
asoc: codecs: Fix out of bounds access in register show functions

In the register show functions, when snprintf returns a negative value,
an out-of-bounds access occurs while copying the data to user space.
Add a return value check on snprintf before copy_to_user
to fix this.

Change-Id: I1eb793721c653bf6d1fbd10f4cea3436ffe6f519
Signed-off-by: Aditya Bavanari <[email protected]>
Aditya Bavanari 5 years ago
parent
commit
8aacfcf7ab
3 changed files with 18 additions and 1 deletions
  1. 5 0
      asoc/codecs/wcd9xxx-core.c
  2. 7 1
      asoc/codecs/wsa881x.c
  3. 6 0
      soc/swr-wcd-ctrl.c

+ 5 - 0
asoc/codecs/wcd9xxx-core.c

@@ -709,6 +709,11 @@ static ssize_t wcd9xxx_slimslave_reg_show(char __user *ubuf, size_t count,
 		reg_val = wcd9xxx_interface_reg_read(debugCodec, i);
 		len = snprintf(tmp_buf, sizeof(tmp_buf),
 			"0x%.3x: 0x%.2x\n", i, reg_val);
+		if (len < 0) {
+			pr_err("%s: fail to fill the buffer\n", __func__);
+			total = -EFAULT;
+			goto copy_err;
+		}
 
 		if ((total + len) >= count - 1)
 			break;
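Review bot: The added `len < 0` check in wcd9xxx_slimslave_reg_show leaves the truncation case unhandled: snprintf returns the length the output would have had, so a value of `sizeof(tmp_buf)` or more can still reach the copy to user space and read past tmp_buf. Extending the guard to `if (len < 0 || len >= (int)sizeof(tmp_buf)) {`, or switching the call to `scnprintf`, which returns the number of bytes actually stored, would bound the copy. The same gap exists in the checks added to wsa881x_swrslave_reg_show and swrm_reg_show. The copy_to_user call and the copy_err label are outside this hunk, so their use of len is inferred from the two sibling hunks and the commit message.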

+ 7 - 1
asoc/codecs/wsa881x.c

@@ -105,7 +105,7 @@ struct wsa881x_priv {
 
 #define SWR_SLV_MAX_REG_ADDR	0x390
 #define SWR_SLV_START_REG_ADDR	0x40
-#define SWR_SLV_MAX_BUF_LEN	20
+#define SWR_SLV_MAX_BUF_LEN	25
 #define BYTES_PER_LINE		12
 #define SWR_SLV_RD_BUF_LEN	8
 #define SWR_SLV_WR_BUF_LEN	32
@@ -393,6 +393,12 @@ static ssize_t wsa881x_swrslave_reg_show(char __user *ubuf, size_t count,
 			i, &reg_val, 1);
 		len = snprintf(tmp_buf, 25, "0x%.3x: 0x%.2x\n", i,
 			       (reg_val & 0xFF));
+		if (len < 0) {
+			pr_err("%s: fail to fill the buffer\n", __func__);
+			total = -EFAULT;
+			goto copy_err;
+		}
+
 		if ((total + len) >= count - 1)
 			break;
 		if (copy_to_user((ubuf + total), tmp_buf, len)) {
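Review bot: The snprintf call in wsa881x_swrslave_reg_show still passes the literal `25` as the size, so the bound matches the buffer only while SWR_SLV_MAX_BUF_LEN happens to be 25, which is the mismatch the first hunk in this file has to patch up. Assuming tmp_buf is an array declared with that macro (the declaration is outside the hunk), `len = snprintf(tmp_buf, sizeof(tmp_buf), "0x%.3x: 0x%.2x\n", i,` ties the two together, as wcd9xxx-core.c already does. swrm_reg_show in soc/swr-wcd-ctrl.c uses the same literal `25` and would benefit from the same change.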

+ 6 - 0
soc/swr-wcd-ctrl.c

@@ -265,6 +265,12 @@ static ssize_t swrm_reg_show(char __user *ubuf, size_t count,
 		i <= SWR_MSTR_MAX_REG_ADDR; i += 4) {
 		reg_val = dbgswrm->read(dbgswrm->handle, i);
 		len = snprintf(tmp_buf, 25, "0x%.3x: 0x%.2x\n", i, reg_val);
+		if (len < 0) {
+			pr_err("%s: fail to fill the buffer\n", __func__);
+			total = -EFAULT;
+			goto copy_err;
+		}
+
 		if ((total + len) >= count - 1)
 			break;
 		if (copy_to_user((ubuf + total), tmp_buf, len)) {
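Review bot: The bound `(total + len) >= count - 1` in swrm_reg_show is evaluated in unsigned arithmetic because count is a size_t, so a count of 0 wraps `count - 1` to SIZE_MAX and the loop no longer stops at the length the caller supplied. Whether a caller can pass 0 is not visible here, but `if (count == 0 || (total + len) >= count - 1)` would make the function safe on its own. The same comparison appears in wcd9xxx_slimslave_reg_show and wsa881x_swrslave_reg_show. The loop and the body of the copy_to_user branch continue past the end of this hunk.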