Linux SCSI subsystem development
* [PATCH 0/8] scsi: Use scnprintf() for avoiding potential buffer overflow
@ 2020-03-11  9:16 Takashi Iwai
  2020-03-11  9:16 ` [PATCH 1/8] scsi: aacraid: " Takashi Iwai
                   ` (7 more replies)
  0 siblings, 8 replies; 13+ messages in thread
From: Takashi Iwai @ 2020-03-11  9:16 UTC (permalink / raw)
  To: James E . J . Bottomley, Martin K . Petersen; +Cc: linux-scsi

Hi,

here is a series of trivial patches just to convert suspicious
snprintf() usages to the safer one, scnprintf().


Takashi

===

Takashi Iwai (8):
  scsi: aacraid: Use scnprintf() for avoiding potential buffer overflow
  scsi: be2iscsi: Use scnprintf() for avoiding potential buffer overflow
  scsi: fnic: Use scnprintf() for avoiding potential buffer overflow
  scsi: gdth: Use scnprintf() for avoiding potential buffer overflow
  scsi: ipr: Use scnprintf() for avoiding potential buffer overflow
  scsi: megaraid_sas: Use scnprintf() for avoiding potential buffer
    overflow
  scsi: core: Use scnprintf() for avoiding potential buffer overflow
  scsi: smartpqi: Use scnprintf() for avoiding potential buffer overflow

 drivers/scsi/aacraid/linit.c              | 10 +++---
 drivers/scsi/be2iscsi/be_mgmt.c           |  8 ++---
 drivers/scsi/fnic/fnic_trace.c            | 58 +++++++++++++++----------------
 drivers/scsi/gdth_proc.c                  |  2 +-
 drivers/scsi/ipr.c                        |  6 ++--
 drivers/scsi/megaraid/megaraid_sas_base.c |  3 +-
 drivers/scsi/scsi_sysfs.c                 |  6 ++--
 drivers/scsi/smartpqi/smartpqi_init.c     | 22 ++++++------
 8 files changed, 58 insertions(+), 57 deletions(-)

-- 
2.16.4



* [PATCH 1/8] scsi: aacraid: Use scnprintf() for avoiding potential buffer overflow
  2020-03-11  9:16 [PATCH 0/8] scsi: Use scnprintf() for avoiding potential buffer overflow Takashi Iwai
@ 2020-03-11  9:16 ` Takashi Iwai
  2020-03-13  5:47   ` Balsundar.P
  2020-03-11  9:16 ` [PATCH 2/8] scsi: be2iscsi: " Takashi Iwai
                   ` (6 subsequent siblings)
  7 siblings, 1 reply; 13+ messages in thread
From: Takashi Iwai @ 2020-03-11  9:16 UTC (permalink / raw)
  To: James E . J . Bottomley, Martin K . Petersen
  Cc: linux-scsi, Adaptec OEM Raid Solutions

Since snprintf() returns the would-be-output size instead of the
actual output size, the succeeding calls may go beyond the given
buffer limit.  Fix it by replacing with scnprintf().

Cc: Adaptec OEM Raid Solutions <aacraid@microsemi.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
---
 drivers/scsi/aacraid/linit.c | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/drivers/scsi/aacraid/linit.c b/drivers/scsi/aacraid/linit.c
index b1d133de29ab..046fef4ff1f0 100644
--- a/drivers/scsi/aacraid/linit.c
+++ b/drivers/scsi/aacraid/linit.c
@@ -1287,20 +1287,20 @@ static ssize_t aac_show_flags(struct device *cdev,
 	if (nblank(dprintk(x)))
 		len = snprintf(buf, PAGE_SIZE, "dprintk\n");
 #ifdef AAC_DETAILED_STATUS_INFO
-	len += snprintf(buf + len, PAGE_SIZE - len,
+	len += scnprintf(buf + len, PAGE_SIZE - len,
 			"AAC_DETAILED_STATUS_INFO\n");
 #endif
 	if (dev->raw_io_interface && dev->raw_io_64)
-		len += snprintf(buf + len, PAGE_SIZE - len,
+		len += scnprintf(buf + len, PAGE_SIZE - len,
 				"SAI_READ_CAPACITY_16\n");
 	if (dev->jbod)
-		len += snprintf(buf + len, PAGE_SIZE - len, "SUPPORTED_JBOD\n");
+		len += scnprintf(buf + len, PAGE_SIZE - len, "SUPPORTED_JBOD\n");
 	if (dev->supplement_adapter_info.supported_options2 &
 		AAC_OPTION_POWER_MANAGEMENT)
-		len += snprintf(buf + len, PAGE_SIZE - len,
+		len += scnprintf(buf + len, PAGE_SIZE - len,
 				"SUPPORTED_POWER_MANAGEMENT\n");
 	if (dev->msi)
-		len += snprintf(buf + len, PAGE_SIZE - len, "PCI_HAS_MSI\n");
+		len += scnprintf(buf + len, PAGE_SIZE - len, "PCI_HAS_MSI\n");
 	return len;
 }
 
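Review bot: The first accumulation in this hunk, `len = snprintf(buf, PAGE_SIZE, "dprintk\n");`, is left as snprintf() while every later call is converted. It cannot overflow with a short literal, but converting it too keeps aac_show_flags() on one idiom, so the next reader does not have to re-audit a mixed chain.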
-- 
2.16.4
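
The return-value difference described in the commit message above, as an added userspace illustration (not code from this patch series). demo_scnprintf() is a stand-in written here for the kernel's scnprintf(); the helper names, the 16-byte buffer and the sample string are constructed for the example, and the snprintf() variant stops before making the call that would land outside the buffer.

```c
#include <stdarg.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define DEMO_BUF_SIZE 16	/* constructed, tiny stand-in for PAGE_SIZE */

/* Userspace stand-in for scnprintf(): returns the number of characters
 * actually stored in buf (excluding the NUL), never the would-be length. */
static int demo_scnprintf(char *buf, size_t size, const char *fmt, ...)
{
	va_list ap;
	int n;

	if (size == 0)
		return 0;
	va_start(ap, fmt);
	n = vsnprintf(buf, size, fmt, ap);
	va_end(ap);
	if (n < 0)
		return 0;
	return (size_t)n < size ? n : (int)(size - 1);
}

/* The "len += snprintf(buf + len, size - len, ...)" idiom from the patches.
 * snprintf() returns the length the output would have had, so len can run
 * past size. The guard stops before the call where buf + len would point
 * outside the buffer and size - len would wrap, and reports it instead. */
static size_t append_snprintf(char *buf, size_t size, const char *item,
			      int count, int *out_of_bounds)
{
	size_t len = 0;
	int i;

	*out_of_bounds = 0;
	for (i = 0; i < count; i++) {
		if (len >= size) {
			*out_of_bounds = 1;
			break;
		}
		len += snprintf(buf + len, size - len, "%s\n", item);
	}
	return len;
}

/* Same idiom with the scnprintf() semantics: len can never exceed size - 1,
 * so buf + len and size - len stay valid for every later call. */
static size_t append_scnprintf(char *buf, size_t size, const char *item,
			       int count)
{
	size_t len = 0;
	int i;

	for (i = 0; i < count; i++)
		len += demo_scnprintf(buf + len, size - len, "%s\n", item);
	return len;
}

int main(void)
{
	char buf[DEMO_BUF_SIZE];
	size_t len;
	int oob;

	len = append_snprintf(buf, sizeof(buf), "SUPPORTED_JBOD", 3, &oob);
	printf("snprintf:  len=%zu for a %zu-byte buffer, next call out of bounds: %d\n",
	       len, sizeof(buf), oob);

	len = append_scnprintf(buf, sizeof(buf), "SUPPORTED_JBOD", 3);
	printf("scnprintf: len=%zu, strlen=%zu\n", len, strlen(buf));
	return 0;
}
```
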



* [PATCH 2/8] scsi: be2iscsi: Use scnprintf() for avoiding potential buffer overflow
  2020-03-11  9:16 [PATCH 0/8] scsi: Use scnprintf() for avoiding potential buffer overflow Takashi Iwai
  2020-03-11  9:16 ` [PATCH 1/8] scsi: aacraid: " Takashi Iwai
@ 2020-03-11  9:16 ` Takashi Iwai
  2020-03-11  9:16 ` [PATCH 3/8] scsi: fnic: " Takashi Iwai
                   ` (5 subsequent siblings)
  7 siblings, 0 replies; 13+ messages in thread
From: Takashi Iwai @ 2020-03-11  9:16 UTC (permalink / raw)
  To: James E . J . Bottomley, Martin K . Petersen
  Cc: linux-scsi, Subbu Seetharaman, Ketan Mukadam, Jitendra Bhivare

Since snprintf() returns the would-be-output size instead of the
actual output size, the succeeding calls may go beyond the given
buffer limit.  Fix it by replacing with scnprintf().

Cc: Subbu Seetharaman <subbu.seetharaman@broadcom.com>
Cc: Ketan Mukadam <ketan.mukadam@broadcom.com>
Cc: Jitendra Bhivare <jitendra.bhivare@broadcom.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
---
 drivers/scsi/be2iscsi/be_mgmt.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/drivers/scsi/be2iscsi/be_mgmt.c b/drivers/scsi/be2iscsi/be_mgmt.c
index d4febaadfaa3..3ae8d2b4ea31 100644
--- a/drivers/scsi/be2iscsi/be_mgmt.c
+++ b/drivers/scsi/be2iscsi/be_mgmt.c
@@ -1178,11 +1178,11 @@ beiscsi_active_session_disp(struct device *dev, struct device_attribute *attr,
 		if (test_bit(ulp_num, (void *)&phba->fw_config.ulp_supported)) {
 			avlbl_cids = BEISCSI_ULP_AVLBL_CID(phba, ulp_num);
 			total_cids = BEISCSI_GET_CID_COUNT(phba, ulp_num);
-			len += snprintf(buf+len, PAGE_SIZE - len,
+			len += scnprintf(buf+len, PAGE_SIZE - len,
 					"ULP%d : %d\n", ulp_num,
 					(total_cids - avlbl_cids));
 		} else
-			len += snprintf(buf+len, PAGE_SIZE - len,
+			len += scnprintf(buf+len, PAGE_SIZE - len,
 					"ULP%d : %d\n", ulp_num, 0);
 	}
 
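Review bot: Style point on the if/else in this hunk: both branches call scnprintf() with the same "ULP%d : %d\n" format and differ only in the last argument. Since these lines are being touched anyway, computing the value first (total_cids - avlbl_cids, or 0) and issuing a single call would halve the number of places where the buf+len / PAGE_SIZE - len pair has to stay in sync.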
@@ -1208,11 +1208,11 @@ beiscsi_free_session_disp(struct device *dev, struct device_attribute *attr,
 
 	for (ulp_num = 0; ulp_num < BEISCSI_ULP_COUNT; ulp_num++) {
 		if (test_bit(ulp_num, (void *)&phba->fw_config.ulp_supported))
-			len += snprintf(buf+len, PAGE_SIZE - len,
+			len += scnprintf(buf+len, PAGE_SIZE - len,
 					"ULP%d : %d\n", ulp_num,
 					BEISCSI_ULP_AVLBL_CID(phba, ulp_num));
 		else
-			len += snprintf(buf+len, PAGE_SIZE - len,
+			len += scnprintf(buf+len, PAGE_SIZE - len,
 					"ULP%d : %d\n", ulp_num, 0);
 	}
 
-- 
2.16.4



* [PATCH 3/8] scsi: fnic: Use scnprintf() for avoiding potential buffer overflow
  2020-03-11  9:16 [PATCH 0/8] scsi: Use scnprintf() for avoiding potential buffer overflow Takashi Iwai
  2020-03-11  9:16 ` [PATCH 1/8] scsi: aacraid: " Takashi Iwai
  2020-03-11  9:16 ` [PATCH 2/8] scsi: be2iscsi: " Takashi Iwai
@ 2020-03-11  9:16 ` Takashi Iwai
  2020-03-11  9:16 ` [PATCH 4/8] scsi: gdth: " Takashi Iwai
                   ` (4 subsequent siblings)
  7 siblings, 0 replies; 13+ messages in thread
From: Takashi Iwai @ 2020-03-11  9:16 UTC (permalink / raw)
  To: James E . J . Bottomley, Martin K . Petersen
  Cc: linux-scsi, Satish Kharat, Sesidhar Baddela, Karan Tilak Kumar

Since snprintf() returns the would-be-output size instead of the
actual output size, the succeeding calls may go beyond the given
buffer limit.  Fix it by replacing with scnprintf().

Cc: Satish Kharat <satishkh@cisco.com>
Cc: Sesidhar Baddela <sebaddel@cisco.com>
Cc: Karan Tilak Kumar <kartilak@cisco.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
---
 drivers/scsi/fnic/fnic_trace.c | 58 +++++++++++++++++++++---------------------
 1 file changed, 29 insertions(+), 29 deletions(-)

diff --git a/drivers/scsi/fnic/fnic_trace.c b/drivers/scsi/fnic/fnic_trace.c
index a0d01aea28f7..9d52d83161ed 100644
--- a/drivers/scsi/fnic/fnic_trace.c
+++ b/drivers/scsi/fnic/fnic_trace.c
@@ -138,7 +138,7 @@ int fnic_get_trace_data(fnic_dbgfs_t *fnic_dbgfs_prt)
 			 * Dump trace buffer entry to memory file
 			 * and increment read index @rd_idx
 			 */
-			len += snprintf(fnic_dbgfs_prt->buffer + len,
+			len += scnprintf(fnic_dbgfs_prt->buffer + len,
 				  (trace_max_pages * PAGE_SIZE * 3) - len,
 				  "%16llu.%09lu %-50s %8x %8x %16llx %16llx "
 				  "%16llx %16llx %16llx\n", (u64)val.tv_sec,
@@ -180,7 +180,7 @@ int fnic_get_trace_data(fnic_dbgfs_t *fnic_dbgfs_prt)
 			 * Dump trace buffer entry to memory file
 			 * and increment read index @rd_idx
 			 */
-			len += snprintf(fnic_dbgfs_prt->buffer + len,
+			len += scnprintf(fnic_dbgfs_prt->buffer + len,
 				  (trace_max_pages * PAGE_SIZE * 3) - len,
 				  "%16llu.%09lu %-50s %8x %8x %16llx %16llx "
 				  "%16llx %16llx %16llx\n", (u64)val.tv_sec,
@@ -220,12 +220,12 @@ int fnic_get_stats_data(struct stats_debug_info *debug,
 	struct timespec64 val1, val2;
 
 	ktime_get_real_ts64(&val1);
-	len = snprintf(debug->debug_buffer + len, buf_size - len,
+	len = scnprintf(debug->debug_buffer + len, buf_size - len,
 		"------------------------------------------\n"
 		 "\t\tTime\n"
 		"------------------------------------------\n");
 
-	len += snprintf(debug->debug_buffer + len, buf_size - len,
+	len += scnprintf(debug->debug_buffer + len, buf_size - len,
 		"Current time :          [%lld:%ld]\n"
 		"Last stats reset time:  [%lld:%09ld]\n"
 		"Last stats read time:   [%lld:%ld]\n"
@@ -243,11 +243,11 @@ int fnic_get_stats_data(struct stats_debug_info *debug,
 
 	stats->stats_timestamps.last_read_time = val1;
 
-	len += snprintf(debug->debug_buffer + len, buf_size - len,
+	len += scnprintf(debug->debug_buffer + len, buf_size - len,
 		  "------------------------------------------\n"
 		  "\t\tIO Statistics\n"
 		  "------------------------------------------\n");
-	len += snprintf(debug->debug_buffer + len, buf_size - len,
+	len += scnprintf(debug->debug_buffer + len, buf_size - len,
 		  "Number of Active IOs: %lld\nMaximum Active IOs: %lld\n"
 		  "Number of IOs: %lld\nNumber of IO Completions: %lld\n"
 		  "Number of IO Failures: %lld\nNumber of IO NOT Found: %lld\n"
@@ -280,16 +280,16 @@ int fnic_get_stats_data(struct stats_debug_info *debug,
 		  (u64)atomic64_read(&stats->io_stats.io_btw_10000_to_30000_msec),
 		  (u64)atomic64_read(&stats->io_stats.io_greater_than_30000_msec));
 
-	len += snprintf(debug->debug_buffer + len, buf_size - len,
+	len += scnprintf(debug->debug_buffer + len, buf_size - len,
 		  "\nCurrent Max IO time : %lld\n",
 		  (u64)atomic64_read(&stats->io_stats.current_max_io_time));
 
-	len += snprintf(debug->debug_buffer + len, buf_size - len,
+	len += scnprintf(debug->debug_buffer + len, buf_size - len,
 		  "\n------------------------------------------\n"
 		  "\t\tAbort Statistics\n"
 		  "------------------------------------------\n");
 
-	len += snprintf(debug->debug_buffer + len, buf_size - len,
+	len += scnprintf(debug->debug_buffer + len, buf_size - len,
 		  "Number of Aborts: %lld\n"
 		  "Number of Abort Failures: %lld\n"
 		  "Number of Abort Driver Timeouts: %lld\n"
@@ -318,12 +318,12 @@ int fnic_get_stats_data(struct stats_debug_info *debug,
 		  (u64)atomic64_read(&stats->abts_stats.abort_issued_btw_50_to_60_sec),
 		  (u64)atomic64_read(&stats->abts_stats.abort_issued_greater_than_60_sec));
 
-	len += snprintf(debug->debug_buffer + len, buf_size - len,
+	len += scnprintf(debug->debug_buffer + len, buf_size - len,
 		  "\n------------------------------------------\n"
 		  "\t\tTerminate Statistics\n"
 		  "------------------------------------------\n");
 
-	len += snprintf(debug->debug_buffer + len, buf_size - len,
+	len += scnprintf(debug->debug_buffer + len, buf_size - len,
 		  "Number of Terminates: %lld\n"
 		  "Maximum Terminates: %lld\n"
 		  "Number of Terminate Driver Timeouts: %lld\n"
@@ -337,12 +337,12 @@ int fnic_get_stats_data(struct stats_debug_info *debug,
 		  (u64)atomic64_read(&stats->term_stats.terminate_io_not_found),
 		  (u64)atomic64_read(&stats->term_stats.terminate_failures));
 
-	len += snprintf(debug->debug_buffer + len, buf_size - len,
+	len += scnprintf(debug->debug_buffer + len, buf_size - len,
 		  "\n------------------------------------------\n"
 		  "\t\tReset Statistics\n"
 		  "------------------------------------------\n");
 
-	len += snprintf(debug->debug_buffer + len, buf_size - len,
+	len += scnprintf(debug->debug_buffer + len, buf_size - len,
 		  "Number of Device Resets: %lld\n"
 		  "Number of Device Reset Failures: %lld\n"
 		  "Number of Device Reset Aborts: %lld\n"
@@ -368,12 +368,12 @@ int fnic_get_stats_data(struct stats_debug_info *debug,
 			  &stats->reset_stats.fnic_reset_completions),
 		  (u64)atomic64_read(&stats->reset_stats.fnic_reset_failures));
 
-	len += snprintf(debug->debug_buffer + len, buf_size - len,
+	len += scnprintf(debug->debug_buffer + len, buf_size - len,
 		  "\n------------------------------------------\n"
 		  "\t\tFirmware Statistics\n"
 		  "------------------------------------------\n");
 
-	len += snprintf(debug->debug_buffer + len, buf_size - len,
+	len += scnprintf(debug->debug_buffer + len, buf_size - len,
 		  "Number of Active FW Requests %lld\n"
 		  "Maximum FW Requests: %lld\n"
 		  "Number of FW out of resources: %lld\n"
@@ -383,12 +383,12 @@ int fnic_get_stats_data(struct stats_debug_info *debug,
 		  (u64)atomic64_read(&stats->fw_stats.fw_out_of_resources),
 		  (u64)atomic64_read(&stats->fw_stats.io_fw_errs));
 
-	len += snprintf(debug->debug_buffer + len, buf_size - len,
+	len += scnprintf(debug->debug_buffer + len, buf_size - len,
 		  "\n------------------------------------------\n"
 		  "\t\tVlan Discovery Statistics\n"
 		  "------------------------------------------\n");
 
-	len += snprintf(debug->debug_buffer + len, buf_size - len,
+	len += scnprintf(debug->debug_buffer + len, buf_size - len,
 		  "Number of Vlan Discovery Requests Sent %lld\n"
 		  "Vlan Response Received with no FCF VLAN ID: %lld\n"
 		  "No solicitations recvd after vlan set, expiry count: %lld\n"
@@ -398,7 +398,7 @@ int fnic_get_stats_data(struct stats_debug_info *debug,
 		  (u64)atomic64_read(&stats->vlan_stats.sol_expiry_count),
 		  (u64)atomic64_read(&stats->vlan_stats.flogi_rejects));
 
-	len += snprintf(debug->debug_buffer + len, buf_size - len,
+	len += scnprintf(debug->debug_buffer + len, buf_size - len,
 		  "\n------------------------------------------\n"
 		  "\t\tOther Important Statistics\n"
 		  "------------------------------------------\n");
@@ -406,7 +406,7 @@ int fnic_get_stats_data(struct stats_debug_info *debug,
 	jiffies_to_timespec64(stats->misc_stats.last_isr_time, &val1);
 	jiffies_to_timespec64(stats->misc_stats.last_ack_time, &val2);
 
-	len += snprintf(debug->debug_buffer + len, buf_size - len,
+	len += scnprintf(debug->debug_buffer + len, buf_size - len,
 		  "Last ISR time: %llu (%8llu.%09lu)\n"
 		  "Last ACK time: %llu (%8llu.%09lu)\n"
 		  "Max ISR jiffies: %llu\n"
@@ -452,7 +452,7 @@ int fnic_get_stats_data(struct stats_debug_info *debug,
 		  (u64)atomic64_read(&stats->misc_stats.rport_not_ready),
 		  (u64)atomic64_read(&stats->misc_stats.frame_errors));
 
-	len += snprintf(debug->debug_buffer + len, buf_size - len,
+	len += scnprintf(debug->debug_buffer + len, buf_size - len,
 			"Firmware reported port speed: %llu\n",
 			(u64)atomic64_read(
 				&stats->misc_stats.current_port_speed));
@@ -742,7 +742,7 @@ int fnic_fc_trace_get_data(fnic_dbgfs_t *fnic_dbgfs_prt, u8 rdata_flag)
 	rd_idx = fc_trace_entries.rd_idx;
 	wr_idx = fc_trace_entries.wr_idx;
 	if (rdata_flag == 0) {
-		len += snprintf(fnic_dbgfs_prt->buffer + len,
+		len += scnprintf(fnic_dbgfs_prt->buffer + len,
 			(fnic_fc_trace_max_pages * PAGE_SIZE * 3) - len,
 			"Time Stamp (UTC)\t\t"
 			"Host No:   F Type:  len:     FCoE_FRAME:\n");
@@ -762,11 +762,11 @@ int fnic_fc_trace_get_data(fnic_dbgfs_t *fnic_dbgfs_prt, u8 rdata_flag)
 		} else {
 			fc_trace = (char *)tdata;
 			for (j = 0; j < FC_TRC_SIZE_BYTES; j++) {
-				len += snprintf(fnic_dbgfs_prt->buffer + len,
+				len += scnprintf(fnic_dbgfs_prt->buffer + len,
 				(fnic_fc_trace_max_pages * PAGE_SIZE * 3)
 				- len, "%02x", fc_trace[j] & 0xff);
 			} /* for loop */
-			len += snprintf(fnic_dbgfs_prt->buffer + len,
+			len += scnprintf(fnic_dbgfs_prt->buffer + len,
 				(fnic_fc_trace_max_pages * PAGE_SIZE * 3) - len,
 				"\n");
 		}
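Review bot: In the per-byte loop over FC_TRC_SIZE_BYTES, once the buffer is full every remaining scnprintf() returns 0, so the loop keeps running as a no-op and the closing "\n" is dropped, leaving a record cut off in the middle with no indication. Consider breaking out of the loop when len reaches the limit minus one, and hoisting (fnic_fc_trace_max_pages * PAGE_SIZE * 3) into a local so the size expression is not repeated and split across continuation lines.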
@@ -810,7 +810,7 @@ void copy_and_format_trace_data(struct fc_trace_hdr *tdata,
 	time64_to_tm(tdata->time_stamp.tv_sec, 0, &tm);
 
 	fmt = "%02d:%02d:%04ld %02d:%02d:%02d.%09lu ns%8x       %c%8x\t";
-	len += snprintf(fnic_dbgfs_prt->buffer + len,
+	len += scnprintf(fnic_dbgfs_prt->buffer + len,
 		max_size - len,
 		fmt,
 		tm.tm_mon + 1, tm.tm_mday, tm.tm_year + 1900,
@@ -823,25 +823,25 @@ void copy_and_format_trace_data(struct fc_trace_hdr *tdata,
 	for (j = 0; j < min_t(u8, tdata->frame_len,
 		(u8)(FC_TRC_SIZE_BYTES - FC_TRC_HEADER_SIZE)); j++) {
 		if (tdata->frame_type == FNIC_FC_LE) {
-			len += snprintf(fnic_dbgfs_prt->buffer + len,
+			len += scnprintf(fnic_dbgfs_prt->buffer + len,
 				max_size - len, "%c", fc_trace[j]);
 		} else {
-			len += snprintf(fnic_dbgfs_prt->buffer + len,
+			len += scnprintf(fnic_dbgfs_prt->buffer + len,
 				max_size - len, "%02x", fc_trace[j] & 0xff);
-			len += snprintf(fnic_dbgfs_prt->buffer + len,
+			len += scnprintf(fnic_dbgfs_prt->buffer + len,
 				max_size - len, " ");
 			if (j == ethhdr_len ||
 				j == ethhdr_len + fcoehdr_len ||
 				j == ethhdr_len + fcoehdr_len + fchdr_len ||
 				(i > 3 && j%fchdr_len == 0)) {
-				len += snprintf(fnic_dbgfs_prt->buffer
+				len += scnprintf(fnic_dbgfs_prt->buffer
 					+ len, max_size - len,
 					"\n\t\t\t\t\t\t\t\t");
 				i++;
 			}
 		} /* end of else*/
 	} /* End of for loop*/
-	len += snprintf(fnic_dbgfs_prt->buffer + len,
+	len += scnprintf(fnic_dbgfs_prt->buffer + len,
 		max_size - len, "\n");
 	*orig_len = len;
 }
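Review bot: In the else branch of the loop, the "%02x" call and the " " call that follows it can be a single scnprintf() with "%02x ", which removes one buffer + len / max_size - len pair per byte. Separately, *orig_len = len at the end now reports at most max_size - 1 on truncation; it is worth confirming that no caller relied on the larger would-be value to notice a full buffer.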
-- 
2.16.4



* [PATCH 4/8] scsi: gdth: Use scnprintf() for avoiding potential buffer overflow
  2020-03-11  9:16 [PATCH 0/8] scsi: Use scnprintf() for avoiding potential buffer overflow Takashi Iwai
                   ` (2 preceding siblings ...)
  2020-03-11  9:16 ` [PATCH 3/8] scsi: fnic: " Takashi Iwai
@ 2020-03-11  9:16 ` Takashi Iwai
  2020-03-11  9:16 ` [PATCH 5/8] scsi: ipr: " Takashi Iwai
                   ` (3 subsequent siblings)
  7 siblings, 0 replies; 13+ messages in thread
From: Takashi Iwai @ 2020-03-11  9:16 UTC (permalink / raw)
  To: James E . J . Bottomley, Martin K . Petersen; +Cc: linux-scsi, Achim Leubner

Since snprintf() returns the would-be-output size instead of the
actual output size, the succeeding calls may go beyond the given
buffer limit.  Fix it by replacing with scnprintf().

Cc: Achim Leubner <achim_leubner@adaptec.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
---
 drivers/scsi/gdth_proc.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/scsi/gdth_proc.c b/drivers/scsi/gdth_proc.c
index 381d849726ac..34149842cf1c 100644
--- a/drivers/scsi/gdth_proc.c
+++ b/drivers/scsi/gdth_proc.c
@@ -193,7 +193,7 @@ int gdth_show_info(struct seq_file *m, struct Scsi_Host *host)
         for (i = 1;  i < MAX_RES_ARGS; i++) {
             if (reserve_list[i] == 0xff) 
                 break;
-            hlen += snprintf(hrec + hlen , 161 - hlen, ",%d", reserve_list[i]);
+            hlen += scnprintf(hrec + hlen , 161 - hlen, ",%d", reserve_list[i]);
         }
     }
     seq_printf(m,
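Review bot: The size argument `161 - hlen` is a bare constant that has to match the declaration of hrec, which is not visible in this hunk. If hrec is a local array, sizeof(hrec) - hlen keeps the bound tied to the buffer, and the stray space before the comma in `hrec + hlen ,` can be dropped while the line is being changed.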
-- 
2.16.4



* [PATCH 5/8] scsi: ipr: Use scnprintf() for avoiding potential buffer overflow
  2020-03-11  9:16 [PATCH 0/8] scsi: Use scnprintf() for avoiding potential buffer overflow Takashi Iwai
                   ` (3 preceding siblings ...)
  2020-03-11  9:16 ` [PATCH 4/8] scsi: gdth: " Takashi Iwai
@ 2020-03-11  9:16 ` Takashi Iwai
  2020-03-11  9:16 ` [PATCH 6/8] scsi: megaraid_sas: " Takashi Iwai
                   ` (2 subsequent siblings)
  7 siblings, 0 replies; 13+ messages in thread
From: Takashi Iwai @ 2020-03-11  9:16 UTC (permalink / raw)
  To: James E . J . Bottomley, Martin K . Petersen; +Cc: linux-scsi, Brian King

Since snprintf() returns the would-be-output size instead of the
actual output size, the succeeding calls may go beyond the given
buffer limit.  Fix it by replacing with scnprintf().

Cc: Brian King <brking@us.ibm.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
---
 drivers/scsi/ipr.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/drivers/scsi/ipr.c b/drivers/scsi/ipr.c
index ae45cbe98ae2..155832d54efa 100644
--- a/drivers/scsi/ipr.c
+++ b/drivers/scsi/ipr.c
@@ -1299,9 +1299,9 @@ static char *__ipr_format_res_path(u8 *res_path, char *buffer, int len)
 	char *p = buffer;
 
 	*p = '\0';
-	p += snprintf(p, buffer + len - p, "%02X", res_path[0]);
+	p += scnprintf(p, buffer + len - p, "%02X", res_path[0]);
 	for (i = 1; res_path[i] != 0xff && ((i * 3) < len); i++)
-		p += snprintf(p, buffer + len - p, "-%02X", res_path[i]);
+		p += scnprintf(p, buffer + len - p, "-%02X", res_path[i]);
 
 	return buffer;
 }
@@ -1322,7 +1322,7 @@ static char *ipr_format_res_path(struct ipr_ioa_cfg *ioa_cfg,
 	char *p = buffer;
 
 	*p = '\0';
-	p += snprintf(p, buffer + len - p, "%d/", ioa_cfg->host->host_no);
+	p += scnprintf(p, buffer + len - p, "%d/", ioa_cfg->host->host_no);
 	__ipr_format_res_path(res_path, p, len - (buffer - p));
 	return buffer;
 }
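Review bot: The context line after the converted call, `__ipr_format_res_path(res_path, p, len - (buffer - p));`, passes the wrong remaining size. p is at or past buffer, so buffer - p is zero or negative and the callee is told it has len plus the bytes already written, not len minus them. The scnprintf() calls in __ipr_format_res_path() then bound against that inflated length, so this series does not close the overflow here; the argument should be len - (p - buffer).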
-- 
2.16.4



* [PATCH 6/8] scsi: megaraid_sas: Use scnprintf() for avoiding potential buffer overflow
  2020-03-11  9:16 [PATCH 0/8] scsi: Use scnprintf() for avoiding potential buffer overflow Takashi Iwai
                   ` (4 preceding siblings ...)
  2020-03-11  9:16 ` [PATCH 5/8] scsi: ipr: " Takashi Iwai
@ 2020-03-11  9:16 ` Takashi Iwai
  2020-03-11  9:16 ` [PATCH 7/8] scsi: core: " Takashi Iwai
  2020-03-11  9:16 ` [PATCH 8/8] scsi: smartpqi: " Takashi Iwai
  7 siblings, 0 replies; 13+ messages in thread
From: Takashi Iwai @ 2020-03-11  9:16 UTC (permalink / raw)
  To: James E . J . Bottomley, Martin K . Petersen
  Cc: linux-scsi, Kashyap Desai, Sumit Saxena, Shivasharan S

Since snprintf() returns the would-be-output size instead of the
actual output size, the succeeding calls may go beyond the given
buffer limit.  Fix it by replacing with scnprintf().

Cc: Kashyap Desai <kashyap.desai@broadcom.com>
Cc: Sumit Saxena <sumit.saxena@broadcom.com>
Cc: Shivasharan S <shivasharan.srikanteshwara@broadcom.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
---
 drivers/scsi/megaraid/megaraid_sas_base.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/drivers/scsi/megaraid/megaraid_sas_base.c b/drivers/scsi/megaraid/megaraid_sas_base.c
index 5bebdd397580..c3554bb12071 100644
--- a/drivers/scsi/megaraid/megaraid_sas_base.c
+++ b/drivers/scsi/megaraid/megaraid_sas_base.c
@@ -2987,7 +2987,8 @@ megasas_dump_sys_regs(void __iomem *reg_set, char *buf)
 	u32 __iomem *reg = (u32 __iomem *)reg_set;
 
 	for (i = 0; i < sz / sizeof(u32); i++) {
-		bytes_wrote += snprintf(loc + bytes_wrote, PAGE_SIZE,
+		bytes_wrote += scnprintf(loc + bytes_wrote,
+					 PAGE_SIZE - bytes_wrote,
 					"%08x: %08x\n", (i * 4),
 					readl(&reg[i]));
 	}
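Review bot: Besides the function swap, this hunk changes the size argument from PAGE_SIZE to PAGE_SIZE - bytes_wrote, which is the actual bound fix: the old call offered a full page at every offset. The commit message only describes the snprintf() return-value issue, so it should mention the corrected size as well. The untouched continuation lines ("%08x: %08x\n", ... and readl(&reg[i])) are also left one column short of the new argument alignment.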
-- 
2.16.4



* [PATCH 7/8] scsi: core: Use scnprintf() for avoiding potential buffer overflow
  2020-03-11  9:16 [PATCH 0/8] scsi: Use scnprintf() for avoiding potential buffer overflow Takashi Iwai
                   ` (5 preceding siblings ...)
  2020-03-11  9:16 ` [PATCH 6/8] scsi: megaraid_sas: " Takashi Iwai
@ 2020-03-11  9:16 ` Takashi Iwai
  2020-03-11 15:12   ` Bart Van Assche
  2020-03-12  9:25   ` John Garry
  2020-03-11  9:16 ` [PATCH 8/8] scsi: smartpqi: " Takashi Iwai
  7 siblings, 2 replies; 13+ messages in thread
From: Takashi Iwai @ 2020-03-11  9:16 UTC (permalink / raw)
  To: James E . J . Bottomley, Martin K . Petersen; +Cc: linux-scsi

Since snprintf() returns the would-be-output size instead of the
actual output size, the succeeding calls may go beyond the given
buffer limit.  Fix it by replacing with scnprintf().

Signed-off-by: Takashi Iwai <tiwai@suse.de>
---
 drivers/scsi/scsi_sysfs.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/drivers/scsi/scsi_sysfs.c b/drivers/scsi/scsi_sysfs.c
index c3a30ba4ae08..6b3644246d3a 100644
--- a/drivers/scsi/scsi_sysfs.c
+++ b/drivers/scsi/scsi_sysfs.c
@@ -1045,14 +1045,14 @@ sdev_show_blacklist(struct device *dev, struct device_attribute *attr,
 			name = sdev_bflags_name[i];
 
 		if (name)
-			len += snprintf(buf + len, PAGE_SIZE - len,
+			len += scnprintf(buf + len, PAGE_SIZE - len,
 					"%s%s", len ? " " : "", name);
 		else
-			len += snprintf(buf + len, PAGE_SIZE - len,
+			len += scnprintf(buf + len, PAGE_SIZE - len,
 					"%sINVALID_BIT(%d)", len ? " " : "", i);
 	}
 	if (len)
-		len += snprintf(buf + len, PAGE_SIZE - len, "\n");
+		len += scnprintf(buf + len, PAGE_SIZE - len, "\n");
 	return len;
 }
 static DEVICE_ATTR(blacklist, S_IRUGO, sdev_show_blacklist, NULL);
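Review bot: The continuation lines of the two converted calls ("%s%s", ... and "%sINVALID_BIT(%d)", ...) keep their old indentation, so they no longer line up with the opening parenthesis now that the function name is one character longer. Re-indent them in the same patch.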
-- 
2.16.4



* [PATCH 8/8] scsi: smartpqi: Use scnprintf() for avoiding potential buffer overflow
  2020-03-11  9:16 [PATCH 0/8] scsi: Use scnprintf() for avoiding potential buffer overflow Takashi Iwai
                   ` (6 preceding siblings ...)
  2020-03-11  9:16 ` [PATCH 7/8] scsi: core: " Takashi Iwai
@ 2020-03-11  9:16 ` Takashi Iwai
  7 siblings, 0 replies; 13+ messages in thread
From: Takashi Iwai @ 2020-03-11  9:16 UTC (permalink / raw)
  To: James E . J . Bottomley, Martin K . Petersen; +Cc: linux-scsi, Don Brace

Since snprintf() returns the would-be-output size instead of the
actual output size, the succeeding calls may go beyond the given
buffer limit.  Fix it by replacing with scnprintf().

Cc: Don Brace <don.brace@microsemi.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
---
 drivers/scsi/smartpqi/smartpqi_init.c | 22 +++++++++++-----------
 1 file changed, 11 insertions(+), 11 deletions(-)

diff --git a/drivers/scsi/smartpqi/smartpqi_init.c b/drivers/scsi/smartpqi/smartpqi_init.c
index b7492568e02f..cd157f11eb22 100644
--- a/drivers/scsi/smartpqi/smartpqi_init.c
+++ b/drivers/scsi/smartpqi/smartpqi_init.c
@@ -1614,28 +1614,28 @@ static void pqi_dev_info(struct pqi_ctrl_info *ctrl_info,
 		"%d:%d:", ctrl_info->scsi_host->host_no, device->bus);
 
 	if (device->target_lun_valid)
-		count += snprintf(buffer + count,
+		count += scnprintf(buffer + count,
 			PQI_DEV_INFO_BUFFER_LENGTH - count,
 			"%d:%d",
 			device->target,
 			device->lun);
 	else
-		count += snprintf(buffer + count,
+		count += scnprintf(buffer + count,
 			PQI_DEV_INFO_BUFFER_LENGTH - count,
 			"-:-");
 
 	if (pqi_is_logical_device(device))
-		count += snprintf(buffer + count,
+		count += scnprintf(buffer + count,
 			PQI_DEV_INFO_BUFFER_LENGTH - count,
 			" %08x%08x",
 			*((u32 *)&device->scsi3addr),
 			*((u32 *)&device->scsi3addr[4]));
 	else
-		count += snprintf(buffer + count,
+		count += scnprintf(buffer + count,
 			PQI_DEV_INFO_BUFFER_LENGTH - count,
 			" %016llx", device->sas_address);
 
-	count += snprintf(buffer + count, PQI_DEV_INFO_BUFFER_LENGTH - count,
+	count += scnprintf(buffer + count, PQI_DEV_INFO_BUFFER_LENGTH - count,
 		" %s %.8s %.16s ",
 		pqi_device_type(device),
 		device->vendor,
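Review bot: The hunk opens on the tail of an earlier call, `"%d:%d:", ctrl_info->scsi_host->host_no, device->bus);`, that this patch does not touch. If that call is also an snprintf() that starts the count accumulation, convert it too so the whole chain in pqi_dev_info() uses one idiom.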
@@ -1643,19 +1643,19 @@ static void pqi_dev_info(struct pqi_ctrl_info *ctrl_info,
 
 	if (pqi_is_logical_device(device)) {
 		if (device->devtype == TYPE_DISK)
-			count += snprintf(buffer + count,
+			count += scnprintf(buffer + count,
 				PQI_DEV_INFO_BUFFER_LENGTH - count,
 				"SSDSmartPathCap%c En%c %-12s",
 				device->raid_bypass_configured ? '+' : '-',
 				device->raid_bypass_enabled ? '+' : '-',
 				pqi_raid_level_to_string(device->raid_level));
 	} else {
-		count += snprintf(buffer + count,
+		count += scnprintf(buffer + count,
 			PQI_DEV_INFO_BUFFER_LENGTH - count,
 			"AIO%c", device->aio_enabled ? '+' : '-');
 		if (device->devtype == TYPE_DISK ||
 			device->devtype == TYPE_ZBC)
-			count += snprintf(buffer + count,
+			count += scnprintf(buffer + count,
 				PQI_DEV_INFO_BUFFER_LENGTH - count,
 				" qd=%-6d", device->queue_depth);
 	}
@@ -6191,14 +6191,14 @@ static ssize_t pqi_lockup_action_show(struct device *dev,
 
 	for (i = 0; i < ARRAY_SIZE(pqi_lockup_actions); i++) {
 		if (pqi_lockup_actions[i].action == pqi_lockup_action)
-			count += snprintf(buffer + count, PAGE_SIZE - count,
+			count += scnprintf(buffer + count, PAGE_SIZE - count,
 				"[%s] ", pqi_lockup_actions[i].name);
 		else
-			count += snprintf(buffer + count, PAGE_SIZE - count,
+			count += scnprintf(buffer + count, PAGE_SIZE - count,
 				"%s ", pqi_lockup_actions[i].name);
 	}
 
-	count += snprintf(buffer + count, PAGE_SIZE - count, "\n");
+	count += scnprintf(buffer + count, PAGE_SIZE - count, "\n");
 
 	return count;
 }
-- 
2.16.4



* Re: [PATCH 7/8] scsi: core: Use scnprintf() for avoiding potential buffer overflow
  2020-03-11  9:16 ` [PATCH 7/8] scsi: core: " Takashi Iwai
@ 2020-03-11 15:12   ` Bart Van Assche
  2020-03-12  9:25   ` John Garry
  1 sibling, 0 replies; 13+ messages in thread
From: Bart Van Assche @ 2020-03-11 15:12 UTC (permalink / raw)
  To: Takashi Iwai, James E . J . Bottomley, Martin K . Petersen; +Cc: linux-scsi

On 3/11/20 2:16 AM, Takashi Iwai wrote:
> Since snprintf() returns the would-be-output size instead of the
> actual output size, the succeeding calls may go beyond the given
> buffer limit.  Fix it by replacing with scnprintf().

Reviewed-by: Bart van Assche <bvanassche@acm.org>


* Re: [PATCH 7/8] scsi: core: Use scnprintf() for avoiding potential buffer overflow
  2020-03-11  9:16 ` [PATCH 7/8] scsi: core: " Takashi Iwai
  2020-03-11 15:12   ` Bart Van Assche
@ 2020-03-12  9:25   ` John Garry
  2020-03-12 11:40     ` Takashi Iwai
  1 sibling, 1 reply; 13+ messages in thread
From: John Garry @ 2020-03-12  9:25 UTC (permalink / raw)
  To: Takashi Iwai, James E . J . Bottomley, Martin K . Petersen; +Cc: linux-scsi

On 11/03/2020 09:16, Takashi Iwai wrote:
> Since snprintf() returns the would-be-output size instead of the
> actual output size, the succeeding calls may go beyond the given
> buffer limit.  Fix it by replacing with scnprintf().
> 
> Signed-off-by: Takashi Iwai <tiwai@suse.de>
> ---
>   drivers/scsi/scsi_sysfs.c | 6 +++---
>   1 file changed, 3 insertions(+), 3 deletions(-)
> 
> diff --git a/drivers/scsi/scsi_sysfs.c b/drivers/scsi/scsi_sysfs.c
> index c3a30ba4ae08..6b3644246d3a 100644
> --- a/drivers/scsi/scsi_sysfs.c
> +++ b/drivers/scsi/scsi_sysfs.c
> @@ -1045,14 +1045,14 @@ sdev_show_blacklist(struct device *dev, struct device_attribute *attr,
>   			name = sdev_bflags_name[i];
>   
>   		if (name)
> -			len += snprintf(buf + len, PAGE_SIZE - len,
> +			len += scnprintf(buf + len, PAGE_SIZE - len,
>   					"%s%s", len ? " " : "", name);

It would be nice to ensure that alignment with the parenthesis is maintained

Thanks

>   		else
> -			len += snprintf(buf + len, PAGE_SIZE - len,
> +			len += scnprintf(buf + len, PAGE_SIZE - len,
>   					"%sINVALID_BIT(%d)", len ? " " : "", i);
>   	}
>   	if (len)
> -		len += snprintf(buf + len, PAGE_SIZE - len, "\n");
> +		len += scnprintf(buf + len, PAGE_SIZE - len, "\n");
>   	return len;
>   }
>   static DEVICE_ATTR(blacklist, S_IRUGO, sdev_show_blacklist, NULL);
> 



* Re: [PATCH 7/8] scsi: core: Use scnprintf() for avoiding potential buffer overflow
  2020-03-12  9:25   ` John Garry
@ 2020-03-12 11:40     ` Takashi Iwai
  0 siblings, 0 replies; 13+ messages in thread
From: Takashi Iwai @ 2020-03-12 11:40 UTC (permalink / raw)
  To: John Garry
  Cc: Takashi Iwai, James E . J . Bottomley, Martin K . Petersen,
	linux-scsi

On Thu, 12 Mar 2020 10:25:11 +0100,
John Garry wrote:
> 
> On 11/03/2020 09:16, Takashi Iwai wrote:
> > Since snprintf() returns the would-be-output size instead of the
> > actual output size, the succeeding calls may go beyond the given
> > buffer limit.  Fix it by replacing with scnprintf().
> >
> > Signed-off-by: Takashi Iwai <tiwai@suse.de>
> > ---
> >   drivers/scsi/scsi_sysfs.c | 6 +++---
> >   1 file changed, 3 insertions(+), 3 deletions(-)
> >
> > diff --git a/drivers/scsi/scsi_sysfs.c b/drivers/scsi/scsi_sysfs.c
> > index c3a30ba4ae08..6b3644246d3a 100644
> > --- a/drivers/scsi/scsi_sysfs.c
> > +++ b/drivers/scsi/scsi_sysfs.c
> > @@ -1045,14 +1045,14 @@ sdev_show_blacklist(struct device *dev, struct device_attribute *attr,
> >   			name = sdev_bflags_name[i];
> >     		if (name)
> > -			len += snprintf(buf + len, PAGE_SIZE - len,
> > +			len += scnprintf(buf + len, PAGE_SIZE - len,
> >   					"%s%s", len ? " " : "", name);
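Review bot: for the `name` branch, `len += scnprintf(buf + len, PAGE_SIZE - len,`, the commit message says succeeding calls "may go beyond the given buffer limit" but does not say whether the flag names can actually add up to more than PAGE_SIZE in this function. Please state whether this is hardening or a reachable overflow, since that decides whether a Fixes: tag and a stable backport are wanted.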
> 
> It would be nice to ensure that alignment with the parenthesis is maintained

OK, will respin v2 with that change.


thanks,

Takashi


* RE: [PATCH 1/8] scsi: aacraid: Use scnprintf() for avoiding potential buffer overflow
  2020-03-11  9:16 ` [PATCH 1/8] scsi: aacraid: " Takashi Iwai
@ 2020-03-13  5:47   ` Balsundar.P
  0 siblings, 0 replies; 13+ messages in thread
From: Balsundar.P @ 2020-03-13  5:47 UTC (permalink / raw)
  To: tiwai, jejb, martin.petersen; +Cc: linux-scsi, aacraid

Acked-by: Balsundar P <Balsundar.P@microchip.com>

-----Original Message-----
From: Takashi Iwai <tiwai@suse.de> 
Sent: Wednesday, March 11, 2020 14:46
To: James E . J . Bottomley <jejb@linux.ibm.com>; Martin K . Petersen <martin.petersen@oracle.com>
Cc: linux-scsi@vger.kernel.org; Adaptec OEM Raid Solutions <aacraid@microsemi.com>
Subject: [PATCH 1/8] scsi: aacraid: Use scnprintf() for avoiding potential buffer overflow

Since snprintf() returns the would-be-output size instead of the actual output size, the succeeding calls may go beyond the given buffer limit.  Fix it by replacing with scnprintf().

Cc: Adaptec OEM Raid Solutions <aacraid@microsemi.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
---
 drivers/scsi/aacraid/linit.c | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/drivers/scsi/aacraid/linit.c b/drivers/scsi/aacraid/linit.c index b1d133de29ab..046fef4ff1f0 100644
--- a/drivers/scsi/aacraid/linit.c
+++ b/drivers/scsi/aacraid/linit.c
@@ -1287,20 +1287,20 @@ static ssize_t aac_show_flags(struct device *cdev,
        if (nblank(dprintk(x)))
                len = snprintf(buf, PAGE_SIZE, "dprintk\n");  #ifdef AAC_DETAILED_STATUS_INFO
-       len += snprintf(buf + len, PAGE_SIZE - len,
+       len += scnprintf(buf + len, PAGE_SIZE - len,
                        "AAC_DETAILED_STATUS_INFO\n");  #endif
        if (dev->raw_io_interface && dev->raw_io_64)
-               len += snprintf(buf + len, PAGE_SIZE - len,
+               len += scnprintf(buf + len, PAGE_SIZE - len,
                                "SAI_READ_CAPACITY_16\n");
        if (dev->jbod)
-               len += snprintf(buf + len, PAGE_SIZE - len, "SUPPORTED_JBOD\n");
+               len += scnprintf(buf + len, PAGE_SIZE - len, 
+ "SUPPORTED_JBOD\n");
        if (dev->supplement_adapter_info.supported_options2 &
                AAC_OPTION_POWER_MANAGEMENT)
-               len += snprintf(buf + len, PAGE_SIZE - len,
+               len += scnprintf(buf + len, PAGE_SIZE - len,
                                "SUPPORTED_POWER_MANAGEMENT\n");
        if (dev->msi)
-               len += snprintf(buf + len, PAGE_SIZE - len, "PCI_HAS_MSI\n");
+               len += scnprintf(buf + len, PAGE_SIZE - len, 
+ "PCI_HAS_MSI\n");
        return len;
 }
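Review bot: the first call in this hunk, `len = snprintf(buf, PAGE_SIZE, "dprintk\n");`, is left as snprintf() while every `len +=` call after it is converted. The string is short, so its return value cannot exceed PAGE_SIZE, but converting it as well keeps aac_show_flags() on a single pattern and spares the next reader from re-checking the one call that differs.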

--
2.16.4
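
The return-value difference the commit messages in this thread describe, as an added userspace example that is not part of the patch series or of the kernel. `scn_printf()` is a hypothetical stand-in for scnprintf(), and `BUF_SIZE` and the flag names are constructed for the demonstration.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 16 /* assumed small stand-in for PAGE_SIZE */

/* Constructed flag names: joined with spaces they need 20 bytes. */
static const char *names[] = { "FLAG_A", "FLAG_B", "FLAG_C" };

/* Userspace stand-in for scnprintf() (assumption, not kernel code):
 * returns the characters actually stored, excluding the NUL. */
static int scn_printf(char *buf, size_t size, const char *fmt, ...)
{
    va_list ap;
    int n;
    if (size == 0)
        return 0;
    va_start(ap, fmt);
    n = vsnprintf(buf, size, fmt, ap);
    va_end(ap);
    if (n < 0)
        return 0;
    return (size_t)n < size ? n : (int)(size - 1);
}

/* snprintf() pattern. The loop stops once len passes the end so the demo
 * never forms buf + len out of bounds; the returned len shows the overshoot. */
size_t accumulate_snprintf(char *buf)
{
    size_t len = 0;

    for (int i = 0; i < 3 && len < BUF_SIZE; i++)
        len += snprintf(buf + len, BUF_SIZE - len, "%s%s",
                        len ? " " : "", names[i]);
    return len;
}

/* Same loop with the bounded return value: len can never exceed BUF_SIZE - 1,
 * but the last name and the trailing newline are silently cut. */
size_t accumulate_scnprintf(char *buf)
{
    size_t len = 0;

    for (int i = 0; i < 3; i++)
        len += scn_printf(buf + len, BUF_SIZE - len, "%s%s",
                          len ? " " : "", names[i]);
    len += scn_printf(buf + len, BUF_SIZE - len, "\n");
    return len;
}
```

With the 16-byte buffer the snprintf() loop ends with `len` at 20, four past the end, while the bounded loop ends at 15 with the output cut to "FLAG_A FLAG_B F" and no newline.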

