Linux SCSI subsystem development
* [PATCH] scsi: libfc: Fix potential buffer overflow in fc_ct_ms_fill()
@ 2025-09-15 18:37 Alok Tiwari
  2025-09-25  1:57 ` Martin K. Petersen
  2025-09-30  2:36 ` Martin K. Petersen
  0 siblings, 2 replies; 3+ messages in thread
From: Alok Tiwari @ 2025-09-15 18:37 UTC (permalink / raw)
  To: martin.petersen, hare, James.Bottomley, linux-scsi
  Cc: alok.a.tiwari, linux-kernel

The fc_ct_ms_fill() helper currently formats the OS name and version
into entry->value using "%s v%s". Since init_utsname()->sysname and
->release are unbounded strings, snprintf() may attempt to write more
than FC_FDMI_HBA_ATTR_OSNAMEVERSION_LEN bytes, triggering a
-Wformat-truncation warning with W=1.

In file included from drivers/scsi/libfc/fc_elsct.c:18:
drivers/scsi/libfc/fc_encode.h: In function ‘fc_ct_ms_fill.constprop’:
drivers/scsi/libfc/fc_encode.h:359:30: error: ‘%s’ directive output may
be truncated writing up to 64 bytes into a region of size between 62
and 126 [-Werror=format-truncation=]
  359 |                         "%s v%s",
      |                              ^~
  360 |                         init_utsname()->sysname,
  361 |                         init_utsname()->release);
      |                         ~~~~~~~~~~~~~~~~~~~~~~~
drivers/scsi/libfc/fc_encode.h:357:17: note: ‘snprintf’ output between
3 and 131 bytes into a destination of size 128
  357 |                 snprintf((char *)&entry->value,
      |                 ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  358 |                         FC_FDMI_HBA_ATTR_OSNAMEVERSION_LEN,
      |                         ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  359 |                         "%s v%s",
      |                         ~~~~~~~~~
  360 |                         init_utsname()->sysname,
      |                         ~~~~~~~~~~~~~~~~~~~~~~~~
  361 |                         init_utsname()->release);
      |                         ~~~~~~~~~~~~~~~~~~~~~~~~

Fix this by using "%.62s v%.62s", which ensures both sysname and
release are truncated to fit within the 64-byte field defined by
FC_FDMI_HBA_ATTR_OSNAMEVERSION_LEN.

Signed-off-by: Alok Tiwari <alok.a.tiwari@oracle.com>
---
 drivers/scsi/libfc/fc_encode.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/scsi/libfc/fc_encode.h b/drivers/scsi/libfc/fc_encode.h
index 02e31db31d68..e046091a549a 100644
--- a/drivers/scsi/libfc/fc_encode.h
+++ b/drivers/scsi/libfc/fc_encode.h
@@ -356,7 +356,7 @@ static inline int fc_ct_ms_fill(struct fc_lport *lport,
 		put_unaligned_be16(len, &entry->len);
 		snprintf((char *)&entry->value,
 			FC_FDMI_HBA_ATTR_OSNAMEVERSION_LEN,
-			"%s v%s",
+			"%.62s v%.62s",
 			init_utsname()->sysname,
 			init_utsname()->release);
 
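Review bot: The precision 62 in "%.62s v%.62s" is a magic number with no visible link to FC_FDMI_HBA_ATTR_OSNAMEVERSION_LEN, and the commit message's "64-byte field" does not match the compiler note quoted above it, which reports "a destination of size 128". With a 128-byte destination the worst case is 62 + 2 + 62 = 126 characters plus the terminating NUL, so the new format fits, but only while the constant stays at 128. A short comment stating that arithmetic, or a precision passed through "%.*s" and computed from the constant, would keep the format and the buffer size from drifting apart. Because snprintf() is already given the size as its bound, the old "%s v%s" could truncate the output but could not write past entry->value, so a subject along the lines of "Fix format-truncation warning" would describe the change more accurately than "buffer overflow".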
-- 
2.50.1



* Re: [PATCH] scsi: libfc: Fix potential buffer overflow in fc_ct_ms_fill()
  2025-09-15 18:37 [PATCH] scsi: libfc: Fix potential buffer overflow in fc_ct_ms_fill() Alok Tiwari
@ 2025-09-25  1:57 ` Martin K. Petersen
  2025-09-30  2:36 ` Martin K. Petersen
  1 sibling, 0 replies; 3+ messages in thread
From: Martin K. Petersen @ 2025-09-25  1:57 UTC (permalink / raw)
  To: Alok Tiwari
  Cc: martin.petersen, hare, James.Bottomley, linux-scsi, linux-kernel


Alok,

> The fc_ct_ms_fill() helper currently formats the OS name and version
> into entry->value using "%s v%s". Since init_utsname()->sysname and
> ->release are unbounded strings, snprintf() may attempt to write more
> than FC_FDMI_HBA_ATTR_OSNAMEVERSION_LEN bytes, triggering a
> -Wformat-truncation warning with W=1.

Applied to 6.18/scsi-staging, thanks!

-- 
Martin K. Petersen


* Re: [PATCH] scsi: libfc: Fix potential buffer overflow in fc_ct_ms_fill()
  2025-09-15 18:37 [PATCH] scsi: libfc: Fix potential buffer overflow in fc_ct_ms_fill() Alok Tiwari
  2025-09-25  1:57 ` Martin K. Petersen
@ 2025-09-30  2:36 ` Martin K. Petersen
  1 sibling, 0 replies; 3+ messages in thread
From: Martin K. Petersen @ 2025-09-30  2:36 UTC (permalink / raw)
  To: hare, James.Bottomley, linux-scsi, Alok Tiwari
  Cc: Martin K . Petersen, linux-kernel

On Mon, 15 Sep 2025 11:37:57 -0700, Alok Tiwari wrote:

> The fc_ct_ms_fill() helper currently formats the OS name and version
> into entry->value using "%s v%s". Since init_utsname()->sysname and
> ->release are unbounded strings, snprintf() may attempt to write more
> than FC_FDMI_HBA_ATTR_OSNAMEVERSION_LEN bytes, triggering a
> -Wformat-truncation warning with W=1.
> 
> In file included from drivers/scsi/libfc/fc_elsct.c:18:
> drivers/scsi/libfc/fc_encode.h: In function ‘fc_ct_ms_fill.constprop’:
> drivers/scsi/libfc/fc_encode.h:359:30: error: ‘%s’ directive output may
> be truncated writing up to 64 bytes into a region of size between 62
> and 126 [-Werror=format-truncation=]
>   359 |                         "%s v%s",
>       |                              ^~
>   360 |                         init_utsname()->sysname,
>   361 |                         init_utsname()->release);
>       |                         ~~~~~~~~~~~~~~~~~~~~~~~
> drivers/scsi/libfc/fc_encode.h:357:17: note: ‘snprintf’ output between
> 3 and 131 bytes into a destination of size 128
>   357 |                 snprintf((char *)&entry->value,
>       |                 ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>   358 |                         FC_FDMI_HBA_ATTR_OSNAMEVERSION_LEN,
>       |                         ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>   359 |                         "%s v%s",
>       |                         ~~~~~~~~~
>   360 |                         init_utsname()->sysname,
>       |                         ~~~~~~~~~~~~~~~~~~~~~~~~
>   361 |                         init_utsname()->release);
>       |                         ~~~~~~~~~~~~~~~~~~~~~~~~
> 
> [...]

Applied to 6.18/scsi-queue, thanks!

[1/1] scsi: libfc: Fix potential buffer overflow in fc_ct_ms_fill()
      https://git.kernel.org/mkp/scsi/c/072fdd4b0be9

-- 
Martin K. Petersen
