[SRU][F:linux-bluefield][PATCH v3 2/3] UBUNTU: SAUCE: mlx-bootctl: Fix potential buffer overflow
Shravan Kumar Ramani
shravankr at nvidia.com
Wed Jun 16 06:41:41 UTC 2021
BugLink: https://bugs.launchpad.net/bugs/1931981
Replace sprintf with snprintf to avoid buffer overflow.
Also, remove the redundant strlen usage, since count is already
available in the _store functions.
Signed-off-by: Shravan Kumar Ramani <shravankr at nvidia.com>
---
drivers/platform/mellanox/mlx-bootctl.c | 123 +++++++++++++++---------
1 file changed, 75 insertions(+), 48 deletions(-)
diff --git a/drivers/platform/mellanox/mlx-bootctl.c b/drivers/platform/mellanox/mlx-bootctl.c
index 8ad38643ecb9..f71d14f2ad4f 100644
--- a/drivers/platform/mellanox/mlx-bootctl.c
+++ b/drivers/platform/mellanox/mlx-bootctl.c
@@ -152,7 +152,8 @@ static const char *reset_action_to_string(int action)
static ssize_t post_reset_wdog_show(struct device_driver *drv,
char *buf)
{
- return sprintf(buf, "%d\n", smc_call0(MLNX_GET_POST_RESET_WDOG));
+ return snprintf(buf, PAGE_SIZE, "%d\n",
+ smc_call0(MLNX_GET_POST_RESET_WDOG));
}
static ssize_t post_reset_wdog_store(struct device_driver *drv,
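Review bot: The new `return snprintf(buf, PAGE_SIZE, ...)` in post_reset_wdog_show returns the length the full output would have had, not the number of bytes stored in buf, which is what a sysfs show callback is expected to return. For `"%d\n"` the two cannot differ in practice, but `scnprintf` states the intent and stays correct if the format grows: `return scnprintf(buf, PAGE_SIZE, "%d\n", smc_call0(MLNX_GET_POST_RESET_WDOG));`. The same applies to reset_action_show, second_reset_action_show, lifecycle_state_show and the manufacturing-info show functions in the later hunks.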
@@ -174,8 +175,8 @@ static ssize_t post_reset_wdog_store(struct device_driver *drv,
static ssize_t reset_action_show(struct device_driver *drv,
char *buf)
{
- return sprintf(buf, "%s\n", reset_action_to_string(
- smc_call0(MLNX_GET_RESET_ACTION)));
+ return snprintf(buf, PAGE_SIZE, "%s\n", reset_action_to_string(
+ smc_call0(MLNX_GET_RESET_ACTION)));
}
static ssize_t reset_action_store(struct device_driver *drv,
@@ -195,8 +196,8 @@ static ssize_t reset_action_store(struct device_driver *drv,
static ssize_t second_reset_action_show(struct device_driver *drv,
char *buf)
{
- return sprintf(buf, "%s\n", reset_action_to_string(
- smc_call0(MLNX_GET_SECOND_RESET_ACTION)));
+ return snprintf(buf, PAGE_SIZE, "%s\n", reset_action_to_string(
+ smc_call0(MLNX_GET_SECOND_RESET_ACTION)));
}
static ssize_t second_reset_action_store(struct device_driver *drv,
@@ -231,10 +232,11 @@ static ssize_t lifecycle_state_show(struct device_driver *drv,
lc_state &= SB_MODE_SECURE_MASK;
- return sprintf(buf, "%s(test)\n", lifecycle_states[lc_state]);
+ return snprintf(buf, PAGE_SIZE, "%s(test)\n",
+ lifecycle_states[lc_state]);
}
- return sprintf(buf, "%s\n", lifecycle_states[lc_state]);
+ return snprintf(buf, PAGE_SIZE, "%s\n", lifecycle_states[lc_state]);
}
static ssize_t secure_boot_fuse_state_show(struct device_driver *drv,
@@ -316,8 +318,10 @@ static ssize_t oob_mac_show(struct device_driver *drv, char *buf)
struct arm_smccc_res res;
u8 *mac_byte_ptr;
+ mutex_lock(&mfg_ops_lock);
arm_smccc_smc(MLNX_HANDLE_GET_MFG_INFO, MLNX_MFG_TYPE_OOB_MAC, 0, 0, 0,
0, 0, 0, &res);
+ mutex_unlock(&mfg_ops_lock);
if (res.a0)
return -EPERM;
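Review bot: The `mutex_lock(&mfg_ops_lock)` / `mutex_unlock(&mfg_ops_lock)` pair added around the SMC call in oob_mac_show has no comment, and the commit message covers only the snprintf and strlen changes. A one-line comment above the lock would record what it protects, for example `/* Serialize MFG info SMC calls with the _store paths. */`; the store side of oob_mac is outside this hunk, so the wording should be confirmed against it. The opn, sku, modl, sn and uuid show hunks add the same lock and would take the same comment. oob_mac_show starts before this hunk and continues after it.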
@@ -327,7 +331,7 @@ static ssize_t oob_mac_show(struct device_driver *drv, char *buf)
mac_byte_ptr[0], mac_byte_ptr[1], mac_byte_ptr[2],
mac_byte_ptr[3], mac_byte_ptr[4], mac_byte_ptr[5]);
- return sprintf(buf, "%s\n", mac_str);
+ return snprintf(buf, PAGE_SIZE, "%s", mac_str);
}
static ssize_t oob_mac_store(struct device_driver *drv, const char *buf,
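Review bot: The replacement line changes the format from `"%s\n"` to `"%s"`, so oob_mac_show no longer ends its output with a newline, and the commit message does not mention this. Unless mac_str already carries one (its format string is above the hunk), readers of the attribute see a user-visible change; keeping the old format avoids that: `return snprintf(buf, PAGE_SIZE, "%s\n", mac_str);`. If the drop is intended, it belongs in the description.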
@@ -368,18 +372,21 @@ static ssize_t opn_show(struct device_driver *drv, char *buf)
struct arm_smccc_res res;
int word;
+ mutex_lock(&mfg_ops_lock);
for (word = 0; word < MLNX_MFG_VAL_WORD_CNT(OPN); word++) {
arm_smccc_smc(MLNX_HANDLE_GET_MFG_INFO,
MLNX_MFG_TYPE_OPN_0 + word,
0, 0, 0, 0, 0, 0, &res);
- if (res.a0)
+ if (res.a0) {
+ mutex_unlock(&mfg_ops_lock);
return -EPERM;
+ }
opn_data[word] = res.a1;
}
-
+ mutex_unlock(&mfg_ops_lock);
memcpy(opn, opn_data, MLNX_MFG_OPN_VAL_LEN);
- return sprintf(buf, "%s", opn);
+ return snprintf(buf, PAGE_SIZE, "%s", opn);
}
static ssize_t opn_store(struct device_driver *drv, const char *buf,
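Review bot: `snprintf(buf, PAGE_SIZE, "%s", opn)` bounds the write into buf but not the read from opn, which still relies on a NUL byte following the MLNX_MFG_OPN_VAL_LEN bytes copied by memcpy. The declaration of opn is above the hunk, so whether it has a spare zeroed byte cannot be confirmed here. A precision makes the read bound explicit: `return snprintf(buf, PAGE_SIZE, "%.*s", (int)MLNX_MFG_OPN_VAL_LEN, opn);`. The sku, modl, sn and uuid show hunks have the same shape.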
@@ -392,7 +399,7 @@ static ssize_t opn_store(struct device_driver *drv, const char *buf,
if (count > MLNX_MFG_OPN_VAL_LEN)
return -EINVAL;
- memcpy(opn, buf, strlen(buf));
+ memcpy(opn, buf, count);
mutex_lock(&mfg_ops_lock);
for (word = 0; word < MLNX_MFG_VAL_WORD_CNT(OPN); word++) {
@@ -416,18 +423,21 @@ static ssize_t sku_show(struct device_driver *drv, char *buf)
struct arm_smccc_res res;
int word;
+ mutex_lock(&mfg_ops_lock);
for (word = 0; word < MLNX_MFG_VAL_WORD_CNT(SKU); word++) {
arm_smccc_smc(MLNX_HANDLE_GET_MFG_INFO,
MLNX_MFG_TYPE_SKU_0 + word,
0, 0, 0, 0, 0, 0, &res);
- if (res.a0)
+ if (res.a0) {
+ mutex_unlock(&mfg_ops_lock);
return -EPERM;
+ }
sku_data[word] = res.a1;
}
-
+ mutex_unlock(&mfg_ops_lock);
memcpy(sku, sku_data, MLNX_MFG_SKU_VAL_LEN);
- return sprintf(buf, "%s", sku);
+ return snprintf(buf, PAGE_SIZE, "%s", sku);
}
static ssize_t sku_store(struct device_driver *drv, const char *buf,
@@ -440,7 +450,7 @@ static ssize_t sku_store(struct device_driver *drv, const char *buf,
if (count > MLNX_MFG_SKU_VAL_LEN)
return -EINVAL;
- memcpy(sku, buf, strlen(buf));
+ memcpy(sku, buf, count);
mutex_lock(&mfg_ops_lock);
for (word = 0; word < MLNX_MFG_VAL_WORD_CNT(SKU); word++) {
@@ -464,18 +474,21 @@ static ssize_t modl_show(struct device_driver *drv, char *buf)
struct arm_smccc_res res;
int word;
+ mutex_lock(&mfg_ops_lock);
for (word = 0; word < MLNX_MFG_VAL_WORD_CNT(MODL); word++) {
arm_smccc_smc(MLNX_HANDLE_GET_MFG_INFO,
MLNX_MFG_TYPE_MODL_0 + word,
0, 0, 0, 0, 0, 0, &res);
- if (res.a0)
+ if (res.a0) {
+ mutex_unlock(&mfg_ops_lock);
return -EPERM;
+ }
modl_data[word] = res.a1;
}
-
+ mutex_unlock(&mfg_ops_lock);
memcpy(modl, modl_data, MLNX_MFG_MODL_VAL_LEN);
- return sprintf(buf, "%s", modl);
+ return snprintf(buf, PAGE_SIZE, "%s", modl);
}
static ssize_t modl_store(struct device_driver *drv, const char *buf,
@@ -488,7 +501,7 @@ static ssize_t modl_store(struct device_driver *drv, const char *buf,
if (count > MLNX_MFG_MODL_VAL_LEN)
return -EINVAL;
- memcpy(modl, buf, strlen(buf));
+ memcpy(modl, buf, count);
mutex_lock(&mfg_ops_lock);
for (word = 0; word < MLNX_MFG_VAL_WORD_CNT(MODL); word++) {
@@ -512,18 +525,21 @@ static ssize_t sn_show(struct device_driver *drv, char *buf)
struct arm_smccc_res res;
int word;
+ mutex_lock(&mfg_ops_lock);
for (word = 0; word < MLNX_MFG_VAL_WORD_CNT(SN); word++) {
arm_smccc_smc(MLNX_HANDLE_GET_MFG_INFO,
MLNX_MFG_TYPE_SN_0 + word,
0, 0, 0, 0, 0, 0, &res);
- if (res.a0)
+ if (res.a0) {
+ mutex_unlock(&mfg_ops_lock);
return -EPERM;
+ }
sn_data[word] = res.a1;
}
-
+ mutex_unlock(&mfg_ops_lock);
memcpy(sn, sn_data, MLNX_MFG_SN_VAL_LEN);
- return sprintf(buf, "%s", sn);
+ return snprintf(buf, PAGE_SIZE, "%s", sn);
}
static ssize_t sn_store(struct device_driver *drv, const char *buf,
@@ -536,7 +552,7 @@ static ssize_t sn_store(struct device_driver *drv, const char *buf,
if (count > MLNX_MFG_SN_VAL_LEN)
return -EINVAL;
- memcpy(sn, buf, strlen(buf));
+ memcpy(sn, buf, count);
mutex_lock(&mfg_ops_lock);
for (word = 0; word < MLNX_MFG_VAL_WORD_CNT(SN); word++) {
@@ -560,18 +576,21 @@ static ssize_t uuid_show(struct device_driver *drv, char *buf)
struct arm_smccc_res res;
int word;
+ mutex_lock(&mfg_ops_lock);
for (word = 0; word < MLNX_MFG_VAL_WORD_CNT(UUID); word++) {
arm_smccc_smc(MLNX_HANDLE_GET_MFG_INFO,
MLNX_MFG_TYPE_UUID_0 + word,
0, 0, 0, 0, 0, 0, &res);
- if (res.a0)
+ if (res.a0) {
+ mutex_unlock(&mfg_ops_lock);
return -EPERM;
+ }
uuid_data[word] = res.a1;
}
-
+ mutex_unlock(&mfg_ops_lock);
memcpy(uuid, uuid_data, MLNX_MFG_UUID_VAL_LEN);
- return sprintf(buf, "%s", uuid);
+ return snprintf(buf, PAGE_SIZE, "%s", uuid);
}
static ssize_t uuid_store(struct device_driver *drv, const char *buf,
@@ -584,7 +603,7 @@ static ssize_t uuid_store(struct device_driver *drv, const char *buf,
if (count > MLNX_MFG_UUID_VAL_LEN)
return -EINVAL;
- memcpy(uuid, buf, strlen(buf));
+ memcpy(uuid, buf, count);
mutex_lock(&mfg_ops_lock);
for (word = 0; word < MLNX_MFG_VAL_WORD_CNT(UUID); word++) {
@@ -897,7 +916,7 @@ static char *rsh_log_get_reg_name(u64 opcode)
return "unknown";
}
-static int rsh_log_show_crash(u64 hdr, char *buf)
+static int rsh_log_show_crash(u64 hdr, char *buf, int size)
{
int i, module, type, len, n = 0;
u32 pc, syndrome, ec;
@@ -913,17 +932,20 @@ static int rsh_log_show_crash(u64 hdr, char *buf)
if (type == BF_RSH_LOG_TYPE_EXCEPTION) {
syndrome = BF_RSH_LOG_HEADER_GET(SYNDROME, hdr);
ec = syndrome >> AARCH64_ESR_ELX_EXCEPTION_CLASS_SHIFT;
- n = sprintf(p, " Exception(%s): syndrome = 0x%x%s\n",
+ n = snprintf(p, size, " Exception(%s): syndrome = 0x%x%s\n",
rsh_log_mod[module], syndrome,
(ec == 0x24 || ec == 0x25) ? "(Data Abort)" :
(ec == 0x2f) ? "(SError)" : "");
} else if (type == BF_RSH_LOG_TYPE_PANIC) {
pc = BF_RSH_LOG_HEADER_GET(PC, hdr);
- n = sprintf(p, " PANIC(%s): PC = 0x%x\n", rsh_log_mod[module],
- pc);
+ n = snprintf(p, size,
+ " PANIC(%s): PC = 0x%x\n", rsh_log_mod[module],
+ pc);
}
- if (n > 0)
+ if (n > 0) {
p += n;
+ size -= n;
+ }
/*
* Read the registers in a loop. 'len' is the total number of words in
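Review bot: `p += n; size -= n;` after `n = snprintf(p, size, ...)` in rsh_log_show_crash uses snprintf's return value, which is the length the output would have had without truncation, so once a line is cut short p moves past the end of the buffer and size drops to zero or below. A negative int size is then converted to a very large size_t in the next call, and `return p - buf` reports more bytes than were stored. `scnprintf` returns the bytes actually written and keeps both counters in bounds: `n = scnprintf(p, size, ...)`, with `len = vscnprintf(buf, size, msg, args);` in rsh_log_format_msg. The register loop in the next hunk, the `len +=` chain in rsh_log_show_msg and the `size -= n` lines in rsh_log_show depend on the same return value.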
@@ -935,28 +957,31 @@ static int rsh_log_show_crash(u64 hdr, char *buf)
opcode = (opcode >> AARCH64_MRS_REG_SHIFT) &
AARCH64_MRS_REG_MASK;
- n = sprintf(p, " %-16s0x%llx\n", rsh_log_get_reg_name(opcode),
- (unsigned long long)data);
- if (n > 0)
+ n = snprintf(p, size,
+ " %-16s0x%llx\n", rsh_log_get_reg_name(opcode),
+ (unsigned long long)data);
+ if (n > 0) {
p += n;
+ size -= n;
+ }
}
return p - buf;
}
-static int rsh_log_format_msg(char *buf, const char *msg, ...)
+static int rsh_log_format_msg(char *buf, int size, const char *msg, ...)
{
va_list args;
int len;
va_start(args, msg);
- len = vsprintf(buf, msg, args);
+ len = vsnprintf(buf, size, msg, args);
va_end(args);
return len;
}
-static int rsh_log_show_msg(u64 hdr, char *buf)
+static int rsh_log_show_msg(u64 hdr, char *buf, int size)
{
int has_arg = BF_RSH_LOG_HEADER_GET(HAS_ARG, hdr);
int level = BF_RSH_LOG_HEADER_GET(LEVEL, hdr);
@@ -987,13 +1012,13 @@ static int rsh_log_show_msg(u64 hdr, char *buf)
}
*p = '\0';
if (!has_arg) {
- len = sprintf(buf, " %s[%s]: %s\n", rsh_log_level[level],
- rsh_log_mod[module], msg);
+ len = snprintf(buf, size, " %s[%s]: %s\n", rsh_log_level[level],
+ rsh_log_mod[module], msg);
} else {
- len = sprintf(buf, " %s[%s]: ", rsh_log_level[level],
- rsh_log_mod[module]);
- len += rsh_log_format_msg(buf + len, msg, arg);
- len += sprintf(buf + len, "\n");
+ len = snprintf(buf, size, " %s[%s]: ", rsh_log_level[level],
+ rsh_log_mod[module]);
+ len += rsh_log_format_msg(buf + len, size - len, msg, arg);
+ len += snprintf(buf + len, size - len, "\n");
}
kfree(msg);
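Review bot: `rsh_log_format_msg(buf + len, size - len, msg, arg)` passes msg as the format string, and msg looks like a run-time buffer (it is NUL-terminated just above and released with `kfree(msg)` below) rather than a literal. If its bytes come from the log being displayed — the code that fills it is outside the hunk — any conversion specifier in it is interpreted against the single `arg`, and bounding the output size does not change that. Checking that msg holds only the integer conversions the log format allows before formatting would close the gap; at minimum the assumption should be recorded, e.g. `/* msg is used as a format string; only integer conversions are expected */`.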
@@ -1004,7 +1029,7 @@ static ssize_t rsh_log_show(struct device_driver *drv, char *buf)
{
u64 hdr;
char *p = buf;
- int i, n, rc, idx, type, len;
+ int i, n, rc, idx, type, len, size = PAGE_SIZE;
if (!rsh_semaphore || !rsh_scratch_buf_ctl)
return -EOPNOTSUPP;
@@ -1032,12 +1057,14 @@ static ssize_t rsh_log_show(struct device_driver *drv, char *buf)
switch (type) {
case BF_RSH_LOG_TYPE_PANIC:
case BF_RSH_LOG_TYPE_EXCEPTION:
- n = rsh_log_show_crash(hdr, p);
+ n = rsh_log_show_crash(hdr, p, size);
p += n;
+ size -= n;
break;
case BF_RSH_LOG_TYPE_MSG:
- n = rsh_log_show_msg(hdr, p);
+ n = rsh_log_show_msg(hdr, p, size);
p += n;
+ size -= n;
break;
default:
/* Drain this message. */
--
2.30.1