Received: by 2002:a05:6a10:2726:0:0:0:0 with SMTP id ib38csp634908pxb; Tue, 5 Apr 2022 16:44:43 -0700 (PDT) X-Google-Smtp-Source: ABdhPJwsQjb2Ov4BR/ae9GF9Dqn4tlPex6JrDC7QB9Tbi6eIZ6zglaMPXP+BLN2u9gfbagSlRlUa X-Received: by 2002:a63:9203:0:b0:386:3b37:76b5 with SMTP id o3-20020a639203000000b003863b3776b5mr4927567pgd.234.1649202283427; Tue, 05 Apr 2022 16:44:43 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1649202283; cv=none; d=google.com; s=arc-20160816; b=iXItEXTxPYoB75Vlmv0x9eU8WOJDLudTSj1f04JQLQNAm5hlWKM+8vDNxDBRQ5T3YF 2sDbRQXs/Tky+/XRB3GEN1cxFMZ77d24FOgEV00m8rejki4SCK7ClsQid/Jpo6E2oeQS z8EK+y3sS8Agt5Qtp4lvQUmGe/XILTiOlXulXaqkHgxJ2DX8k7CK9PC1HbeUCn+UBtmt ge4xEHtyQbnRJxy8S77uqc+TF7IFTqu+j0CGZATt8ZHx4meHtfj4deE6VhRId7U6bgpY yD62QyIZgTdWMpHGPi88rISUgWICHh5m/U8xkWyvXJv1D2wUl0zGi6bkaFU4A5U6Nrjt eurw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=e6aanR29DII2HiUyORIPIK5DJJ7LsJZOVwho3f3W46A=; b=PQBapAmu9567au7DUfZrglgxXN/jliD6tPjdQl8t7BEbQJPZMNR0Jq6SpkYzNWne+u K+VYSGDXEdOYP4+cUqfLZDqGZj8GcZvYX3CseIGvIkhqOFJL2Tutw4/SvBCjqlY1HQg3 yxqhBLXEWSUDz0RvTFOEO6qsPV0Fx+U9MlLtcXDZaRQyNBdueCUn/RbQaNFZqSJotfwk y2OLE6LIdGAmfdyc5aZDHJV0D6tnL9onwELRv+gy2XL/GIIDZXqdg7lSCHh9VGK/8UXx hLMD90oKo/Qft/JRqIrxqhDPR+4beQBhiWQktFbNmZcO9s9l94Wk/eiM6s5gAF+h/0/V K9AA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b="dYX/11UF"; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Return-Path: Received: from lindbergh.monkeyblade.net (lindbergh.monkeyblade.net. [2620:137:e000::1:18]) by mx.google.com with ESMTPS id m16-20020a63ed50000000b003817672f837si14323806pgk.21.2022.04.05.16.44.43 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 05 Apr 2022 16:44:43 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:18 as permitted sender) client-ip=2620:137:e000::1:18; Authentication-Results: mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b="dYX/11UF"; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Received: from out1.vger.email (out1.vger.email [IPv6:2620:137:e000::1:20]) by lindbergh.monkeyblade.net (Postfix) with ESMTP id 0E8B625DEE7; Tue, 5 Apr 2022 16:30:40 -0700 (PDT) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1382762AbiDEMQv (ORCPT + 99 others); Tue, 5 Apr 2022 08:16:51 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:52164 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S244928AbiDEIws (ORCPT ); Tue, 5 Apr 2022 04:52:48 -0400 Received: from dfw.source.kernel.org (dfw.source.kernel.org [IPv6:2604:1380:4641:c500::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 7F5B82496D; Tue, 5 Apr 2022 01:46:46 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by dfw.source.kernel.org (Postfix) with ESMTPS id 1B9B4614EB; Tue, 5 Apr 2022 08:46:46 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 2E69DC385A1; Tue, 5 Apr 2022 08:46:45 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1649148405; bh=zEeKefMZYRslSx40JLS5O+6+t08QoeqPa7ZuL/Iyqg4=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=dYX/11UFk3JDIw6U86VukWm0sX/m7VCz57y4r1gfM2erNge18sv18p/qDty0HOHqf fXIouyizrgDQXLFJNpv5esy4KCDUSlMd/NIb4+rQyVEoxO4P5rsJ2AfRMDvlW0AR2D V8BkUfbdLPpb4mUjR2ine/MM0ZeEOzm2KWCJzNsE= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Dan Carpenter , Helge Deller , Sasha Levin Subject: [PATCH 5.16 0306/1017] video: fbdev: fbcvt.c: fix printing in fb_cvt_print_name() Date: Tue, 5 Apr 2022 09:20:19 +0200 Message-Id: <20220405070403.359309944@linuxfoundation.org> X-Mailer: git-send-email 2.35.1 In-Reply-To: <20220405070354.155796697@linuxfoundation.org> References: <20220405070354.155796697@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-Spam-Status: No, score=-2.0 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS, MAILING_LIST_MULTI,RDNS_NONE,SPF_HELO_NONE,T_SCC_BODY_TEXT_LINE autolearn=no autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Dan Carpenter [ Upstream commit 78482af095abd9f4f29f1aa3fe575d25c6ae3028 ] This code has two bugs: 1) "cnt" is 255 but the size of the buffer is 256 so the last byte is not used. 2) If we try to print more than 255 characters then "cnt" will be negative and that will trigger a WARN() in snprintf(). The fix for this is to use scnprintf() instead of snprintf(). We can re-write this code to be cleaner: 1) Rename "offset" to "off" because that's shorter. 2) Get rid of the "cnt" variable and just use "size - off" directly. 3) Get rid of the "read" variable and just increment "off" directly. Fixes: 96fe6a2109db ("fbdev: Add VESA Coordinated Video Timings (CVT) support") Signed-off-by: Dan Carpenter Signed-off-by: Helge Deller Signed-off-by: Sasha Levin --- drivers/video/fbdev/core/fbcvt.c | 53 +++++++++++++------------------- 1 file changed, 21 insertions(+), 32 deletions(-) diff --git a/drivers/video/fbdev/core/fbcvt.c b/drivers/video/fbdev/core/fbcvt.c index 55d2bd0ce5c0..64843464c661 100644 --- a/drivers/video/fbdev/core/fbcvt.c +++ b/drivers/video/fbdev/core/fbcvt.c @@ -214,9 +214,11 @@ static u32 fb_cvt_aspect_ratio(struct fb_cvt_data *cvt) static void fb_cvt_print_name(struct fb_cvt_data *cvt) { u32 pixcount, pixcount_mod; - int cnt = 255, offset = 0, read = 0; - u8 *buf = kzalloc(256, GFP_KERNEL); + int size = 256; + int off = 0; + u8 *buf; + buf = kzalloc(size, GFP_KERNEL); if (!buf) return; @@ -224,43 +226,30 @@ static void fb_cvt_print_name(struct fb_cvt_data *cvt) pixcount_mod = (cvt->xres * (cvt->yres/cvt->interlace)) % 1000000; pixcount_mod /= 1000; - read = snprintf(buf+offset, cnt, "fbcvt: %dx%d@%d: CVT Name - ", - cvt->xres, cvt->yres, cvt->refresh); - offset += read; - cnt -= read; + off += scnprintf(buf + off, size - off, "fbcvt: %dx%d@%d: CVT Name - ", + cvt->xres, cvt->yres, cvt->refresh); - if (cvt->status) - snprintf(buf+offset, cnt, "Not a CVT standard - %d.%03d Mega " - "Pixel Image\n", pixcount, pixcount_mod); - else { - if (pixcount) { - read = snprintf(buf+offset, cnt, "%d", pixcount); - cnt -= read; - offset += read; - } + if (cvt->status) { + off += scnprintf(buf + off, size - off, + "Not a CVT standard - %d.%03d Mega Pixel Image\n", + pixcount, pixcount_mod); + } else { + if (pixcount) + off += scnprintf(buf + off, size - off, "%d", pixcount); - read = snprintf(buf+offset, cnt, ".%03dM", pixcount_mod); - cnt -= read; - offset += read; + off += scnprintf(buf + off, size - off, ".%03dM", pixcount_mod); if (cvt->aspect_ratio == 0) - read = snprintf(buf+offset, cnt, "3"); + off += scnprintf(buf + off, size - off, "3"); else if (cvt->aspect_ratio == 3) - read = snprintf(buf+offset, cnt, "4"); + off += scnprintf(buf + off, size - off, "4"); else if (cvt->aspect_ratio == 1 || cvt->aspect_ratio == 4) - read = snprintf(buf+offset, cnt, "9"); + off += scnprintf(buf + off, size - off, "9"); else if (cvt->aspect_ratio == 2) - read = snprintf(buf+offset, cnt, "A"); - else - read = 0; - cnt -= read; - offset += read; - - if (cvt->flags & FB_CVT_FLAG_REDUCED_BLANK) { - read = snprintf(buf+offset, cnt, "-R"); - cnt -= read; - offset += read; - } + off += scnprintf(buf + off, size - off, "A"); + + if (cvt->flags & FB_CVT_FLAG_REDUCED_BLANK) + off += scnprintf(buf + off, size - off, "-R"); } printk(KERN_INFO "%s\n", buf); -- 2.34.1