From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Insu Yun <wuninsu@gmail.com>,
Shane Seymour <shane.seymour@hpe.com>,
"Martin K. Petersen" <martin.petersen@oracle.com>,
Ben Hutchings <ben@decadent.org.uk>
Subject: [PATCH 3.14 59/76] ipr: Fix out-of-bounds null overwrite
Date: Sun, 10 Apr 2016 11:37:07 -0700 [thread overview]
Message-ID: <20160410183518.231632991@linuxfoundation.org> (raw)
In-Reply-To: <20160410183516.090999097@linuxfoundation.org>
3.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Insu Yun <wuninsu@gmail.com>
commit d63c7dd5bcb9441af0526d370c43a65ca2c980d9 upstream.
Return value of snprintf is not bound by size value, 2nd argument.
(https://www.kernel.org/doc/htmldocs/kernel-api/API-snprintf.html).
Return value is number of printed chars, can be larger than 2nd
argument. Therefore, it can write null byte out of bounds ofbuffer.
Since snprintf puts null, it does not need to put additional null byte.
Signed-off-by: Insu Yun <wuninsu@gmail.com>
Reviewed-by: Shane Seymour <shane.seymour@hpe.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Cc: Ben Hutchings <ben@decadent.org.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/scsi/ipr.c | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)
--- a/drivers/scsi/ipr.c
+++ b/drivers/scsi/ipr.c
@@ -3946,13 +3946,12 @@ static ssize_t ipr_store_update_fw(struc
struct ipr_sglist *sglist;
char fname[100];
char *src;
- int len, result, dnld_size;
+ int result, dnld_size;
if (!capable(CAP_SYS_ADMIN))
return -EACCES;
- len = snprintf(fname, 99, "%s", buf);
- fname[len-1] = '\0';
+ snprintf(fname, sizeof(fname), "%s", buf);
if (request_firmware(&fw_entry, fname, &ioa_cfg->pdev->dev)) {
dev_err(&ioa_cfg->pdev->dev, "Firmware file %s not found\n", fname);
next prev parent reply other threads:[~2016-04-10 19:27 UTC|newest]
Thread overview: 84+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-04-10 18:36 [PATCH 3.14 00/76] 3.14.66-stable review Greg Kroah-Hartman
2016-04-10 18:36 ` [PATCH 3.14 01/76] target: Drop incorrect ABORT_TASK put for completed commands Greg Kroah-Hartman
2016-04-10 18:36 ` [PATCH 3.14 02/76] USB: serial: add Google simple serial SubClass support Greg Kroah-Hartman
2016-04-10 18:36 ` [PATCH 3.14 04/76] KVM: fix spin_lock_init order on x86 Greg Kroah-Hartman
2016-04-10 18:36 ` [PATCH 3.14 05/76] KVM: VMX: avoid guest hang on invalid invept instruction Greg Kroah-Hartman
2016-04-10 18:36 ` [PATCH 3.14 06/76] EDAC, amd64_edac: Shift wrapping issue in f1x_get_norm_dct_addr() Greg Kroah-Hartman
2016-04-10 18:36 ` [PATCH 3.14 07/76] PCI: Disable IO/MEM decoding for devices with non-compliant BARs Greg Kroah-Hartman
2016-04-10 18:36 ` [PATCH 3.14 08/76] x86/apic: Fix suspicious RCU usage in smp_trace_call_function_interrupt() Greg Kroah-Hartman
2016-04-10 18:36 ` [PATCH 3.14 09/76] x86/iopl: Fix iopl capability check on Xen PV Greg Kroah-Hartman
2016-04-10 18:36 ` [PATCH 3.14 10/76] sg: fix dxferp in from_to case Greg Kroah-Hartman
2016-04-10 18:36 ` [PATCH 3.14 11/76] aacraid: Fix memory leak in aac_fib_map_free Greg Kroah-Hartman
2016-04-10 18:36 ` [PATCH 3.14 12/76] be2iscsi: set the boot_kset pointer to NULL in case of failure Greg Kroah-Hartman
2016-04-10 18:36 ` [PATCH 3.14 13/76] usb: retry reset if a device times out Greg Kroah-Hartman
2016-04-10 18:36 ` [PATCH 3.14 14/76] usb: hub: fix a typo in hub_port_init() leading to wrong logic Greg Kroah-Hartman
2016-04-10 18:36 ` [PATCH 3.14 15/76] USB: uas: Reduce can_queue to MAX_CMNDS Greg Kroah-Hartman
2016-04-11 11:52 ` Jiri Slaby
2016-04-12 14:14 ` Greg Kroah-Hartman
2016-04-10 18:36 ` [PATCH 3.14 16/76] USB: cdc-acm: more sanity checking Greg Kroah-Hartman
2016-04-10 18:36 ` [PATCH 3.14 17/76] USB: iowarrior: fix oops with malicious USB descriptors Greg Kroah-Hartman
2016-04-10 18:36 ` [PATCH 3.14 18/76] USB: usb_driver_claim_interface: add sanity checking Greg Kroah-Hartman
2016-04-10 18:36 ` [PATCH 3.14 19/76] USB: mct_u232: add sanity checking in probe Greg Kroah-Hartman
2016-04-10 18:36 ` [PATCH 3.14 20/76] USB: digi_acceleport: do sanity checking for the number of ports Greg Kroah-Hartman
2016-04-10 18:36 ` [PATCH 3.14 21/76] USB: cypress_m8: add endpoint sanity check Greg Kroah-Hartman
2016-04-10 18:36 ` [PATCH 3.14 22/76] USB: serial: cp210x: Adding GE Healthcare Device ID Greg Kroah-Hartman
2016-04-10 18:36 ` [PATCH 3.14 23/76] USB: serial: ftdi_sio: Add support for ICP DAS I-756xU devices Greg Kroah-Hartman
2016-04-10 18:36 ` [PATCH 3.14 25/76] [media] pwc: Add USB id for Philips Spc880nc webcam Greg Kroah-Hartman
2016-04-10 18:36 ` [PATCH 3.14 26/76] Input: powermate - fix oops with malicious USB descriptors Greg Kroah-Hartman
2016-04-10 18:36 ` [PATCH 3.14 27/76] ALSA: usb-audio: Fix NULL dereference in create_fixed_stream_quirk() Greg Kroah-Hartman
2016-04-10 18:36 ` [PATCH 3.14 28/76] ALSA: usb-audio: Add sanity checks for endpoint accesses Greg Kroah-Hartman
2016-04-10 18:36 ` [PATCH 3.14 29/76] ALSA: usb-audio: Minor code cleanup in create_fixed_stream_quirk() Greg Kroah-Hartman
2016-04-10 18:36 ` [PATCH 3.14 30/76] ALSA: usb-audio: Fix double-free in error paths after snd_usb_add_audio_stream() call Greg Kroah-Hartman
2016-04-10 18:36 ` [PATCH 3.14 31/76] Bluetooth: btusb: Add new AR3012 ID 13d3:3395 Greg Kroah-Hartman
2016-04-10 18:36 ` [PATCH 3.14 32/76] Bluetooth: btusb: Add a new AR3012 ID 04ca:3014 Greg Kroah-Hartman
2016-04-10 18:36 ` [PATCH 3.14 33/76] Bluetooth: btusb: Add a new AR3012 ID 13d3:3472 Greg Kroah-Hartman
2016-04-10 18:36 ` [PATCH 3.14 34/76] crypto: ccp - Add hash state import and export support Greg Kroah-Hartman
2016-04-10 18:36 ` [PATCH 3.14 35/76] crypto: ccp - Limit the amount of information exported Greg Kroah-Hartman
2016-04-10 18:36 ` [PATCH 3.14 36/76] crypto: ccp - Dont assume export/import areas are aligned Greg Kroah-Hartman
2016-04-10 18:36 ` [PATCH 3.14 37/76] crypto: ccp - memset request context to zero during import Greg Kroah-Hartman
2016-04-10 18:36 ` [PATCH 3.14 38/76] HID: logitech: fix Dual Action gamepad support Greg Kroah-Hartman
2016-04-10 18:36 ` [PATCH 3.14 39/76] net: irda: Fix use-after-free in irtty_open() Greg Kroah-Hartman
2016-04-10 18:36 ` [PATCH 3.14 40/76] 8250: use callbacks to access UART_DLL/UART_DLM Greg Kroah-Hartman
2016-04-10 18:36 ` [PATCH 3.14 41/76] [media] saa7134: Fix bytesperline not being set correctly for planar formats Greg Kroah-Hartman
2016-04-10 18:36 ` [PATCH 3.14 42/76] [media] adv7511: TX_EDID_PRESENT is still 1 after a disconnect Greg Kroah-Hartman
2016-04-10 18:36 ` [PATCH 3.14 43/76] [media] bttv: Width must be a multiple of 16 when capturing planar formats Greg Kroah-Hartman
2016-04-10 18:36 ` [PATCH 3.14 44/76] [media] media: v4l2-compat-ioctl32: fix missing length copy in put_v4l2_buffer32 Greg Kroah-Hartman
2016-04-10 18:36 ` [PATCH 3.14 45/76] ALSA: intel8x0: Add clock quirk entry for AD1981B on IBM ThinkPad X41 Greg Kroah-Hartman
2016-04-10 18:36 ` [PATCH 3.14 46/76] ALSA: hda - Fix unconditional GPIO toggle via automute Greg Kroah-Hartman
2016-04-10 18:36 ` [PATCH 3.14 47/76] jbd2: fix FS corruption possibility in jbd2_journal_destroy() on umount path Greg Kroah-Hartman
2016-04-10 18:36 ` [PATCH 3.14 48/76] bcache: fix cache_set_flush() NULL pointer dereference on OOM Greg Kroah-Hartman
2016-04-10 18:36 ` [PATCH 3.14 49/76] watchdog: rc32434_wdt: fix ioctl error handling Greg Kroah-Hartman
2016-04-10 18:36 ` [PATCH 3.14 50/76] Bluetooth: Add new AR3012 ID 0489:e095 Greg Kroah-Hartman
2016-04-10 18:36 ` [PATCH 3.14 51/76] splice: handle zero nr_pages in splice_to_pipe() Greg Kroah-Hartman
2016-04-10 18:37 ` [PATCH 3.14 52/76] xtensa: ISS: dont hang if stdin EOF is reached Greg Kroah-Hartman
2016-04-10 18:37 ` [PATCH 3.14 53/76] xtensa: clear all DBREAKC registers on start Greg Kroah-Hartman
2016-04-10 18:37 ` [PATCH 3.14 54/76] xfs: fix two memory leaks in xfs_attr_list.c error paths Greg Kroah-Hartman
2016-04-10 18:37 ` [PATCH 3.14 55/76] md/raid5: Compare apples to apples (or sectors to sectors) Greg Kroah-Hartman
2016-04-10 18:37 ` [PATCH 3.14 56/76] md: multipath: dont hardcopy bio in .make_request path Greg Kroah-Hartman
2016-04-10 18:37 ` [PATCH 3.14 57/76] fs/coredump: prevent fsuid=0 dumps into user-controlled directories Greg Kroah-Hartman
2016-04-10 18:37 ` [PATCH 3.14 58/76] rapidio/rionet: fix deadlock on SMP Greg Kroah-Hartman
2016-04-10 18:37 ` Greg Kroah-Hartman [this message]
2016-04-10 18:37 ` [PATCH 3.14 60/76] ipr: Fix regression when loading firmware Greg Kroah-Hartman
2016-04-10 18:37 ` [PATCH 3.14 61/76] drm/radeon: Dont drop DP 2.7 Ghz link setup on some cards Greg Kroah-Hartman
2016-04-10 18:37 ` [PATCH 3.14 62/76] tracing: Have preempt(irqs)off trace preempt disabled functions Greg Kroah-Hartman
2016-04-10 18:37 ` [PATCH 3.14 63/76] tracing: Fix crash from reading trace_pipe with sendfile Greg Kroah-Hartman
2016-04-10 18:37 ` [PATCH 3.14 64/76] tracing: Fix trace_printk() to print when not using bprintk() Greg Kroah-Hartman
2016-04-10 18:37 ` [PATCH 3.14 65/76] bitops: Do not default to __clear_bit() for __clear_bit_unlock() Greg Kroah-Hartman
2016-04-10 18:37 ` [PATCH 3.14 66/76] scripts/coccinelle: modernize & Greg Kroah-Hartman
2016-04-10 18:37 ` [PATCH 3.14 67/76] kbuild/mkspec: fix grub2 installkernel issue Greg Kroah-Hartman
2016-04-10 18:37 ` [PATCH 3.14 68/76] target: Fix target_release_cmd_kref shutdown comp leak Greg Kroah-Hartman
2016-04-10 18:37 ` [PATCH 3.14 69/76] Input: ims-pcu - sanity check against missing interfaces Greg Kroah-Hartman
2016-04-10 18:37 ` [PATCH 3.14 70/76] Input: ati_remote2 - fix crashes on detecting device with invalid descriptor Greg Kroah-Hartman
2016-04-10 18:37 ` [PATCH 3.14 71/76] ocfs2/dlm: fix race between convert and recovery Greg Kroah-Hartman
2016-04-10 18:37 ` [PATCH 3.14 72/76] ocfs2/dlm: fix BUG in dlm_move_lockres_to_recovery_list Greg Kroah-Hartman
2016-04-10 18:37 ` [PATCH 3.14 73/76] mtd: onenand: fix deadlock in onenand_block_markbad Greg Kroah-Hartman
2016-04-10 18:37 ` [PATCH 3.14 74/76] sched/cputime: Fix steal time accounting vs. CPU hotplug Greg Kroah-Hartman
2016-04-10 18:37 ` [PATCH 3.14 75/76] perf/x86/intel: Use PAGE_SIZE for PEBS buffer size on Core2 Greg Kroah-Hartman
2016-04-11 7:01 ` Jiri Slaby
2016-04-12 14:14 ` Greg Kroah-Hartman
2016-04-10 18:37 ` [PATCH 3.14 76/76] perf/x86/intel: Fix PEBS data source interpretation on Nehalem/Westmere Greg Kroah-Hartman
2016-04-10 20:01 ` [PATCH 3.14 00/76] 3.14.66-stable review Guenter Roeck
2016-04-10 20:38 ` Greg Kroah-Hartman
2016-04-11 3:14 ` Guenter Roeck
2016-04-12 14:14 ` Greg Kroah-Hartman
2016-04-11 17:27 ` shuahkh
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20160410183518.231632991@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=ben@decadent.org.uk \
--cc=linux-kernel@vger.kernel.org \
--cc=martin.petersen@oracle.com \
--cc=shane.seymour@hpe.com \
--cc=stable@vger.kernel.org \
--cc=wuninsu@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).