Patch "iommu/omap: Fix buffer overflow in debugfs" has been added to the 5.15-stable tree

Sasha Levin <sashal@xxxxxxxxxx> · Sun, 16 Oct 2022 23:21:20 -0400

This is a note to let you know that I've just added the patch titled

    iommu/omap: Fix buffer overflow in debugfs

to the 5.15-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     iommu-omap-fix-buffer-overflow-in-debugfs.patch
and it can be found in the queue-5.15 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit f8111244b70af64594e0bff446effc588bf361bb
Author: Dan Carpenter <dan.carpenter@xxxxxxxxxx>
Date:   Thu Aug 4 17:32:39 2022 +0300

    iommu/omap: Fix buffer overflow in debugfs
    
    [ Upstream commit 184233a5202786b20220acd2d04ddf909ef18f29 ]
    
    There are two issues here:
    
    1) The "len" variable needs to be checked before the very first write.
       Otherwise if omap2_iommu_dump_ctx() with "bytes" less than 32 it is a
       buffer overflow.
    2) The snprintf() function returns the number of bytes that *would* have
       been copied if there were enough space.  But we want to know the
       number of bytes which were *actually* copied so use scnprintf()
       instead.
    
    Fixes: bd4396f09a4a ("iommu/omap: Consolidate OMAP IOMMU modules")
    Signed-off-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx>
    Reviewed-by: Robin Murphy <robin.murphy@xxxxxxx>
    Reviewed-by: Laurent Pinchart <laurent.pinchart@xxxxxxxxxxxxxxxx>
    Link: https://lore.kernel.org/r/YuvYh1JbE3v+abd5@kili
    Signed-off-by: Joerg Roedel <jroedel@xxxxxxx>
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/drivers/iommu/omap-iommu-debug.c b/drivers/iommu/omap-iommu-debug.c
index a99afb5d9011..259f65291d90 100644
--- a/drivers/iommu/omap-iommu-debug.c
+++ b/drivers/iommu/omap-iommu-debug.c
@@ -32,12 +32,12 @@ static inline bool is_omap_iommu_detached(struct omap_iommu *obj)
 		ssize_t bytes;						\
 		const char *str = "%20s: %08x\n";			\
 		const int maxcol = 32;					\
-		bytes = snprintf(p, maxcol, str, __stringify(name),	\
+		if (len < maxcol)					\
+			goto out;					\
+		bytes = scnprintf(p, maxcol, str, __stringify(name),	\
 				 iommu_read_reg(obj, MMU_##name));	\
 		p += bytes;						\
 		len -= bytes;						\
-		if (len < maxcol)					\
-			goto out;					\
 	} while (0)
 
 static ssize_t






