diff mbox series

[4.19,166/229] iommu/omap: Fix buffer overflow in debugfs

Message ID	20221024113004.450933795@linuxfoundation.org
State	New
Headers	Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; From: Greg Kroah-Hartman <gregkh@linuxfoundation.org> To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>, stable@vger.kernel.org, Dan Carpenter <dan.carpenter@oracle.com>, Robin Murphy <robin.murphy@arm.com>, Laurent Pinchart <laurent.pinchart@ideasonboard.com>, Joerg Roedel <jroedel@suse.de>, Sasha Levin <sashal@kernel.org> Subject: [PATCH 4.19 166/229] iommu/omap: Fix buffer overflow in debugfs Date: Mon, 24 Oct 2022 13:31:25 +0200 Message-Id: <20221024113004.450933795@linuxfoundation.org> In-Reply-To: <20221024112959.085534368@linuxfoundation.org> References: <20221024112959.085534368@linuxfoundation.org> User-Agent: quilt/0.67 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Precedence: bulk
Series	None \| [4.19,002/229] docs: update mediator information in CoC docs [4.19,003/229] ARM: fix function graph tracer and unwinder dependencies [4.19,004/229] fs: fix UAF/GPF bug in nilfs_mdt_destroy [4.19,005/229] firmware: arm_scmi: Add SCMI PM driver remove routine [4.19,006/229] dmaengine: xilinx_dma: cleanup for fetching xlnx,num-fstores property [4.19,007/229] dmaengine: xilinx_dma: Report error in case of dma_set_mask_and_coherent API failure [4.19,008/229] ARM: dts: fix Moxa SDIO compatible, remove sdhci misnomer [4.19,009/229] scsi: qedf: Fix a UAF bug in __qedf_probe() [4.19,010/229] net/ieee802154: fix uninit value bug in dgram_sendmsg [4.19,011/229] um: Cleanup syscall_handler_t cast in syscalls_32.h [4.19,012/229] um: Cleanup compiler warning in arch/x86/um/tls_32.c [4.19,013/229] usb: mon: make mmapped memory read only [4.19,014/229] USB: serial: ftdi_sio: fix 300 bps rate for SIO [4.19,015/229] mmc: core: Replace with already defined values for readability [4.19,016/229] mmc: core: Terminate infinite loop in SD-UHS voltage switch [4.19,017/229] rpmsg: qcom: glink: replace strncpy() with strscpy_pad() [4.19,018/229] nilfs2: fix NULL pointer dereference at nilfs_bmap_lookup_at_level() [4.19,019/229] nilfs2: fix leak of nilfs_root in case of writer thread creation failure [4.19,020/229] nilfs2: replace WARN_ONs by nilfs_error for checkpoint acquisition failure [4.19,021/229] ceph: dont truncate file in atomic_open [4.19,022/229] random: clamp credited irq bits to maximum mixed [4.19,023/229] ALSA: hda: Fix position reporting on Poulsbo [4.19,024/229] scsi: stex: Properly zero out the passthrough command structure [4.19,025/229] USB: serial: qcserial: add new usb-id for Dell branded EM7455 [4.19,026/229] random: restore O_NONBLOCK support [4.19,027/229] random: avoid reading two cache lines on irq randomness [4.19,028/229] random: use expired timer rather than wq for mixing fast pool [4.19,029/229] wifi: mac80211_hwsim: avoid mac80211 warning on bad rate [4.19,030/229] Input: xpad - add supported devices as contributed on github [4.19,031/229] Input: xpad - fix wireless 360 controller breaking after suspend [4.19,032/229] ALSA: oss: Fix potential deadlock at unregistration [4.19,033/229] ALSA: rawmidi: Drop register_mutex in snd_rawmidi_free() [4.19,034/229] ALSA: usb-audio: Fix potential memory leaks [4.19,035/229] ALSA: usb-audio: Fix NULL dererence at error path [4.19,036/229] ALSA: hda/realtek: remove ALC289_FIXUP_DUAL_SPK for Dell 5530 [4.19,037/229] mtd: rawnand: atmel: Unmap streaming DMA mappings [4.19,038/229] iio: dac: ad5593r: Fix i2c read protocol requirements [4.19,039/229] usb: add quirks for Lenovo OneLink+ Dock [4.19,040/229] can: kvaser_usb: Fix use of uninitialized completion [4.19,041/229] can: kvaser_usb_leaf: Fix overread with an invalid command [4.19,042/229] can: kvaser_usb_leaf: Fix TX queue out of sync after restart [4.19,043/229] can: kvaser_usb_leaf: Fix CAN state after restart [4.19,044/229] fs: dlm: fix race between test_bit() and queue_work() [4.19,045/229] fs: dlm: handle -EBUSY first in lock arg validation [4.19,046/229] HID: multitouch: Add memory barriers [4.19,047/229] quota: Check next/prev free block number after reading from quota file [4.19,048/229] regulator: qcom_rpm: Fix circular deferral regression [4.19,049/229] Revert "fs: check FMODE_LSEEK to control internal pipe splicing" [4.19,050/229] parisc: fbdev/stifb: Align graphics memory size to 4MB [4.19,051/229] riscv: Allow PROT_WRITE-only mmap() [4.19,052/229] UM: cpuinfo: Fix a warning for CONFIG_CPUMASK_OFFSTACK [4.19,053/229] PCI: Sanitise firmware BAR assignments behind a PCI-PCI bridge [4.19,054/229] fbdev: smscufx: Fix use-after-free in ufx_ops_open() [4.19,055/229] btrfs: fix race between quota enable and quota rescan ioctl [4.19,056/229] riscv: fix build with binutils 2.38 [4.19,057/229] nilfs2: fix use-after-free bug of struct nilfs_root [4.19,058/229] ext4: avoid crash when inline data creation follows DIO write [4.19,059/229] ext4: fix null-ptr-deref in ext4_write_info [4.19,060/229] ext4: make ext4_lazyinit_thread freezable [4.19,061/229] ext4: place buffer head allocation before handle start [4.19,062/229] livepatch: fix race between fork and KLP transition [4.19,063/229] ftrace: Properly unset FTRACE_HASH_FL_MOD [4.19,064/229] ring-buffer: Allow splice to read previous partially read pages [4.19,065/229] ring-buffer: Check pending waiters when doing wake ups as well [4.19,066/229] ring-buffer: Fix race between reset page and reading page [4.19,067/229] KVM: x86/emulator: Fix handing of POP SS to correctly set interruptibility [4.19,068/229] KVM: nVMX: Unconditionally purge queued/injected events on nested "exit" [4.19,069/229] selinux: use "grep -E" instead of "egrep" [4.19,070/229] sh: machvec: Use char[] for section boundaries [4.19,071/229] wifi: ath10k: add peer map clean up for peer delete in ath10k_sta_state() [4.19,072/229] wifi: mac80211: allow bw change during channel switch in mesh [4.19,073/229] bpftool: Fix a wrong type cast in btf_dumper_int [4.19,074/229] spi: mt7621: Fix an error message in mt7621_spi_probe() [4.19,075/229] wifi: rtl8xxxu: tighten bounds checking in rtl8xxxu_read_efuse() [4.19,076/229] spi: qup: add missing clk_disable_unprepare on error in spi_qup_resume() [4.19,077/229] spi: qup: add missing clk_disable_unprepare on error in spi_qup_pm_resume_runtime() [4.19,078/229] wifi: rtl8xxxu: Fix skb misuse in TX queue selection [4.19,079/229] bpf: btf: fix truncated last_member_type_id in btf_struct_resolve [4.19,080/229] wifi: rtl8xxxu: gen2: Fix mistake in path B IQ calibration [4.19,081/229] net: fs_enet: Fix wrong check in do_pd_setup [4.19,082/229] bpf: Ensure correct locking around vulnerable function find_vpid() [4.19,083/229] spi/omap100k:Fix PM disable depth imbalance in omap1_spi100k_probe [4.19,084/229] netfilter: nft_fib: Fix for rpath check with VRF devices [4.19,085/229] spi: s3c64xx: Fix large transfers with DMA [4.19,086/229] vhost/vsock: Use kvmalloc/kvfree for larger packets. [4.19,087/229] mISDN: fix use-after-free bugs in l1oip timer handlers [4.19,088/229] sctp: handle the error returned from sctp_auth_asoc_init_active_key [4.19,089/229] tcp: fix tcp_cwnd_validate() to not forget is_cwnd_limited [4.19,090/229] net: rds: dont hold sock lock when cancelling work from rds_tcp_reset_callbacks() [4.19,091/229] bnx2x: fix potential memory leak in bnx2x_tpa_stop() [4.19,092/229] once: add DO_ONCE_SLOW() for sleepable contexts [4.19,093/229] net: mvpp2: fix mvpp2 debugfs leak [4.19,094/229] drm: bridge: adv7511: fix CEC power down control register offset [4.19,095/229] drm/mipi-dsi: Detach devices when removing the host [4.19,096/229] platform/chrome: fix double-free in chromeos_laptop_prepare() [4.19,097/229] platform/x86: msi-laptop: Fix old-ec check for backlight registering [4.19,098/229] platform/x86: msi-laptop: Fix resource cleanup [4.19,099/229] drm/bridge: megachips: Fix a null pointer dereference bug [4.19,100/229] mmc: au1xmmc: Fix an error handling path in au1xmmc_probe() [4.19,101/229] ASoC: eureka-tlv320: Hold reference returned from of_find_xxx API [4.19,102/229] drm/msm/dpu: index dpu_kms->hw_vbif using vbif_idx [4.19,103/229] ALSA: dmaengine: increment buffer pointer atomically [4.19,104/229] mmc: wmt-sdmmc: Fix an error handling path in wmt_mci_probe() [4.19,105/229] ASoC: wm8997: Fix PM disable depth imbalance in wm8997_probe [4.19,106/229] ASoC: wm5110: Fix PM disable depth imbalance in wm5110_probe [4.19,107/229] ASoC: wm5102: Fix PM disable depth imbalance in wm5102_probe [4.19,108/229] memory: of: Fix refcount leak bug in of_get_ddr_timings() [4.19,109/229] soc: qcom: smsm: Fix refcount leak bugs in qcom_smsm_probe() [4.19,110/229] soc: qcom: smem_state: Add refcounting for the state->of_node [4.19,111/229] ARM: dts: turris-omnia: Fix mpp26 pin name and comment [4.19,112/229] ARM: dts: kirkwood: lsxl: fix serial line [4.19,113/229] ARM: dts: kirkwood: lsxl: remove first ethernet port [4.19,114/229] ARM: dts: exynos: correct s5k6a3 reset polarity on Midas family [4.19,115/229] ARM: Drop CMDLINE_* dependency on ATAGS [4.19,116/229] ARM: dts: exynos: fix polarity of VBUS GPIO of Origen [4.19,117/229] iio: adc: at91-sama5d2_adc: fix AT91_SAMA5D2_MR_TRACKTIM_MAX [4.19,118/229] iio: adc: at91-sama5d2_adc: check return status for pressure and touch [4.19,119/229] iio: inkern: only release the device node when done with it [4.19,120/229] iio: ABI: Fix wrong format of differential capacitance channel ABI. [4.19,121/229] clk: oxnas: Hold reference returned by of_get_parent() [4.19,122/229] clk: berlin: Add of_node_put() for of_get_parent() [4.19,123/229] clk: tegra: Fix refcount leak in tegra210_clock_init [4.19,124/229] clk: tegra: Fix refcount leak in tegra114_clock_init [4.19,125/229] clk: tegra20: Fix refcount leak in tegra20_clock_init [4.19,126/229] HSI: omap_ssi: Fix refcount leak in ssi_probe [4.19,127/229] HSI: omap_ssi_port: Fix dma_map_sg error check [4.19,128/229] media: exynos4-is: fimc-is: Add of_node_put() when breaking out of loop [4.19,129/229] tty: xilinx_uartps: Fix the ignore_status [4.19,130/229] media: xilinx: vipp: Fix refcount leak in xvip_graph_dma_init [4.19,131/229] RDMA/rxe: Fix "kernel NULL pointer dereference" error [4.19,132/229] RDMA/rxe: Fix the error caused by qp->sk [4.19,133/229] dyndbg: fix module.dyndbg handling [4.19,134/229] dyndbg: let query-modname override actual module name [4.19,135/229] mtd: devices: docg3: check the return value of devm_ioremap() in the probe [4.19,136/229] ata: fix ata_id_sense_reporting_enabled() and ata_id_has_sense_reporting() [4.19,137/229] ata: fix ata_id_has_devslp() [4.19,138/229] ata: fix ata_id_has_ncq_autosense() [4.19,139/229] ata: fix ata_id_has_dipm() [4.19,140/229] md/raid5: Ensure stripe_fill happens on non-read IO with journal [4.19,141/229] xhci: Dont show warning for reinit on known broken suspend [4.19,142/229] usb: gadget: function: fix dangling pnp_string in f_printer.c [4.19,143/229] drivers: serial: jsm: fix some leaks in probe [4.19,144/229] phy: qualcomm: call clk_disable_unprepare in the error handling [4.19,145/229] staging: vt6655: fix some erroneous memory clean-up loops [4.19,146/229] firmware: google: Test spinlock on panic path to avoid lockups [4.19,147/229] serial: 8250: Fix restoring termios speed after suspend [4.19,148/229] fsi: core: Check error number after calling ida_simple_get [4.19,149/229] mfd: intel_soc_pmic: Fix an error handling path in intel_soc_pmic_i2c_probe() [4.19,150/229] mfd: fsl-imx25: Fix an error handling path in mx25_tsadc_setup_irq() [4.19,151/229] mfd: lp8788: Fix an error handling path in lp8788_probe() [4.19,152/229] mfd: lp8788: Fix an error handling path in lp8788_irq_init() and lp8788_irq_init() [4.19,153/229] mfd: sm501: Add check for platform_driver_register() [4.19,154/229] dmaengine: ioat: stop mod_timer from resurrecting deleted timer in __cleanup() [4.19,155/229] spmi: pmic-arb: correct duplicate APID to PPID mapping logic [4.19,156/229] clk: bcm2835: fix bcm2835_clock_rate_from_divisor declaration [4.19,157/229] clk: ti: dra7-atl: Fix reference leak in of_dra7_atl_clk_probe [4.19,158/229] mailbox: bcm-ferxrm-mailbox: Fix error check for dma_map_sg [4.19,159/229] powerpc/math_emu/efp: Include module.h [4.19,160/229] powerpc/sysdev/fsl_msi: Add missing of_node_put() [4.19,161/229] powerpc/pci_dn: Add missing of_node_put() [4.19,162/229] powerpc/powernv: add missing of_node_put() in opal_export_attrs() [4.19,163/229] x86/hyperv: Fix struct hv_enlightened_vmcs definition [4.19,164/229] powerpc/64s: Fix GENERIC_CPU build flags for PPC970 / G5 [4.19,165/229] powerpc: Fix SPE Power ISA properties for e500v1 platforms [4.19,166/229] iommu/omap: Fix buffer overflow in debugfs [4.19,167/229] iommu/iova: Fix module config properly [4.19,168/229] crypto: cavium - prevent integer overflow loading firmware [4.19,169/229] f2fs: fix race condition on setting FI_NO_EXTENT flag [4.19,170/229] ACPI: video: Add Toshiba Satellite/Portege Z830 quirk [4.19,171/229] MIPS: BCM47XX: Cast memcmp() of function to (void *) [4.19,172/229] powercap: intel_rapl: fix UBSAN shift-out-of-bounds issue [4.19,173/229] thermal: intel_powerclamp: Use get_cpu() instead of smp_processor_id() to avoid crash [4.19,174/229] x86/entry: Work around Clang __bdos() bug [4.19,175/229] NFSD: Return nfserr_serverfault if splice_ok but buf->pages have data [4.19,176/229] wifi: brcmfmac: fix invalid address access when enabling SCAN log level [4.19,177/229] openvswitch: Fix double reporting of drops in dropwatch [4.19,178/229] openvswitch: Fix overreporting of drops in dropwatch [4.19,179/229] tcp: annotate data-race around tcp_md5sig_pool_populated [4.19,180/229] wifi: ath9k: avoid uninit memory read in ath9k_htc_rx_msg() [4.19,181/229] xfrm: Update ipcomp_scratches with NULL when freed [4.19,182/229] wifi: brcmfmac: fix use-after-free bug in brcmf_netdev_start_xmit() [4.19,183/229] Bluetooth: L2CAP: initialize delayed works at l2cap_chan_create() [4.19,184/229] Bluetooth: hci_sysfs: Fix attempting to call device_add multiple times [4.19,185/229] can: bcm: check the result of can_send() in bcm_can_tx() [4.19,186/229] wifi: rt2x00: dont run Rt5592 IQ calibration on MT7620 [4.19,187/229] wifi: rt2x00: set correct TX_SW_CFG1 MAC register for MT7620 [4.19,188/229] wifi: rt2x00: set SoC wmac clock register [4.19,189/229] wifi: rt2x00: correctly set BBP register 86 for MT7620 [4.19,190/229] net: If sock is dead dont access socks sk_wq in sk_stream_wait_memory [4.19,191/229] Bluetooth: L2CAP: Fix user-after-free [4.19,192/229] r8152: Rate limit overflow messages [4.19,193/229] drm: Use size_t type for len variable in drm_copy_field() [4.19,194/229] drm: Prevent drm_copy_field() to attempt copying a NULL pointer [4.19,195/229] drm/amd/display: fix overflow on MIN_I64 definition [4.19,196/229] drm/vc4: vec: Fix timings for VEC modes [4.19,197/229] drm: panel-orientation-quirks: Add quirk for Anbernic Win600 [4.19,198/229] platform/x86: msi-laptop: Change DMI match / alias strings to fix module autoloading [4.19,199/229] drm/amdgpu: fix initial connector audio value [4.19,200/229] ARM: dts: imx7d-sdb: config the max pressure for tsc2046 [4.19,201/229] ARM: dts: imx6q: add missing properties for sram [4.19,202/229] ARM: dts: imx6dl: add missing properties for sram [4.19,203/229] ARM: dts: imx6qp: add missing properties for sram [4.19,204/229] ARM: dts: imx6sl: add missing properties for sram [4.19,205/229] ARM: dts: imx6sll: add missing properties for sram [4.19,206/229] ARM: dts: imx6sx: add missing properties for sram [4.19,207/229] media: cx88: Fix a null-ptr-deref bug in buffer_prepare() [4.19,208/229] scsi: 3w-9xxx: Avoid disabling device if failing to enable it [4.19,209/229] nbd: Fix hung when signal interrupts nbd_start_device_ioctl() [4.19,210/229] power: supply: adp5061: fix out-of-bounds read in adp5061_get_chg_type() [4.19,211/229] staging: vt6655: fix potential memory leak [4.19,212/229] ata: libahci_platform: Sanity check the DT child nodes number [4.19,213/229] HID: roccat: Fix use-after-free in roccat_read() [4.19,214/229] md/raid5: Wait for MD_SB_CHANGE_PENDING in raid5d [4.19,215/229] usb: host: xhci: Fix potential memory leak in xhci_alloc_stream_info() [4.19,216/229] usb: musb: Fix musb_gadget.c rxstate overflow bug [4.19,217/229] Revert "usb: storage: Add quirk for Samsung Fit flash" [4.19,218/229] nvme: copy firmware_rev on each init [4.19,219/229] usb: idmouse: fix an uninit-value in idmouse_open [4.19,220/229] clk: bcm2835: Make peripheral PLLC critical [4.19,221/229] perf intel-pt: Fix segfault in intel_pt_print_info() with uClibc [4.19,222/229] net: ieee802154: return -EINVAL for unknown addr type [4.19,223/229] net/ieee802154: dont warn zero-sized raw_sendmsg() [4.19,224/229] ext4: continue to expand file system when the target size doesnt reach [4.19,225/229] md: Replace snprintf with scnprintf [4.19,226/229] efi: libstub: drop pointless get_memory_map() call [4.19,227/229] inet: fully convert sk->sk_rx_dst to RCU rules [4.19,228/229] thermal: intel_powerclamp: Use first online CPU as control_cpu [4.19,229/229] gcov: support GCC 12.1 and newer compilers

Commit Message

Greg KH Oct. 24, 2022, 11:31 a.m. UTC

  From: Dan Carpenter <dan.carpenter@oracle.com>

[ Upstream commit 184233a5202786b20220acd2d04ddf909ef18f29 ]

There are two issues here:

1) The "len" variable needs to be checked before the very first write.
   Otherwise if omap2_iommu_dump_ctx() with "bytes" less than 32 it is a
   buffer overflow.
2) The snprintf() function returns the number of bytes that *would* have
   been copied if there were enough space.  But we want to know the
   number of bytes which were *actually* copied so use scnprintf()
   instead.

Fixes: bd4396f09a4a ("iommu/omap: Consolidate OMAP IOMMU modules")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Reviewed-by: Robin Murphy <robin.murphy@arm.com>
Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
Link: https://lore.kernel.org/r/YuvYh1JbE3v+abd5@kili
Signed-off-by: Joerg Roedel <jroedel@suse.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/iommu/omap-iommu-debug.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff mbox series

Patch

diff --git a/drivers/iommu/omap-iommu-debug.c b/drivers/iommu/omap-iommu-debug.c
index 5ce55fabc9d8..726702d01522 100644
--- a/drivers/iommu/omap-iommu-debug.c
+++ b/drivers/iommu/omap-iommu-debug.c
@@ -35,12 +35,12 @@  static inline bool is_omap_iommu_detached(struct omap_iommu *obj)
 		ssize_t bytes;						\
 		const char *str = "%20s: %08x\n";			\
 		const int maxcol = 32;					\
-		bytes = snprintf(p, maxcol, str, __stringify(name),	\
+		if (len < maxcol)					\
+			goto out;					\
+		bytes = scnprintf(p, maxcol, str, __stringify(name),	\
 				 iommu_read_reg(obj, MMU_##name));	\
 		p += bytes;						\
 		len -= bytes;						\
-		if (len < maxcol)					\
-			goto out;					\
 	} while (0)
 
 static ssize_t