From 9f599b4a78c8f798fab8655641cfd74e42fdaef0 Mon Sep 17 00:00:00 2001 From: Aditya Bavanari Date: Tue, 27 Aug 2019 22:18:41 +0530 Subject: [PATCH] soc: Fix out of bounds access in register show function In register show function, when snprintf returns a negative value out of bounds access occurs while copying the data to user. Add return value check on snprintf before copy_to_user to fix this. Change-Id: I96bfa64b1603c966852c1d4d4a12651664f17aed Signed-off-by: Aditya Bavanari --- soc/swr-mstr-ctrl.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/soc/swr-mstr-ctrl.c b/soc/swr-mstr-ctrl.c index c4deb20014..b42cd5f494 100644 --- a/soc/swr-mstr-ctrl.c +++ b/soc/swr-mstr-ctrl.c @@ -144,6 +144,11 @@ static ssize_t swrm_reg_show(char __user *ubuf, size_t count, i <= SWR_MSTR_MAX_REG_ADDR; i += 4) { reg_val = dbgswrm->read(dbgswrm->handle, i); len = snprintf(tmp_buf, 25, "0x%.3x: 0x%.2x\n", i, reg_val); + if (len < 0) { + pr_err("%s: fail to fill the buffer\n", __func__); + total = -EFAULT; + goto copy_err; + } if ((total + len) >= count - 1) break; if (copy_to_user((ubuf + total), tmp_buf, len)) {