On Tue, 8 Feb 2022 at 13:02, Sergey Shtylyov <s.shtylyov@xxxxxx> wrote:
>
> sprintf() (still used in the MMC core for the sysfs output) is vulnerable
> to the buffer overflow. Use the new-fangled sysfs_emit() instead.
>
> Found by Linux Verification Center (linuxtesting.org) with the SVACE static
> analysis tool.
>
> Signed-off-by: Sergey Shtylyov <s.shtylyov@xxxxxx>
Applied for next and by adding a stable tag, thanks!
Kind regards
Uffe
>
> ---
> This patch is against the 'next' branch of Ulf Hansson's 'mmc.git' repo.
>
> Changes in version 2:
> - added #include <linux/sysfs.h> where it was missing;
> - moved #include <linux/sysfs.h> where it was present (the #includes weren't
> sorted as it seemed at 1st).
>
> drivers/mmc/core/bus.c | 9 +++++----
> drivers/mmc/core/bus.h | 3 ++-
> drivers/mmc/core/mmc.c | 16 ++++++++--------
> drivers/mmc/core/sd.c | 27 +++++++++++++--------------
> drivers/mmc/core/sdio.c | 5 +++--
> drivers/mmc/core/sdio_bus.c | 7 ++++---
> 6 files changed, 35 insertions(+), 32 deletions(-)
>
> Index: mmc/drivers/mmc/core/bus.c
> ===================================================================
> --- mmc.orig/drivers/mmc/core/bus.c
> +++ mmc/drivers/mmc/core/bus.c
> @@ -15,6 +15,7 @@
> #include <linux/stat.h>
> #include <linux/of.h>
> #include <linux/pm_runtime.h>
> +#include <linux/sysfs.h>
>
> #include <linux/mmc/card.h>
> #include <linux/mmc/host.h>
> @@ -34,13 +35,13 @@ static ssize_t type_show(struct device *
>
> switch (card->type) {
> case MMC_TYPE_MMC:
> - return sprintf(buf, "MMC\n");
> + return sysfs_emit(buf, "MMC\n");
> case MMC_TYPE_SD:
> - return sprintf(buf, "SD\n");
> + return sysfs_emit(buf, "SD\n");
> case MMC_TYPE_SDIO:
> - return sprintf(buf, "SDIO\n");
> + return sysfs_emit(buf, "SDIO\n");
> case MMC_TYPE_SD_COMBO:
> - return sprintf(buf, "SDcombo\n");
> + return sysfs_emit(buf, "SDcombo\n");
> default:
> return -EFAULT;
> }
> Index: mmc/drivers/mmc/core/bus.h
> ===================================================================
> --- mmc.orig/drivers/mmc/core/bus.h
> +++ mmc/drivers/mmc/core/bus.h
> @@ -9,6 +9,7 @@
> #define _MMC_CORE_BUS_H
>
> #include <linux/device.h>
> +#include <linux/sysfs.h>
>
> struct mmc_host;
> struct mmc_card;
> @@ -17,7 +18,7 @@ struct mmc_card;
> static ssize_t mmc_##name##_show (struct device *dev, struct device_attribute *attr, char *buf) \
> { \
> struct mmc_card *card = mmc_dev_to_card(dev); \
> - return sprintf(buf, fmt, args); \
> + return sysfs_emit(buf, fmt, args); \
> } \
> static DEVICE_ATTR(name, S_IRUGO, mmc_##name##_show, NULL)
>
> Index: mmc/drivers/mmc/core/mmc.c
> ===================================================================
> --- mmc.orig/drivers/mmc/core/mmc.c
> +++ mmc/drivers/mmc/core/mmc.c
> @@ -12,6 +12,7 @@
> #include <linux/slab.h>
> #include <linux/stat.h>
> #include <linux/pm_runtime.h>
> +#include <linux/sysfs.h>
>
> #include <linux/mmc/host.h>
> #include <linux/mmc/card.h>
> @@ -812,12 +813,11 @@ static ssize_t mmc_fwrev_show(struct dev
> {
> struct mmc_card *card = mmc_dev_to_card(dev);
>
> - if (card->ext_csd.rev < 7) {
> - return sprintf(buf, "0x%x\n", card->cid.fwrev);
> - } else {
> - return sprintf(buf, "0x%*phN\n", MMC_FIRMWARE_LEN,
> - card->ext_csd.fwrev);
> - }
> + if (card->ext_csd.rev < 7)
> + return sysfs_emit(buf, "0x%x\n", card->cid.fwrev);
> + else
> + return sysfs_emit(buf, "0x%*phN\n", MMC_FIRMWARE_LEN,
> + card->ext_csd.fwrev);
> }
>
> static DEVICE_ATTR(fwrev, S_IRUGO, mmc_fwrev_show, NULL);
> @@ -830,10 +830,10 @@ static ssize_t mmc_dsr_show(struct devic
> struct mmc_host *host = card->host;
>
> if (card->csd.dsr_imp && host->dsr_req)
> - return sprintf(buf, "0x%x\n", host->dsr);
> + return sysfs_emit(buf, "0x%x\n", host->dsr);
> else
> /* return default DSR value */
> - return sprintf(buf, "0x%x\n", 0x404);
> + return sysfs_emit(buf, "0x%x\n", 0x404);
> }
>
> static DEVICE_ATTR(dsr, S_IRUGO, mmc_dsr_show, NULL);
> Index: mmc/drivers/mmc/core/sd.c
> ===================================================================
> --- mmc.orig/drivers/mmc/core/sd.c
> +++ mmc/drivers/mmc/core/sd.c
> @@ -13,6 +13,7 @@
> #include <linux/stat.h>
> #include <linux/pm_runtime.h>
> #include <linux/scatterlist.h>
> +#include <linux/sysfs.h>
>
> #include <linux/mmc/host.h>
> #include <linux/mmc/card.h>
> @@ -708,18 +709,16 @@ MMC_DEV_ATTR(ocr, "0x%08x\n", card->ocr)
> MMC_DEV_ATTR(rca, "0x%04x\n", card->rca);
>
>
> -static ssize_t mmc_dsr_show(struct device *dev,
> - struct device_attribute *attr,
> - char *buf)
> -{
> - struct mmc_card *card = mmc_dev_to_card(dev);
> - struct mmc_host *host = card->host;
> -
> - if (card->csd.dsr_imp && host->dsr_req)
> - return sprintf(buf, "0x%x\n", host->dsr);
> - else
> - /* return default DSR value */
> - return sprintf(buf, "0x%x\n", 0x404);
> +static ssize_t mmc_dsr_show(struct device *dev, struct device_attribute *attr,
> + char *buf)
> +{
> + struct mmc_card *card = mmc_dev_to_card(dev);
> + struct mmc_host *host = card->host;
> +
> + if (card->csd.dsr_imp && host->dsr_req)
> + return sysfs_emit(buf, "0x%x\n", host->dsr);
> + /* return default DSR value */
> + return sysfs_emit(buf, "0x%x\n", 0x404);
> }
>
> static DEVICE_ATTR(dsr, S_IRUGO, mmc_dsr_show, NULL);
> @@ -735,9 +734,9 @@ static ssize_t info##num##_show(struct d
> \
> if (num > card->num_info) \
> return -ENODATA; \
> - if (!card->info[num-1][0]) \
> + if (!card->info[num - 1][0]) \
> return 0; \
> - return sprintf(buf, "%s\n", card->info[num-1]); \
> + return sysfs_emit(buf, "%s\n", card->info[num - 1]); \
> } \
> static DEVICE_ATTR_RO(info##num)
>
> Index: mmc/drivers/mmc/core/sdio.c
> ===================================================================
> --- mmc.orig/drivers/mmc/core/sdio.c
> +++ mmc/drivers/mmc/core/sdio.c
> @@ -7,6 +7,7 @@
>
> #include <linux/err.h>
> #include <linux/pm_runtime.h>
> +#include <linux/sysfs.h>
>
> #include <linux/mmc/host.h>
> #include <linux/mmc/card.h>
> @@ -40,9 +41,9 @@ static ssize_t info##num##_show(struct d
> \
> if (num > card->num_info) \
> return -ENODATA; \
> - if (!card->info[num-1][0]) \
> + if (!card->info[num - 1][0]) \
> return 0; \
> - return sprintf(buf, "%s\n", card->info[num-1]); \
> + return sysfs_emit(buf, "%s\n", card->info[num - 1]); \
> } \
> static DEVICE_ATTR_RO(info##num)
>
> Index: mmc/drivers/mmc/core/sdio_bus.c
> ===================================================================
> --- mmc.orig/drivers/mmc/core/sdio_bus.c
> +++ mmc/drivers/mmc/core/sdio_bus.c
> @@ -14,6 +14,7 @@
> #include <linux/pm_runtime.h>
> #include <linux/pm_domain.h>
> #include <linux/acpi.h>
> +#include <linux/sysfs.h>
>
> #include <linux/mmc/card.h>
> #include <linux/mmc/host.h>
> @@ -35,7 +36,7 @@ field##_show(struct device *dev, struct
> struct sdio_func *func; \
> \
> func = dev_to_sdio_func (dev); \
> - return sprintf(buf, format_string, args); \
> + return sysfs_emit(buf, format_string, args); \
> } \
> static DEVICE_ATTR_RO(field)
>
> @@ -52,9 +53,9 @@ static ssize_t info##num##_show(struct d
> \
> if (num > func->num_info) \
> return -ENODATA; \
> - if (!func->info[num-1][0]) \
> + if (!func->info[num - 1][0]) \
> return 0; \
> - return sprintf(buf, "%s\n", func->info[num-1]); \
> + return sysfs_emit(buf, "%s\n", func->info[num - 1]); \
> } \
> static DEVICE_ATTR_RO(info##num)
>
