[PATCH 5.17 0129/1126] mmc: core: use sysfs_emit() instead of sprintf()

From: Greg Kroah-Hartman
Date: Tue Apr 05 2022 - 04:02:24 EST

Next message: Greg Kroah-Hartman: "[PATCH 5.17 0167/1126] media: gpio-ir-tx: fix transmit with long spaces on Orange Pi PC"
Previous message: Greg Kroah-Hartman: "[PATCH 5.17 0110/1126] mm/kmemleak: reset tag when compare object pointer"
In reply to: Greg Kroah-Hartman: "[PATCH 5.17 0110/1126] mm/kmemleak: reset tag when compare object pointer"
Next in thread: Greg Kroah-Hartman: "[PATCH 5.17 0167/1126] media: gpio-ir-tx: fix transmit with long spaces on Orange Pi PC"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Sergey Shtylyov <s.shtylyov@xxxxxx>

commit f5d8a5fe77ce933f53eb8f2e22bb7a1a2019ea11 upstream.

sprintf() (still used in the MMC core for the sysfs output) is vulnerable
to the buffer overflow. Use the new-fangled sysfs_emit() instead.

Found by Linux Verification Center (linuxtesting.org) with the SVACE static
analysis tool.

Signed-off-by: Sergey Shtylyov <s.shtylyov@xxxxxx>
Cc: stable@xxxxxxxxxxxxxxx
Link: https://lore.kernel.org/r/717729b2-d65b-c72e-9fac-471d28d00b5a@xxxxxx
Signed-off-by: Ulf Hansson <ulf.hansson@xxxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
---
drivers/mmc/core/bus.c | 9 +++++----
drivers/mmc/core/bus.h | 3 ++-
drivers/mmc/core/mmc.c | 16 ++++++++--------
drivers/mmc/core/sd.c | 27 +++++++++++++--------------
drivers/mmc/core/sdio.c | 5 +++--
drivers/mmc/core/sdio_bus.c | 7 ++++---
6 files changed, 35 insertions(+), 32 deletions(-)

--- a/drivers/mmc/core/bus.c
+++ b/drivers/mmc/core/bus.c
@@ -15,6 +15,7 @@
#include <linux/stat.h>
#include <linux/of.h>
#include <linux/pm_runtime.h>
+#include <linux/sysfs.h>

#include <linux/mmc/card.h>
#include <linux/mmc/host.h>
@@ -34,13 +35,13 @@ static ssize_t type_show(struct device *

switch (card->type) {
case MMC_TYPE_MMC:
- return sprintf(buf, "MMC\n");
+ return sysfs_emit(buf, "MMC\n");
case MMC_TYPE_SD:
- return sprintf(buf, "SD\n");
+ return sysfs_emit(buf, "SD\n");
case MMC_TYPE_SDIO:
- return sprintf(buf, "SDIO\n");
+ return sysfs_emit(buf, "SDIO\n");
case MMC_TYPE_SD_COMBO:
- return sprintf(buf, "SDcombo\n");
+ return sysfs_emit(buf, "SDcombo\n");
default:
return -EFAULT;
}
--- a/drivers/mmc/core/bus.h
+++ b/drivers/mmc/core/bus.h
@@ -9,6 +9,7 @@
#define _MMC_CORE_BUS_H

#include <linux/device.h>
+#include <linux/sysfs.h>

struct mmc_host;
struct mmc_card;
@@ -17,7 +18,7 @@ struct mmc_card;
static ssize_t mmc_##name##_show (struct device *dev, struct device_attribute *attr, char *buf) \
{ \
struct mmc_card *card = mmc_dev_to_card(dev); \
- return sprintf(buf, fmt, args); \
+ return sysfs_emit(buf, fmt, args); \
} \
static DEVICE_ATTR(name, S_IRUGO, mmc_##name##_show, NULL)

--- a/drivers/mmc/core/mmc.c
+++ b/drivers/mmc/core/mmc.c
@@ -12,6 +12,7 @@
#include <linux/slab.h>
#include <linux/stat.h>
#include <linux/pm_runtime.h>
+#include <linux/sysfs.h>

#include <linux/mmc/host.h>
#include <linux/mmc/card.h>
@@ -812,12 +813,11 @@ static ssize_t mmc_fwrev_show(struct dev
{
struct mmc_card *card = mmc_dev_to_card(dev);

- if (card->ext_csd.rev < 7) {
- return sprintf(buf, "0x%x\n", card->cid.fwrev);
- } else {
- return sprintf(buf, "0x%*phN\n", MMC_FIRMWARE_LEN,
- card->ext_csd.fwrev);
- }
+ if (card->ext_csd.rev < 7)
+ return sysfs_emit(buf, "0x%x\n", card->cid.fwrev);
+ else
+ return sysfs_emit(buf, "0x%*phN\n", MMC_FIRMWARE_LEN,
+ card->ext_csd.fwrev);
}

static DEVICE_ATTR(fwrev, S_IRUGO, mmc_fwrev_show, NULL);
@@ -830,10 +830,10 @@ static ssize_t mmc_dsr_show(struct devic
struct mmc_host *host = card->host;

if (card->csd.dsr_imp && host->dsr_req)
- return sprintf(buf, "0x%x\n", host->dsr);
+ return sysfs_emit(buf, "0x%x\n", host->dsr);
else
/* return default DSR value */
- return sprintf(buf, "0x%x\n", 0x404);
+ return sysfs_emit(buf, "0x%x\n", 0x404);
}

static DEVICE_ATTR(dsr, S_IRUGO, mmc_dsr_show, NULL);
--- a/drivers/mmc/core/sd.c
+++ b/drivers/mmc/core/sd.c
@@ -13,6 +13,7 @@
#include <linux/stat.h>
#include <linux/pm_runtime.h>
#include <linux/scatterlist.h>
+#include <linux/sysfs.h>

#include <linux/mmc/host.h>
#include <linux/mmc/card.h>
@@ -708,18 +709,16 @@ MMC_DEV_ATTR(ocr, "0x%08x\n", card->ocr)
MMC_DEV_ATTR(rca, "0x%04x\n", card->rca);

-static ssize_t mmc_dsr_show(struct device *dev,
- struct device_attribute *attr,
- char *buf)
-{
- struct mmc_card *card = mmc_dev_to_card(dev);
- struct mmc_host *host = card->host;
-
- if (card->csd.dsr_imp && host->dsr_req)
- return sprintf(buf, "0x%x\n", host->dsr);
- else
- /* return default DSR value */
- return sprintf(buf, "0x%x\n", 0x404);
+static ssize_t mmc_dsr_show(struct device *dev, struct device_attribute *attr,
+ char *buf)
+{
+ struct mmc_card *card = mmc_dev_to_card(dev);
+ struct mmc_host *host = card->host;
+
+ if (card->csd.dsr_imp && host->dsr_req)
+ return sysfs_emit(buf, "0x%x\n", host->dsr);
+ /* return default DSR value */
+ return sysfs_emit(buf, "0x%x\n", 0x404);
}

static DEVICE_ATTR(dsr, S_IRUGO, mmc_dsr_show, NULL);
@@ -735,9 +734,9 @@ static ssize_t info##num##_show(struct d
\
if (num > card->num_info) \
return -ENODATA; \
- if (!card->info[num-1][0]) \
+ if (!card->info[num - 1][0]) \
return 0; \
- return sprintf(buf, "%s\n", card->info[num-1]); \
+ return sysfs_emit(buf, "%s\n", card->info[num - 1]); \
} \
static DEVICE_ATTR_RO(info##num)

--- a/drivers/mmc/core/sdio.c
+++ b/drivers/mmc/core/sdio.c
@@ -7,6 +7,7 @@

#include <linux/err.h>
#include <linux/pm_runtime.h>
+#include <linux/sysfs.h>

#include <linux/mmc/host.h>
#include <linux/mmc/card.h>
@@ -40,9 +41,9 @@ static ssize_t info##num##_show(struct d
\
if (num > card->num_info) \
return -ENODATA; \
- if (!card->info[num-1][0]) \
+ if (!card->info[num - 1][0]) \
return 0; \
- return sprintf(buf, "%s\n", card->info[num-1]); \
+ return sysfs_emit(buf, "%s\n", card->info[num - 1]); \
} \
static DEVICE_ATTR_RO(info##num)

--- a/drivers/mmc/core/sdio_bus.c
+++ b/drivers/mmc/core/sdio_bus.c
@@ -14,6 +14,7 @@
#include <linux/pm_runtime.h>
#include <linux/pm_domain.h>
#include <linux/acpi.h>
+#include <linux/sysfs.h>

#include <linux/mmc/card.h>
#include <linux/mmc/host.h>
@@ -35,7 +36,7 @@ field##_show(struct device *dev, struct
struct sdio_func *func; \
\
func = dev_to_sdio_func (dev); \
- return sprintf(buf, format_string, args); \
+ return sysfs_emit(buf, format_string, args); \
} \
static DEVICE_ATTR_RO(field)

@@ -52,9 +53,9 @@ static ssize_t info##num##_show(struct d
\
if (num > func->num_info) \
return -ENODATA; \
- if (!func->info[num-1][0]) \
+ if (!func->info[num - 1][0]) \
return 0; \
- return sprintf(buf, "%s\n", func->info[num-1]); \
+ return sysfs_emit(buf, "%s\n", func->info[num - 1]); \
} \
static DEVICE_ATTR_RO(info##num)

Next message: Greg Kroah-Hartman: "[PATCH 5.17 0167/1126] media: gpio-ir-tx: fix transmit with long spaces on Orange Pi PC"
Previous message: Greg Kroah-Hartman: "[PATCH 5.17 0110/1126] mm/kmemleak: reset tag when compare object pointer"
In reply to: Greg Kroah-Hartman: "[PATCH 5.17 0110/1126] mm/kmemleak: reset tag when compare object pointer"
Next in thread: Greg Kroah-Hartman: "[PATCH 5.17 0167/1126] media: gpio-ir-tx: fix transmit with long spaces on Orange Pi PC"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]