From nobody Thu Dec 18 13:00:11 2025 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 1EFB0C32772 for ; Tue, 23 Aug 2022 09:25:24 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1350090AbiHWJZW (ORCPT ); Tue, 23 Aug 2022 05:25:22 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:40124 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1349781AbiHWJY2 (ORCPT ); Tue, 23 Aug 2022 05:24:28 -0400 Received: from ams.source.kernel.org (ams.source.kernel.org [145.40.68.75]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id C474490805; Tue, 23 Aug 2022 01:35:54 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ams.source.kernel.org (Postfix) with ESMTPS id 4123BB81C4F; Tue, 23 Aug 2022 08:18:37 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id AC131C433C1; Tue, 23 Aug 2022 08:18:35 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1661242716; bh=+Z2c0OxS9hfS3VZxv8oMBN/X8wfE6XIeSWU42oMqx5g=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=DnvO1XDR/pMEl79/YFpUmiXmcx0Sm36gvoNb8rbDnB4OnWCc/V2eJtCUZ69EfkfiQ Is5mHwKMCowINxnCmWHoZreVJcRWVTS9iL4ie+2ViT+gj7KZ05LL/fSHNh+n/H9FKV vhcy2kR4s1gCghVzhl3ZLjHCRP/6OER8hZ9Pls00= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Takashi Iwai , Mark Brown Subject: [PATCH 5.19 178/365] ASoC: SOF: Intel: hda: Fix potential buffer overflow by snprintf() Date: Tue, 23 Aug 2022 10:01:19 +0200 Message-Id: <20220823080125.671237572@linuxfoundation.org> X-Mailer: git-send-email 2.37.2 In-Reply-To: <20220823080118.128342613@linuxfoundation.org> References: <20220823080118.128342613@linuxfoundation.org> User-Agent: quilt/0.67 MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" From: Takashi Iwai commit 94c1ceb043c1a002de9649bb630c8e8347645982 upstream. snprintf() returns the would-be-filled size when the string overflows the given buffer size, hence using this value may result in the buffer overflow (although it's unrealistic). This patch replaces with a safer version, scnprintf() for papering over such a potential issue. Fixes: 29c8e4398f02 ("ASoC: SOF: Intel: hda: add extended rom status dump t= o error log") Signed-off-by: Takashi Iwai Link: https://lore.kernel.org/r/20220801165420.25978-4-tiwai@suse.de Signed-off-by: Mark Brown Signed-off-by: Greg Kroah-Hartman --- sound/soc/sof/intel/hda.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- a/sound/soc/sof/intel/hda.c +++ b/sound/soc/sof/intel/hda.c @@ -467,7 +467,7 @@ static void hda_dsp_dump_ext_rom_status( chip =3D get_chip_info(sdev->pdata); for (i =3D 0; i < HDA_EXT_ROM_STATUS_SIZE; i++) { value =3D snd_sof_dsp_read(sdev, HDA_DSP_BAR, chip->rom_status_reg + i *= 0x4); - len +=3D snprintf(msg + len, sizeof(msg) - len, " 0x%x", value); + len +=3D scnprintf(msg + len, sizeof(msg) - len, " 0x%x", value); } =20 dev_printk(level, sdev->dev, "extended rom status: %s", msg);