From: Maciej W. Rozycki Date: Tue, 20 Apr 2021 18:01:52 +0000 (+0200) Subject: scsi: BusLogic: Avoid unbounded vsprintf() use X-Git-Tag: accepted/tizen/unified/20230118.172025~6478^2~191 X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=a40662c90d974a89d2f5d627542b63bed88e72f0;p=platform%2Fkernel%2Flinux-rpi.git scsi: BusLogic: Avoid unbounded vsprintf() use Existing blogic_msg() invocations do not appear to overrun its internal buffer of a fixed length of 100, which would cause stack corruption, but it's easy to miss with possible further updates and a fix is cheap in performance terms, so limit the output produced into the buffer by using vscnprintf() rather than vsprintf(). Link: https://lore.kernel.org/r/alpine.DEB.2.21.2104201939390.44318@angie.orcam.me.uk Acked-by: Khalid Aziz Signed-off-by: Maciej W. Rozycki Signed-off-by: Martin K. Petersen --- diff --git a/drivers/scsi/BusLogic.c b/drivers/scsi/BusLogic.c index 4d8556f..0bcedd9 100644 --- a/drivers/scsi/BusLogic.c +++ b/drivers/scsi/BusLogic.c @@ -3436,7 +3436,7 @@ static void blogic_msg(enum blogic_msglevel msglevel, char *fmt, int len = 0; va_start(args, adapter); - len = vsprintf(buf, fmt, args); + len = vscnprintf(buf, sizeof(buf), fmt, args); va_end(args); if (msglevel == BLOGIC_ANNOUNCE_LEVEL) { static int msglines = 0;
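Review bot: at the `len = vscnprintf(buf, sizeof(buf), fmt, args);` line, any message longer than the buffer is now silently truncated, and nothing in the hunk tells a reader so. A one-line comment above the call, stating that output is capped at sizeof(buf) - 1 characters, would help whoever adds a longer format string later. Choosing vscnprintf() over vsnprintf() is right here, because the returned len is the number of characters actually stored in buf rather than the length the full output would have had, so any later use of len as an index or length stays inside the buffer. Since len is assigned unconditionally right after va_start(), the `int len = 0;` initializer in the context line above is redundant and could be dropped in a follow-up.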