mirror of
https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git
synced 2024-12-29 09:12:07 +00:00
iommu/omap: Fix buffer overflow in debugfs
There are two issues here:
1) The "len" variable needs to be checked before the very first write.
Otherwise if omap2_iommu_dump_ctx() with "bytes" less than 32 it is a
buffer overflow.
2) The snprintf() function returns the number of bytes that *would* have
been copied if there were enough space. But we want to know the
number of bytes which were *actually* copied so use scnprintf()
instead.
Fixes: bd4396f09a
("iommu/omap: Consolidate OMAP IOMMU modules")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Reviewed-by: Robin Murphy <robin.murphy@arm.com>
Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
Link: https://lore.kernel.org/r/YuvYh1JbE3v+abd5@kili
Signed-off-by: Joerg Roedel <jroedel@suse.de>
This commit is contained in:
parent
7e18e42e4b
commit
184233a520
@ -32,12 +32,12 @@ static inline bool is_omap_iommu_detached(struct omap_iommu *obj)
|
||||
ssize_t bytes; \
|
||||
const char *str = "%20s: %08x\n"; \
|
||||
const int maxcol = 32; \
|
||||
bytes = snprintf(p, maxcol, str, __stringify(name), \
|
||||
if (len < maxcol) \
|
||||
goto out; \
|
||||
bytes = scnprintf(p, maxcol, str, __stringify(name), \
|
||||
iommu_read_reg(obj, MMU_##name)); \
|
||||
p += bytes; \
|
||||
len -= bytes; \
|
||||
if (len < maxcol) \
|
||||
goto out; \
|
||||
} while (0)
|
||||
|
||||
static ssize_t
|
||||
|
Loading…
Reference in New Issue
Block a user