiU4Xn4jzzoeuPJj12rzpY
         w24w==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@kernel.org header.s=default header.b="wT+/Jk2Y";
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id a3si5284075oie.164.2020.03.10.06.14.30;
        Tue, 10 Mar 2020 06:14:42 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@kernel.org header.s=default header.b="wT+/Jk2Y";
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1731626AbgCJNOI (ORCPT
        <rfc822;paul.schmitz.hallo.parkuhr@gmail.com> + 99 others);
        Tue, 10 Mar 2020 09:14:08 -0400
Received: from mail.kernel.org ([198.145.29.99]:37456 "EHLO mail.kernel.org"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S1730355AbgCJNOH (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Tue, 10 Mar 2020 09:14:07 -0400
Received: from localhost (83-86-89-107.cable.dynamic.v4.ziggo.nl [83.86.89.107])
        (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
        (No client certificate requested)
        by mail.kernel.org (Postfix) with ESMTPSA id 6B26924649;
        Tue, 10 Mar 2020 13:14:06 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org;
        s=default; t=1583846046;
        bh=jENa1iOTffqMHGFt30gipGVXbT4PUMFHQ7QC1hJPN3E=;
        h=From:To:Cc:Subject:Date:In-Reply-To:References:From;
        b=wT+/Jk2YroU4gPaIFPhEQohjvhcy62XEpa72ZwZjuEdqHYDR0FysC74VBIJaBlQxG
         b//U2LCGzE7eba+iXnd61GgWSPGrcOeMHCWilgnT4eUngO8xjjqfwMvxiyX6rBLfFI
         FCyAIbnhzfUPMks88UKUfGMNAFip75ImoeYqK478=
From:   Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To:     linux-kernel@vger.kernel.org
Cc:     Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
        stable@vger.kernel.org, Takashi Iwai <tiwai@suse.de>,
        Cezary Rojewski <cezary.rojewski@intel.com>,
        Mark Brown <broonie@kernel.org>
Subject: [PATCH 4.19 65/86] ASoC: pcm: Fix possible buffer overflow in dpcm state sysfs output
Date:   Tue, 10 Mar 2020 13:45:29 +0100
Message-Id: <20200310124534.295150608@linuxfoundation.org>
X-Mailer: git-send-email 2.25.1
In-Reply-To: <20200310124530.808338541@linuxfoundation.org>
References: <20200310124530.808338541@linuxfoundation.org>
User-Agent: quilt/0.66
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

From: Takashi Iwai <tiwai@suse.de>

commit 6c89ffea60aa3b2a33ae7987de1e84bfb89e4c9e upstream.

dpcm_show_state() invokes multiple snprintf() calls to concatenate
formatted strings on the fixed size buffer.  The usage of snprintf()
is supposed for avoiding the buffer overflow, but it doesn't work as
expected because snprintf() doesn't return the actual output size but
the size to be written.

Fix this bug by replacing all snprintf() calls with scnprintf()
calls.

Fixes: f86dcef87b77 ("ASoC: dpcm: Add debugFS support for DPCM")
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Acked-by: Cezary Rojewski <cezary.rojewski@intel.com>
Link: https://lore.kernel.org/r/20200218111737.14193-4-tiwai@suse.de
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 sound/soc/soc-pcm.c |   16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)

--- a/sound/soc/soc-pcm.c
+++ b/sound/soc/soc-pcm.c
@@ -3357,16 +3357,16 @@ static ssize_t dpcm_show_state(struct sn
 	ssize_t offset = 0;
 
 	/* FE state */
-	offset += snprintf(buf + offset, size - offset,
+	offset += scnprintf(buf + offset, size - offset,
 			"[%s - %s]\n", fe->dai_link->name,
 			stream ? "Capture" : "Playback");
 
-	offset += snprintf(buf + offset, size - offset, "State: %s\n",
+	offset += scnprintf(buf + offset, size - offset, "State: %s\n",
 	                dpcm_state_string(fe->dpcm[stream].state));
 
 	if ((fe->dpcm[stream].state >= SND_SOC_DPCM_STATE_HW_PARAMS) &&
 	    (fe->dpcm[stream].state <= SND_SOC_DPCM_STATE_STOP))
-		offset += snprintf(buf + offset, size - offset,
+		offset += scnprintf(buf + offset, size - offset,
 				"Hardware Params: "
 				"Format = %s, Channels = %d, Rate = %d\n",
 				snd_pcm_format_name(params_format(params)),
@@ -3374,10 +3374,10 @@ static ssize_t dpcm_show_state(struct sn
 				params_rate(params));
 
 	/* BEs state */
-	offset += snprintf(buf + offset, size - offset, "Backends:\n");
+	offset += scnprintf(buf + offset, size - offset, "Backends:\n");
 
 	if (list_empty(&fe->dpcm[stream].be_clients)) {
-		offset += snprintf(buf + offset, size - offset,
+		offset += scnprintf(buf + offset, size - offset,
 				" No active DSP links\n");
 		goto out;
 	}
@@ -3386,16 +3386,16 @@ static ssize_t dpcm_show_state(struct sn
 		struct snd_soc_pcm_runtime *be = dpcm->be;
 		params = &dpcm->hw_params;
 
-		offset += snprintf(buf + offset, size - offset,
+		offset += scnprintf(buf + offset, size - offset,
 				"- %s\n", be->dai_link->name);
 
-		offset += snprintf(buf + offset, size - offset,
+		offset += scnprintf(buf + offset, size - offset,
 				"   State: %s\n",
 				dpcm_state_string(be->dpcm[stream].state));
 
 		if ((be->dpcm[stream].state >= SND_SOC_DPCM_STATE_HW_PARAMS) &&
 		    (be->dpcm[stream].state <= SND_SOC_DPCM_STATE_STOP))
-			offset += snprintf(buf + offset, size - offset,
+			offset += scnprintf(buf + offset, size - offset,
 				"   Hardware Params: "
 				"Format = %s, Channels = %d, Rate = %d\n",
 				snd_pcm_format_name(params_format(params)),