[PATCH AUTOSEL 4.19 01/22] scsi: lpfc: Fix possible file string name overflow when updating firmware

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Justin Tee <justin.tee@broadcom.com>,
	Himanshu Madhani <himanshu.madhani@oracle.com>,
	"Martin K . Petersen" <martin.petersen@oracle.com>,
	Sasha Levin <sashal@kernel.org>,
	james.smart@broadcom.com, dick.kennedy@broadcom.com,
	jejb@linux.ibm.com, linux-scsi@vger.kernel.org
Subject: [PATCH AUTOSEL 4.19 01/22] scsi: lpfc: Fix possible file string name overflow when updating firmware
Date: Tue, 16 Jan 2024 15:03:55 -0500	[thread overview]
Message-ID: <20240116200432.260016-1-sashal@kernel.org> (raw)

From: Justin Tee <justin.tee@broadcom.com>

[ Upstream commit f5779b529240b715f0e358489ad0ed933bf77c97 ]

Because file_name and phba->ModelName are both declared a size 80 bytes,
the extra ".grp" file extension could cause an overflow into file_name.

Define a ELX_FW_NAME_SIZE macro with value 84.  84 incorporates the 4 extra
characters from ".grp".  file_name is changed to be declared as a char and
initialized to zeros i.e. null chars.

Signed-off-by: Justin Tee <justin.tee@broadcom.com>
Link: https://lore.kernel.org/r/20231031191224.150862-3-justintee8345@gmail.com
Reviewed-by: Himanshu Madhani <himanshu.madhani@oracle.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/scsi/lpfc/lpfc.h      | 1 +
 drivers/scsi/lpfc/lpfc_init.c | 4 ++--
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/drivers/scsi/lpfc/lpfc.h b/drivers/scsi/lpfc/lpfc.h
index 706aca3f7c25..53b661793268 100644
--- a/drivers/scsi/lpfc/lpfc.h
+++ b/drivers/scsi/lpfc/lpfc.h
@@ -32,6 +32,7 @@
 struct lpfc_sli2_slim;
 
 #define ELX_MODEL_NAME_SIZE	80
+#define ELX_FW_NAME_SIZE	84
 
 #define LPFC_PCI_DEV_LP		0x1
 #define LPFC_PCI_DEV_OC		0x2
diff --git a/drivers/scsi/lpfc/lpfc_init.c b/drivers/scsi/lpfc/lpfc_init.c
index c6caacaa3e7a..7db4e893e10e 100644
--- a/drivers/scsi/lpfc/lpfc_init.c
+++ b/drivers/scsi/lpfc/lpfc_init.c
@@ -11428,7 +11428,7 @@ lpfc_write_firmware(const struct firmware *fw, void *context)
 int
 lpfc_sli4_request_firmware_update(struct lpfc_hba *phba, uint8_t fw_upgrade)
 {
-	uint8_t file_name[ELX_MODEL_NAME_SIZE];
+	char file_name[ELX_FW_NAME_SIZE] = {0};
 	int ret;
 	const struct firmware *fw;
 
@@ -11437,7 +11437,7 @@ lpfc_sli4_request_firmware_update(struct lpfc_hba *phba, uint8_t fw_upgrade)
 	    LPFC_SLI_INTF_IF_TYPE_2)
 		return -EPERM;
 
-	snprintf(file_name, ELX_MODEL_NAME_SIZE, "%s.grp", phba->ModelName);
+	scnprintf(file_name, sizeof(file_name), "%s.grp", phba->ModelName);
 
 	if (fw_upgrade == INT_FW_UPGRADE) {
 		ret = request_firmware_nowait(THIS_MODULE, FW_ACTION_HOTPLUG,
-- 
2.43.0

next             reply	other threads:[~2024-01-16 20:04 UTC|newest]

Thread overview: 32+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2024-01-16 20:03 Sasha Levin [this message]
2024-01-16 20:03 ` [PATCH AUTOSEL 4.19 02/22] PCI: Add no PM reset quirk for NVIDIA Spectrum devices Sasha Levin
2024-01-16 20:03 ` [PATCH AUTOSEL 4.19 03/22] bonding: return -ENOMEM instead of BUG in alb_upper_dev_walk Sasha Levin
2024-01-16 20:03 ` [PATCH AUTOSEL 4.19 04/22] ARM: dts: imx7s: Fix lcdif compatible Sasha Levin
2024-01-16 20:03   ` Sasha Levin
2024-01-16 20:03 ` [PATCH AUTOSEL 4.19 05/22] ARM: dts: imx7s: Fix nand-controller #size-cells Sasha Levin
2024-01-16 20:03   ` Sasha Levin
2024-01-16 20:04 ` [PATCH AUTOSEL 4.19 06/22] wifi: ath9k: Fix potential array-index-out-of-bounds read in ath9k_htc_txstatus() Sasha Levin
2024-01-16 20:04 ` [PATCH AUTOSEL 4.19 07/22] bpf: Add map and need_defer parameters to .map_fd_put_ptr() Sasha Levin
2024-01-17  4:16   ` Hou Tao
2024-01-16 20:04 ` [PATCH AUTOSEL 4.19 08/22] scsi: libfc: Don't schedule abort twice Sasha Levin
2024-01-16 20:04 ` [PATCH AUTOSEL 4.19 09/22] scsi: libfc: Fix up timeout error in fc_fcp_rec_error() Sasha Levin
2024-01-16 20:04 ` [PATCH AUTOSEL 4.19 10/22] ARM: dts: rockchip: fix rk3036 hdmi ports node Sasha Levin
2024-01-16 20:04 ` [PATCH AUTOSEL 4.19 11/22] ARM: dts: imx25/27-eukrea: Fix RTC node name Sasha Levin
2024-01-16 20:04   ` Sasha Levin
2024-01-16 20:04 ` [PATCH AUTOSEL 4.19 12/22] ARM: dts: imx: Use flash@0,0 pattern Sasha Levin
2024-01-16 20:04   ` Sasha Levin
2024-01-16 20:04 ` [PATCH AUTOSEL 4.19 13/22] ARM: dts: imx27: Fix sram node Sasha Levin
2024-01-16 20:04   ` Sasha Levin
2024-01-16 20:04 ` [PATCH AUTOSEL 4.19 14/22] ARM: dts: imx1: " Sasha Levin
2024-01-16 20:04   ` Sasha Levin
2024-01-16 20:04 ` [PATCH AUTOSEL 4.19 15/22] ARM: dts: imx27-apf27dev: Fix LED name Sasha Levin
2024-01-16 20:04   ` Sasha Levin
2024-01-16 20:04 ` [PATCH AUTOSEL 4.19 16/22] ARM: dts: imx23-sansa: Use preferred i2c-gpios properties Sasha Levin
2024-01-16 20:04   ` Sasha Levin
2024-01-16 20:04 ` [PATCH AUTOSEL 4.19 17/22] ARM: dts: imx23/28: Fix the DMA controller node name Sasha Levin
2024-01-16 20:04   ` Sasha Levin
2024-01-16 20:04 ` [PATCH AUTOSEL 4.19 18/22] md: Whenassemble the array, consult the superblock of the freshest device Sasha Levin
2024-01-16 20:04 ` [PATCH AUTOSEL 4.19 19/22] wifi: rtl8xxxu: Add additional USB IDs for RTL8192EU devices Sasha Levin
2024-01-16 20:04 ` [PATCH AUTOSEL 4.19 20/22] wifi: rtlwifi: add calculate_bit_shift() Sasha Levin
2024-01-16 20:04 ` [PATCH AUTOSEL 4.19 21/22] wifi: rtlwifi: rtl8723{be,ae}: using calculate_bit_shift() Sasha Levin
2024-01-16 20:04 ` [PATCH AUTOSEL 4.19 22/22] wifi: cfg80211: free beacon_ies when overridden from hidden BSS Sasha Levin

find likely ancestor, descendant, or conflicting patches for this message:
( dfblob:706aca3f7c2 dfblob:53b66179326 dfblob:c6caacaa3e7
dfblob:7db4e893e10 )
 OR (
bs:"[PATCH AUTOSEL 4.19 01/22] scsi: lpfc: Fix possible file string name overflow when updating firmware" )
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20240116200432.260016-1-sashal@kernel.org \
    --to=sashal@kernel.org \
    --cc=dick.kennedy@broadcom.com \
    --cc=himanshu.madhani@oracle.com \
    --cc=james.smart@broadcom.com \
    --cc=jejb@linux.ibm.com \
    --cc=justin.tee@broadcom.com \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-scsi@vger.kernel.org \
    --cc=martin.petersen@oracle.com \
    --cc=stable@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.