@@ -95,7 +95,6 @@ void aspeed_print_security_info(void)
u32 sb_sts = readl(ASPEED_SB_STS);
u32 hash;
u32 rsa;
- char alg[20];
if (!(sb_sts & BIT(6)))
return;
@@ -104,38 +103,39 @@ void aspeed_print_security_info(void)
hash = (qsr >> 10) & 3;
rsa = (qsr >> 12) & 3;
+ printf("Mode_2, ");
+
if (qsr & BIT(27)) {
- sprintf(alg + strlen(alg), "AES_");
+ printf("AES_");
}
switch (rsa) {
case 0:
- sprintf(alg + strlen(alg), "RSA1024_");
+ printf("RSA1024_");
break;
case 1:
- sprintf(alg + strlen(alg), "RSA2048_");
+ printf("RSA2048_");
break;
case 2:
- sprintf(alg + strlen(alg), "RSA3072_");
+ printf("RSA3072_");
break;
default:
- sprintf(alg + strlen(alg), "RSA4096_");
+ printf("RSA4096_");
break;
}
switch (hash) {
case 0:
- sprintf(alg + strlen(alg), "SHA224");
+ printf("SHA224\n");
break;
case 1:
- sprintf(alg + strlen(alg), "SHA256");
+ printf("SHA256\n");
break;
case 2:
- sprintf(alg + strlen(alg), "SHA384");
+ printf("SHA384\n");
break;
default:
- sprintf(alg + strlen(alg), "SHA512");
+ printf("SHA512\n");
break;
}
- printf("Mode_2, %s\n", alg);
} else {
printf("Mode_GCM\n");
return;
The current code misses initialising the char buffer 'alg' to zero, causing the sprintf to potentially write past the end of the buffer. Most of the time strlen happened upon a 0 early in the buffer, and the resulting string would be constructed in bounds: Secure Boot: Mode_2, m��ERSA4096_SHA512 Avoid the issue by not constructing the string in memory. Instead print it out as the bits are parsed. Fixes: dd27b24b13d5 ("ARM: Aspeed: update secure boot information") Signed-off-by: Joel Stanley <joel@jms.id.au> --- arch/arm/mach-aspeed/ast2600/scu_info.c | 22 +++++++++++----------- 1 file changed, 11 insertions(+), 11 deletions(-)