From patchwork Wed Mar 11 09:32:28 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Takashi Iwai X-Patchwork-Id: 11431271 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id AD41218E8 for ; Wed, 11 Mar 2020 09:32:37 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id 8C1ED2146E for ; Wed, 11 Mar 2020 09:32:37 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728721AbgCKJch (ORCPT ); Wed, 11 Mar 2020 05:32:37 -0400 Received: from mx2.suse.de ([195.135.220.15]:32924 "EHLO mx2.suse.de" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1728349AbgCKJcg (ORCPT ); Wed, 11 Mar 2020 05:32:36 -0400 X-Virus-Scanned: by amavisd-new at test-mx.suse.de Received: from relay2.suse.de (unknown [195.135.220.254]) by mx2.suse.de (Postfix) with ESMTP id BAF13B387; Wed, 11 Mar 2020 09:32:34 +0000 (UTC) From: Takashi Iwai To: Bartlomiej Zolnierkiewicz Cc: linux-fbdev@vger.kernel.org Subject: [PATCH 1/3] video: omapfb: Use scnprintf() for avoiding potential buffer overflow Date: Wed, 11 Mar 2020 10:32:28 +0100 Message-Id: <20200311093230.24900-2-tiwai@suse.de> X-Mailer: git-send-email 2.16.4 In-Reply-To: <20200311093230.24900-1-tiwai@suse.de> References: <20200311093230.24900-1-tiwai@suse.de> Sender: linux-fbdev-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-fbdev@vger.kernel.org Since snprintf() returns the would-be-output size instead of the actual output size, the succeeding calls may go beyond the given buffer limit. Fix it by replacing with scnprintf(). Signed-off-by: Takashi Iwai --- drivers/video/fbdev/omap/omapfb_main.c | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/drivers/video/fbdev/omap/omapfb_main.c b/drivers/video/fbdev/omap/omapfb_main.c index e8a304f84ea8..1a9d6242916e 100644 --- a/drivers/video/fbdev/omap/omapfb_main.c +++ b/drivers/video/fbdev/omap/omapfb_main.c @@ -1247,7 +1247,7 @@ static ssize_t omapfb_show_caps_num(struct device *dev, size = 0; while (size < PAGE_SIZE && plane < OMAPFB_PLANE_NUM) { omapfb_get_caps(fbdev, plane, &caps); - size += snprintf(&buf[size], PAGE_SIZE - size, + size += scnprintf(&buf[size], PAGE_SIZE - size, "plane#%d %#010x %#010x %#010x\n", plane, caps.ctrl, caps.plane_color, caps.wnd_color); plane++; @@ -1268,28 +1268,28 @@ static ssize_t omapfb_show_caps_text(struct device *dev, size = 0; while (size < PAGE_SIZE && plane < OMAPFB_PLANE_NUM) { omapfb_get_caps(fbdev, plane, &caps); - size += snprintf(&buf[size], PAGE_SIZE - size, + size += scnprintf(&buf[size], PAGE_SIZE - size, "plane#%d:\n", plane); for (i = 0; i < ARRAY_SIZE(ctrl_caps) && size < PAGE_SIZE; i++) { if (ctrl_caps[i].flag & caps.ctrl) - size += snprintf(&buf[size], PAGE_SIZE - size, + size += scnprintf(&buf[size], PAGE_SIZE - size, " %s\n", ctrl_caps[i].name); } - size += snprintf(&buf[size], PAGE_SIZE - size, + size += scnprintf(&buf[size], PAGE_SIZE - size, " plane colors:\n"); for (i = 0; i < ARRAY_SIZE(color_caps) && size < PAGE_SIZE; i++) { if (color_caps[i].flag & caps.plane_color) - size += snprintf(&buf[size], PAGE_SIZE - size, + size += scnprintf(&buf[size], PAGE_SIZE - size, " %s\n", color_caps[i].name); } - size += snprintf(&buf[size], PAGE_SIZE - size, + size += scnprintf(&buf[size], PAGE_SIZE - size, " window colors:\n"); for (i = 0; i < ARRAY_SIZE(color_caps) && size < PAGE_SIZE; i++) { if (color_caps[i].flag & caps.wnd_color) - size += snprintf(&buf[size], PAGE_SIZE - size, + size += scnprintf(&buf[size], PAGE_SIZE - size, " %s\n", color_caps[i].name); } From patchwork Wed Mar 11 09:32:29 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Takashi Iwai X-Patchwork-Id: 11431267 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 629B2138D for ; Wed, 11 Mar 2020 09:32:37 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id 40D2F2146E for ; Wed, 11 Mar 2020 09:32:37 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728255AbgCKJcg (ORCPT ); Wed, 11 Mar 2020 05:32:36 -0400 Received: from mx2.suse.de ([195.135.220.15]:32930 "EHLO mx2.suse.de" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1728514AbgCKJcg (ORCPT ); Wed, 11 Mar 2020 05:32:36 -0400 X-Virus-Scanned: by amavisd-new at test-mx.suse.de Received: from relay2.suse.de (unknown [195.135.220.254]) by mx2.suse.de (Postfix) with ESMTP id BF06DB388; Wed, 11 Mar 2020 09:32:34 +0000 (UTC) From: Takashi Iwai To: Bartlomiej Zolnierkiewicz Cc: linux-fbdev@vger.kernel.org Subject: [PATCH 2/3] video: omap2: Use scnprintf() for avoiding potential buffer overflow Date: Wed, 11 Mar 2020 10:32:29 +0100 Message-Id: <20200311093230.24900-3-tiwai@suse.de> X-Mailer: git-send-email 2.16.4 In-Reply-To: <20200311093230.24900-1-tiwai@suse.de> References: <20200311093230.24900-1-tiwai@suse.de> Sender: linux-fbdev-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-fbdev@vger.kernel.org Since snprintf() returns the would-be-output size instead of the actual output size, the succeeding calls may go beyond the given buffer limit. Fix it by replacing with scnprintf(). Signed-off-by: Takashi Iwai --- drivers/video/fbdev/omap2/omapfb/omapfb-sysfs.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/drivers/video/fbdev/omap2/omapfb/omapfb-sysfs.c b/drivers/video/fbdev/omap2/omapfb/omapfb-sysfs.c index 4a5db170ef59..2d39dbfa742e 100644 --- a/drivers/video/fbdev/omap2/omapfb/omapfb-sysfs.c +++ b/drivers/video/fbdev/omap2/omapfb/omapfb-sysfs.c @@ -147,11 +147,11 @@ static ssize_t show_overlays(struct device *dev, if (ovl == fbdev->overlays[ovlnum]) break; - l += snprintf(buf + l, PAGE_SIZE - l, "%s%d", + l += scnprintf(buf + l, PAGE_SIZE - l, "%s%d", t == 0 ? "" : ",", ovlnum); } - l += snprintf(buf + l, PAGE_SIZE - l, "\n"); + l += scnprintf(buf + l, PAGE_SIZE - l, "\n"); omapfb_unlock(fbdev); unlock_fb_info(fbi); @@ -328,11 +328,11 @@ static ssize_t show_overlays_rotate(struct device *dev, lock_fb_info(fbi); for (t = 0; t < ofbi->num_overlays; t++) { - l += snprintf(buf + l, PAGE_SIZE - l, "%s%d", + l += scnprintf(buf + l, PAGE_SIZE - l, "%s%d", t == 0 ? "" : ",", ofbi->rotation[t]); } - l += snprintf(buf + l, PAGE_SIZE - l, "\n"); + l += scnprintf(buf + l, PAGE_SIZE - l, "\n"); unlock_fb_info(fbi); From patchwork Wed Mar 11 09:32:30 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Takashi Iwai X-Patchwork-Id: 11431269 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 82BE417D5 for ; Wed, 11 Mar 2020 09:32:37 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id 6BDAB2146E for ; Wed, 11 Mar 2020 09:32:37 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728514AbgCKJch (ORCPT ); Wed, 11 Mar 2020 05:32:37 -0400 Received: from mx2.suse.de ([195.135.220.15]:32940 "EHLO mx2.suse.de" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1728721AbgCKJcg (ORCPT ); Wed, 11 Mar 2020 05:32:36 -0400 X-Virus-Scanned: by amavisd-new at test-mx.suse.de Received: from relay2.suse.de (unknown [195.135.220.254]) by mx2.suse.de (Postfix) with ESMTP id D0E33B38B; Wed, 11 Mar 2020 09:32:34 +0000 (UTC) From: Takashi Iwai To: Bartlomiej Zolnierkiewicz Cc: linux-fbdev@vger.kernel.org Subject: [PATCH 3/3] video: uvesafb: Use scnprintf() for avoiding potential buffer overflow Date: Wed, 11 Mar 2020 10:32:30 +0100 Message-Id: <20200311093230.24900-4-tiwai@suse.de> X-Mailer: git-send-email 2.16.4 In-Reply-To: <20200311093230.24900-1-tiwai@suse.de> References: <20200311093230.24900-1-tiwai@suse.de> Sender: linux-fbdev-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-fbdev@vger.kernel.org Since snprintf() returns the would-be-output size instead of the actual output size, the succeeding calls may go beyond the given buffer limit. Fix it by replacing with scnprintf(). Signed-off-by: Takashi Iwai --- drivers/video/fbdev/uvesafb.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/video/fbdev/uvesafb.c b/drivers/video/fbdev/uvesafb.c index 53d08d1b56f5..1b385cf76110 100644 --- a/drivers/video/fbdev/uvesafb.c +++ b/drivers/video/fbdev/uvesafb.c @@ -1560,7 +1560,7 @@ static ssize_t uvesafb_show_vbe_modes(struct device *dev, int ret = 0, i; for (i = 0; i < par->vbe_modes_cnt && ret < PAGE_SIZE; i++) { - ret += snprintf(buf + ret, PAGE_SIZE - ret, + ret += scnprintf(buf + ret, PAGE_SIZE - ret, "%dx%d-%d, 0x%.4x\n", par->vbe_modes[i].x_res, par->vbe_modes[i].y_res, par->vbe_modes[i].depth, par->vbe_modes[i].mode_id);