Commit f5d8a5fe authored by Sergey Shtylyov's avatar Sergey Shtylyov Committed by Ulf Hansson

mmc: core: use sysfs_emit() instead of sprintf()



sprintf() (still used in the MMC core for the sysfs output) is vulnerable
to buffer overflow.  Use the new-fangled sysfs_emit() instead.

Found by Linux Verification Center (linuxtesting.org) with the SVACE static
analysis tool.

Signed-off-by: default avatarSergey Shtylyov <s.shtylyov@omp.ru>
Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/r/717729b2-d65b-c72e-9fac-471d28d00b5a@omp.ru


Signed-off-by: default avatarUlf Hansson <ulf.hansson@linaro.org>
parent 75a2f412
+5 −4
@@ -15,6 +15,7 @@
#include <linux/stat.h>
#include <linux/of.h>
#include <linux/pm_runtime.h>
#include <linux/sysfs.h>

#include <linux/mmc/card.h>
#include <linux/mmc/host.h>
@@ -34,13 +35,13 @@ static ssize_t type_show(struct device *dev,

	switch (card->type) {
	case MMC_TYPE_MMC:
		return sprintf(buf, "MMC\n");
		return sysfs_emit(buf, "MMC\n");
	case MMC_TYPE_SD:
		return sprintf(buf, "SD\n");
		return sysfs_emit(buf, "SD\n");
	case MMC_TYPE_SDIO:
		return sprintf(buf, "SDIO\n");
		return sysfs_emit(buf, "SDIO\n");
	case MMC_TYPE_SD_COMBO:
		return sprintf(buf, "SDcombo\n");
		return sysfs_emit(buf, "SDcombo\n");
	default:
		return -EFAULT;
	}
+2 −1
@@ -9,6 +9,7 @@
#define _MMC_CORE_BUS_H

#include <linux/device.h>
#include <linux/sysfs.h>

struct mmc_host;
struct mmc_card;
@@ -17,7 +18,7 @@ struct mmc_card;
static ssize_t mmc_##name##_show (struct device *dev, struct device_attribute *attr, char *buf)	\
{										\
	struct mmc_card *card = mmc_dev_to_card(dev);				\
	return sprintf(buf, fmt, args);						\
	return sysfs_emit(buf, fmt, args);					\
}										\
static DEVICE_ATTR(name, S_IRUGO, mmc_##name##_show, NULL)
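Review bot: The generated `mmc_##name##_show` body now ends in `return sysfs_emit(buf, fmt, args);`, but nothing on the macro documents the buffer contract that call enforces. sysfs_emit() expects `buf` to be the page-aligned PAGE_SIZE buffer that sysfs passes to a show() callback; for any other pointer it warns and returns 0, so a generated function reused outside a sysfs show path would silently emit nothing. A comment above the macro would cover it, for example `/* Generates a sysfs show() callback; buf must be the PAGE_SIZE sysfs buffer, output is bounded by sysfs_emit(). */`. The `#define` line of the macro is outside this hunk, so the placement is a suggestion.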

+8 −8
@@ -12,6 +12,7 @@
#include <linux/slab.h>
#include <linux/stat.h>
#include <linux/pm_runtime.h>
#include <linux/sysfs.h>

#include <linux/mmc/host.h>
#include <linux/mmc/card.h>
@@ -812,13 +813,12 @@ static ssize_t mmc_fwrev_show(struct device *dev,
{
	struct mmc_card *card = mmc_dev_to_card(dev);

	if (card->ext_csd.rev < 7) {
		return sprintf(buf, "0x%x\n", card->cid.fwrev);
	} else {
		return sprintf(buf, "0x%*phN\n", MMC_FIRMWARE_LEN,
	if (card->ext_csd.rev < 7)
		return sysfs_emit(buf, "0x%x\n", card->cid.fwrev);
	else
		return sysfs_emit(buf, "0x%*phN\n", MMC_FIRMWARE_LEN,
				  card->ext_csd.fwrev);
}
}

static DEVICE_ATTR(fwrev, S_IRUGO, mmc_fwrev_show, NULL);

@@ -830,10 +830,10 @@ static ssize_t mmc_dsr_show(struct device *dev,
	struct mmc_host *host = card->host;

	if (card->csd.dsr_imp && host->dsr_req)
		return sprintf(buf, "0x%x\n", host->dsr);
		return sysfs_emit(buf, "0x%x\n", host->dsr);
	else
		/* return default DSR value */
		return sprintf(buf, "0x%x\n", 0x404);
		return sysfs_emit(buf, "0x%x\n", 0x404);
}

static DEVICE_ATTR(dsr, S_IRUGO, mmc_dsr_show, NULL);
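Review bot: Both converted functions in this section keep an `else` after a `return`, and in mmc_dsr_show the comment sits between the `else` and its statement. The other mmc_dsr_show touched by this commit (the section that follows) appears to drop the `else`, so the two copies now differ in shape for no functional reason. Suggest the same form here: `return sysfs_emit(buf, "0x%x\n", host->dsr);` under the `if`, then `/* return default DSR value */` and `return sysfs_emit(buf, "0x%x\n", 0x404);` at function level, and likewise for the two returns in mmc_fwrev_show. The +/- markers are lost on this page, so the old and new sides are read off the sprintf/sysfs_emit pairs; both functions start outside their hunks.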
+12 −13
@@ -13,6 +13,7 @@
#include <linux/stat.h>
#include <linux/pm_runtime.h>
#include <linux/scatterlist.h>
#include <linux/sysfs.h>

#include <linux/mmc/host.h>
#include <linux/mmc/card.h>
@@ -708,18 +709,16 @@ MMC_DEV_ATTR(ocr, "0x%08x\n", card->ocr);
MMC_DEV_ATTR(rca, "0x%04x\n", card->rca);


static ssize_t mmc_dsr_show(struct device *dev,
                           struct device_attribute *attr,
static ssize_t mmc_dsr_show(struct device *dev, struct device_attribute *attr,
			    char *buf)
{
	struct mmc_card *card = mmc_dev_to_card(dev);
	struct mmc_host *host = card->host;

	if (card->csd.dsr_imp && host->dsr_req)
               return sprintf(buf, "0x%x\n", host->dsr);
       else
		return sysfs_emit(buf, "0x%x\n", host->dsr);
	/* return default DSR value */
               return sprintf(buf, "0x%x\n", 0x404);
	return sysfs_emit(buf, "0x%x\n", 0x404);
}

static DEVICE_ATTR(dsr, S_IRUGO, mmc_dsr_show, NULL);
@@ -737,7 +736,7 @@ static ssize_t info##num##_show(struct device *dev, struct device_attribute *att
		return -ENODATA;								\
	if (!card->info[num - 1][0])								\
		return 0;									\
	return sprintf(buf, "%s\n", card->info[num-1]);						\
	return sysfs_emit(buf, "%s\n", card->info[num - 1]);					\
}												\
static DEVICE_ATTR_RO(info##num)
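Review bot: The `info##num##_show` generator converted at the end of this section is repeated line for line in the next file section, so the same `return sysfs_emit(buf, "%s\n", card->info[num - 1]);` edit had to be made twice. Keeping a single definition in the shared header, next to the `mmc_##name##_show` generator, would mean that future hardening of this output path cannot miss one copy. Separately, sysfs_emit() caps what is written at PAGE_SIZE, but `%s` still reads `card->info[num - 1]` up to its terminator. Where those strings are populated is not visible here, so a short comment on the macro stating that the entries are NUL-terminated (if that holds) would make the bound complete. The macro heads lie outside both hunks.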

+3 −2
@@ -7,6 +7,7 @@

#include <linux/err.h>
#include <linux/pm_runtime.h>
#include <linux/sysfs.h>

#include <linux/mmc/host.h>
#include <linux/mmc/card.h>
@@ -42,7 +43,7 @@ static ssize_t info##num##_show(struct device *dev, struct device_attribute *att
		return -ENODATA;								\
	if (!card->info[num - 1][0])								\
		return 0;									\
	return sprintf(buf, "%s\n", card->info[num-1]);						\
	return sysfs_emit(buf, "%s\n", card->info[num - 1]);					\
}												\
static DEVICE_ATTR_RO(info##num)
