Unverified Commit 5549af7f authored Aug 05, 2022 by Mark Brown

ASoC: Fix theoretical buffer overflow by snprintf()

Merge series from Takashi Iwai <tiwai@suse.de>:

This is a patch series to paper over the theoretical buffer overflow
that might be caused by snprintf().  snprintf() is notorious for its
behavior and the usage of a safer version, scnprintf(), is
recommended.

parents 75459065 94c1ceb0

sound/soc/intel/avs/pcm.c

+2 −2

Original line number	Diff line number	Diff line
		@@ -636,7 +636,7 @@ static ssize_t topology_name_read(struct file file, char __user user_buf, size
		char buf[64];
		size_t len;

		len = snprintf(buf, sizeof(buf), "%s/%s\n", component->driver->topology_name_prefix,
		len = scnprintf(buf, sizeof(buf), "%s/%s\n", component->driver->topology_name_prefix,
		mach->tplg_filename);

		return simple_read_from_buffer(user_buf, count, ppos, buf, len);

sound/soc/sof/debug.c

+3 −3

Original line number	Diff line number	Diff line
		@@ -252,7 +252,7 @@ static int memory_info_update(struct snd_sof_dev sdev, char buf, size_t buff_s
		}

		for (i = 0, len = 0; i < reply->num_elems; i++) {
		ret = snprintf(buf + len, buff_size - len, "zone %d.%d used %#8x free %#8x\n",
		ret = scnprintf(buf + len, buff_size - len, "zone %d.%d used %#8x free %#8x\n",
		reply->elems[i].zone, reply->elems[i].id,
		reply->elems[i].used, reply->elems[i].free);
		if (ret < 0)

sound/soc/sof/intel/hda.c

+1 −1

Original line number	Diff line number	Diff line
		@@ -574,7 +574,7 @@ static void hda_dsp_dump_ext_rom_status(struct snd_sof_dev sdev, const char le
		chip = get_chip_info(sdev->pdata);
		for (i = 0; i < HDA_EXT_ROM_STATUS_SIZE; i++) {
		value = snd_sof_dsp_read(sdev, HDA_DSP_BAR, chip->rom_status_reg + i * 0x4);
		len += snprintf(msg + len, sizeof(msg) - len, " 0x%x", value);
		len += scnprintf(msg + len, sizeof(msg) - len, " 0x%x", value);
		}

		dev_printk(level, sdev->dev, "extended rom status: %s", msg);