Commit e39c0ffe authored by Takashi Iwai's avatar Takashi Iwai Committed by Greg Kroah-Hartman
Browse files

tty: serial: pch_uart: Use scnprintf() for avoiding potential buffer overflow 



Since snprintf() returns the would-be-output size instead of the
actual output size, the succeeding calls may go beyond the given
buffer limit.  Fix it by replacing with scnprintf().

Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
Link: https://lore.kernel.org/r/20200311092930.24433-1-tiwai@suse.de


Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
parent e2c2e798

drivers/tty/serial/pch_uart.c

+11 −11
Original line number Diff line number Diff line
@@ -310,32 +310,32 @@ static ssize_t port_show_regs(struct file *file, char __user *user_buf, 
	if (!buf)

		return 0;



	len += snprintf(buf + len, PCH_REGS_BUFSIZE - len,

	len += scnprintf(buf + len, PCH_REGS_BUFSIZE - len,

			"PCH EG20T port[%d] regs:\n", priv->port.line);



	len += snprintf(buf + len, PCH_REGS_BUFSIZE - len,

	len += scnprintf(buf + len, PCH_REGS_BUFSIZE - len,

			"=================================\n");

	len += snprintf(buf + len, PCH_REGS_BUFSIZE - len,

	len += scnprintf(buf + len, PCH_REGS_BUFSIZE - len,

			"IER: \t0x%02x\n", ioread8(priv->membase + UART_IER));

	len += snprintf(buf + len, PCH_REGS_BUFSIZE - len,

	len += scnprintf(buf + len, PCH_REGS_BUFSIZE - len,

			"IIR: \t0x%02x\n", ioread8(priv->membase + UART_IIR));

	len += snprintf(buf + len, PCH_REGS_BUFSIZE - len,

	len += scnprintf(buf + len, PCH_REGS_BUFSIZE - len,

			"LCR: \t0x%02x\n", ioread8(priv->membase + UART_LCR));

	len += snprintf(buf + len, PCH_REGS_BUFSIZE - len,

	len += scnprintf(buf + len, PCH_REGS_BUFSIZE - len,

			"MCR: \t0x%02x\n", ioread8(priv->membase + UART_MCR));

	len += snprintf(buf + len, PCH_REGS_BUFSIZE - len,

	len += scnprintf(buf + len, PCH_REGS_BUFSIZE - len,

			"LSR: \t0x%02x\n", ioread8(priv->membase + UART_LSR));

	len += snprintf(buf + len, PCH_REGS_BUFSIZE - len,

	len += scnprintf(buf + len, PCH_REGS_BUFSIZE - len,

			"MSR: \t0x%02x\n", ioread8(priv->membase + UART_MSR));

	len += snprintf(buf + len, PCH_REGS_BUFSIZE - len,

	len += scnprintf(buf + len, PCH_REGS_BUFSIZE - len,

			"BRCSR: \t0x%02x\n",

			ioread8(priv->membase + PCH_UART_BRCSR));



	lcr = ioread8(priv->membase + UART_LCR);

	iowrite8(PCH_UART_LCR_DLAB, priv->membase + UART_LCR);

	len += snprintf(buf + len, PCH_REGS_BUFSIZE - len,

	len += scnprintf(buf + len, PCH_REGS_BUFSIZE - len,

			"DLL: \t0x%02x\n", ioread8(priv->membase + UART_DLL));

	len += snprintf(buf + len, PCH_REGS_BUFSIZE - len,

	len += scnprintf(buf + len, PCH_REGS_BUFSIZE - len,

			"DLM: \t0x%02x\n", ioread8(priv->membase + UART_DLM));

	iowrite8(lcr, priv->membase + UART_LCR);

CRA Git | Maintained and supported by SUSTech CRA and CCSE