Bluetooth: Fix potential bad memory access with sysfs files

When creating a high number of Bluetooth sockets (L2CAP, SCO
and RFCOMM) it is possible to scribble repeatedly on arbitrary
pages of memory. Ensure that the content of these sysfs files is
always less than one page. Even if this means truncating. The
files in question are scheduled to be moved over to debugfs in
the future anyway.

Based on initial patches from Neil Brown and Linus Torvalds

Reported-by: Neil Brown <neilb@suse.de>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>

1 files changed, 9 insertions, 1 deletions

diff --git a/net/bluetooth/l2cap.c b/net/bluetooth/l2cap.c
index 4db7ae2fe07d..27551820741e 100644
--- a/net/bluetooth/l2cap.c
+++ b/net/bluetooth/l2cap.c
@@ -3944,16 +3944,24 @@ static ssize_t l2cap_sysfs_show(struct class *dev,
         struct sock *sk;
         struct hlist_node *node;
         char *str = buf;
+        int size = PAGE_SIZE;
 
         read_lock_bh(&l2cap_sk_list.lock);
 
         sk_for_each(sk, node, &l2cap_sk_list.head) {
                 struct l2cap_pinfo *pi = l2cap_pi(sk);
+                int len;
 
-                str += sprintf(str, "%s %s %d %d 0x%4.4x 0x%4.4x %d %d %d\n",
+                len = snprintf(str, size, "%s %s %d %d 0x%4.4x 0x%4.4x %d %d %d\n",
                                 batostr(&bt_sk(sk)->src), batostr(&bt_sk(sk)->dst),
                                 sk->sk_state, __le16_to_cpu(pi->psm), pi->scid,
                                 pi->dcid, pi->imtu, pi->omtu, pi->sec_level);
+
+                size -= len;
+                if (size <= 0)
+                        break;
+
+                str += len;
         }
 
         read_unlock_bh(&l2cap_sk_list.lock);