linux-scsi.vger.kernel.org archive mirror
* [RESEND][PATCH] scsi: esas2r: fix potential format string flaw
@ 2013-12-17 18:27 Kees Cook
  2013-12-17 20:00 ` Greg Kroah-Hartman
                   ` (2 more replies)
  0 siblings, 3 replies; 7+ messages in thread
From: Kees Cook @ 2013-12-17 18:27 UTC (permalink / raw)
  To: Greg Kroah-Hartman
  Cc: linux-kernel, Bradley Grove, James E.J. Bottomley, linux-scsi

This makes sure format strings cannot leak into the printk call via the
constructed buffer.

Signed-off-by: Kees Cook <keescook@chromium.org>
---
 drivers/scsi/esas2r/esas2r_log.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/scsi/esas2r/esas2r_log.c b/drivers/scsi/esas2r/esas2r_log.c
index 9bf285df58dd..61fc19d296bd 100644
--- a/drivers/scsi/esas2r/esas2r_log.c
+++ b/drivers/scsi/esas2r/esas2r_log.c
@@ -171,7 +171,7 @@ static int esas2r_log_master(const long level,
 		if (strlen(event_buffer) < buflen)
 			strcat(buffer, "\n");
 
-		printk(event_buffer);
+		printk("%s", event_buffer);
 
 		spin_unlock_irqrestore(&event_buffer_lock, flags);
 	}
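
Review bot: The commit message does not say how a conversion specifier could reach event_buffer. At the changed printk line, that is what a maintainer needs in order to judge severity and decide on a backport. Please add a sentence naming what is copied into the "constructed buffer" before this call, since any % sequence left in it was previously interpreted by printk against arguments that were never passed. The replacement line, printk("%s", event_buffer);, is the right shape for the fix.
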
-- 
1.7.9.5


-- 
Kees Cook
Chrome OS Security


* Re: [RESEND][PATCH] scsi: esas2r: fix potential format string flaw
  2013-12-17 18:27 [RESEND][PATCH] scsi: esas2r: fix potential format string flaw Kees Cook
@ 2013-12-17 20:00 ` Greg Kroah-Hartman
  2013-12-17 21:17   ` Kees Cook
  2013-12-17 21:45 ` Bradley Grove
  2013-12-18  5:42 ` Joe Perches
  2 siblings, 1 reply; 7+ messages in thread
From: Greg Kroah-Hartman @ 2013-12-17 20:00 UTC (permalink / raw)
  To: Kees Cook; +Cc: linux-kernel, Bradley Grove, James E.J. Bottomley, linux-scsi

On Tue, Dec 17, 2013 at 10:27:33AM -0800, Kees Cook wrote:
> This makes sure format strings cannot leak into the printk call via the
> constructed buffer.
> 
> Signed-off-by: Kees Cook <keescook@chromium.org>
> ---
>  drivers/scsi/esas2r/esas2r_log.c |    2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)

Why is this patch "To:" me?  I'm not the author of this driver, or the
maintainer of it or the subsystem, and there's not much, if anything I
can do with it...

confused,

greg k-h


* Re: [RESEND][PATCH] scsi: esas2r: fix potential format string flaw
  2013-12-17 20:00 ` Greg Kroah-Hartman
@ 2013-12-17 21:17   ` Kees Cook
  2013-12-17 21:54     ` Greg Kroah-Hartman
  0 siblings, 1 reply; 7+ messages in thread
From: Kees Cook @ 2013-12-17 21:17 UTC (permalink / raw)
  To: Greg Kroah-Hartman; +Cc: LKML, Bradley Grove, James E.J. Bottomley, linux-scsi

On Tue, Dec 17, 2013 at 12:00 PM, Greg Kroah-Hartman
<gregkh@linuxfoundation.org> wrote:
> On Tue, Dec 17, 2013 at 10:27:33AM -0800, Kees Cook wrote:
>> This makes sure format strings cannot leak into the printk call via the
>> constructed buffer.
>>
>> Signed-off-by: Kees Cook <keescook@chromium.org>
>> ---
>>  drivers/scsi/esas2r/esas2r_log.c |    2 +-
>>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> Why is this patch "To:" me?  I'm not the author of this driver, or the
> maintainer of it or the subsystem, and there's not much, if anything I
> can do with it...

I've resent this before, and since it lived in "drivers", I figured
you would be the next up the chain to take it (since it's been
ignored).

-Kees

-- 
Kees Cook
Chrome OS Security


* Re: [RESEND][PATCH] scsi: esas2r: fix potential format string flaw
  2013-12-17 18:27 [RESEND][PATCH] scsi: esas2r: fix potential format string flaw Kees Cook
  2013-12-17 20:00 ` Greg Kroah-Hartman
@ 2013-12-17 21:45 ` Bradley Grove
  2013-12-18  5:42 ` Joe Perches
  2 siblings, 0 replies; 7+ messages in thread
From: Bradley Grove @ 2013-12-17 21:45 UTC (permalink / raw)
  To: Kees Cook, James E.J. Bottomley
  Cc: Greg Kroah-Hartman, linux-kernel, Bradley Grove, linux-scsi

Acked-by: Bradley Grove <bgrove@attotech.com>


On 12/17/2013 01:27 PM, Kees Cook wrote:
> This makes sure format strings cannot leak into the printk call via the
> constructed buffer.
>
> Signed-off-by: Kees Cook <keescook@chromium.org>
> ---
>   drivers/scsi/esas2r/esas2r_log.c |    2 +-
>   1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/scsi/esas2r/esas2r_log.c b/drivers/scsi/esas2r/esas2r_log.c
> index 9bf285df58dd..61fc19d296bd 100644
> --- a/drivers/scsi/esas2r/esas2r_log.c
> +++ b/drivers/scsi/esas2r/esas2r_log.c
> @@ -171,7 +171,7 @@ static int esas2r_log_master(const long level,
>   		if (strlen(event_buffer) < buflen)
>   			strcat(buffer, "\n");
>
> -		printk(event_buffer);
> +		printk("%s", event_buffer);
>
>   		spin_unlock_irqrestore(&event_buffer_lock, flags);
>   	}
>
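
Review bot: In the two context lines above the changed printk, the length test reads event_buffer but the strcat writes to buffer, and the test still passes when strlen(event_buffer) equals buflen - 1. Please confirm in the changelog or a code comment that both names refer to the same storage and that buflen leaves room for the appended newline plus the terminating NUL; if it does not, the append needs its own bound. Emitting the newline from the format string, as in printk("%s\n", event_buffer);, would remove the strcat and this question with it.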



* Re: [RESEND][PATCH] scsi: esas2r: fix potential format string flaw
  2013-12-17 21:17   ` Kees Cook
@ 2013-12-17 21:54     ` Greg Kroah-Hartman
  0 siblings, 0 replies; 7+ messages in thread
From: Greg Kroah-Hartman @ 2013-12-17 21:54 UTC (permalink / raw)
  To: Kees Cook; +Cc: LKML, Bradley Grove, James E.J. Bottomley, linux-scsi

On Tue, Dec 17, 2013 at 01:17:51PM -0800, Kees Cook wrote:
> On Tue, Dec 17, 2013 at 12:00 PM, Greg Kroah-Hartman
> <gregkh@linuxfoundation.org> wrote:
> > On Tue, Dec 17, 2013 at 10:27:33AM -0800, Kees Cook wrote:
> >> This makes sure format strings cannot leak into the printk call via the
> >> constructed buffer.
> >>
> >> Signed-off-by: Kees Cook <keescook@chromium.org>
> >> ---
> >>  drivers/scsi/esas2r/esas2r_log.c |    2 +-
> >>  1 file changed, 1 insertion(+), 1 deletion(-)
> >
> > Why is this patch "To:" me?  I'm not the author of this driver, or the
> > maintainer of it or the subsystem, and there's not much, if anything I
> > can do with it...
> 
> I've resent this before, and since it lived in "drivers", I figured
> you would be the next up the chain to take it (since it's been
> ignored).

Heh, while I do seem to maintain a ton of the drivers/ tree, I don't
take everything there.  This needs to go through James's tree, he can
handle it :)

thanks,

greg k-h


* Re: [RESEND][PATCH] scsi: esas2r: fix potential format string flaw
  2013-12-17 18:27 [RESEND][PATCH] scsi: esas2r: fix potential format string flaw Kees Cook
  2013-12-17 20:00 ` Greg Kroah-Hartman
  2013-12-17 21:45 ` Bradley Grove
@ 2013-12-18  5:42 ` Joe Perches
  2013-12-18 18:01   ` Kees Cook
  2 siblings, 1 reply; 7+ messages in thread
From: Joe Perches @ 2013-12-18  5:42 UTC (permalink / raw)
  To: Kees Cook
  Cc: Greg Kroah-Hartman, linux-kernel, Bradley Grove,
	James E.J. Bottomley, linux-scsi

On Tue, 2013-12-17 at 10:27 -0800, Kees Cook wrote:
> This makes sure format strings cannot leak into the printk call via the
> constructed buffer.
[]
> diff --git a/drivers/scsi/esas2r/esas2r_log.c b/drivers/scsi/esas2r/esas2r_log.c
[]
> @@ -171,7 +171,7 @@ static int esas2r_log_master(const long level,
>  		if (strlen(event_buffer) < buflen)
>  			strcat(buffer, "\n");
>  
> -		printk(event_buffer);
> +		printk("%s", event_buffer);

It's probably better to remove the

		if (strlen(event_buffer) < buflen)
			strcat(buffer, "\n");

and use

	printk("%s\n", event_buffer);

so that the output is always newline terminated.




* Re: [RESEND][PATCH] scsi: esas2r: fix potential format string flaw
  2013-12-18  5:42 ` Joe Perches
@ 2013-12-18 18:01   ` Kees Cook
  0 siblings, 0 replies; 7+ messages in thread
From: Kees Cook @ 2013-12-18 18:01 UTC (permalink / raw)
  To: Joe Perches
  Cc: Greg Kroah-Hartman, LKML, Bradley Grove, James E.J. Bottomley,
	linux-scsi

On Tue, Dec 17, 2013 at 9:42 PM, Joe Perches <joe@perches.com> wrote:
> On Tue, 2013-12-17 at 10:27 -0800, Kees Cook wrote:
>> This makes sure format strings cannot leak into the printk call via the
>> constructed buffer.
> []
>> diff --git a/drivers/scsi/esas2r/esas2r_log.c b/drivers/scsi/esas2r/esas2r_log.c
> []
>> @@ -171,7 +171,7 @@ static int esas2r_log_master(const long level,
>>               if (strlen(event_buffer) < buflen)
>>                       strcat(buffer, "\n");
>>
>> -             printk(event_buffer);
>> +             printk("%s", event_buffer);
>
> It's probably better to remove the
>
>                 if (strlen(event_buffer) < buflen)
>                         strcat(buffer, "\n");
>
> and use
>
>         printk("%s\n", event_buffer);
>
> so that the output is always newline terminated.

Ah! Yes, good call.

-Kees

-- 
Kees Cook
Chrome OS Security

