From patchwork Wed Mar 11 09:16:23 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Takashi Iwai X-Patchwork-Id: 11431179 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id C544A17D5 for ; Wed, 11 Mar 2020 09:16:36 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id A47C02146E for ; Wed, 11 Mar 2020 09:16:36 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728668AbgCKJQg (ORCPT ); Wed, 11 Mar 2020 05:16:36 -0400 Received: from mx2.suse.de ([195.135.220.15]:47692 "EHLO mx2.suse.de" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726097AbgCKJQg (ORCPT ); Wed, 11 Mar 2020 05:16:36 -0400 X-Virus-Scanned: by amavisd-new at test-mx.suse.de Received: from relay2.suse.de (unknown [195.135.220.254]) by mx2.suse.de (Postfix) with ESMTP id 92716AAB8; Wed, 11 Mar 2020 09:16:34 +0000 (UTC) From: Takashi Iwai To: "James E . J . Bottomley" , "Martin K . Petersen" Cc: linux-scsi@vger.kernel.org, Adaptec OEM Raid Solutions Subject: [PATCH 1/8] scsi: aacraid: Use scnprintf() for avoiding potential buffer overflow Date: Wed, 11 Mar 2020 10:16:23 +0100 Message-Id: <20200311091630.22565-2-tiwai@suse.de> X-Mailer: git-send-email 2.16.4 In-Reply-To: <20200311091630.22565-1-tiwai@suse.de> References: <20200311091630.22565-1-tiwai@suse.de> Sender: linux-scsi-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-scsi@vger.kernel.org Since snprintf() returns the would-be-output size instead of the actual output size, the succeeding calls may go beyond the given buffer limit. Fix it by replacing with scnprintf(). Cc: Adaptec OEM Raid Solutions Signed-off-by: Takashi Iwai Acked-by: Balsundar P < Balsundar.P@microchip.com> Signed-off-by: Takashi Iwai --- drivers/scsi/aacraid/linit.c | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/drivers/scsi/aacraid/linit.c b/drivers/scsi/aacraid/linit.c index b1d133de29ab..046fef4ff1f0 100644 --- a/drivers/scsi/aacraid/linit.c +++ b/drivers/scsi/aacraid/linit.c @@ -1287,20 +1287,20 @@ static ssize_t aac_show_flags(struct device *cdev, if (nblank(dprintk(x))) len = snprintf(buf, PAGE_SIZE, "dprintk\n"); #ifdef AAC_DETAILED_STATUS_INFO - len += snprintf(buf + len, PAGE_SIZE - len, + len += scnprintf(buf + len, PAGE_SIZE - len, "AAC_DETAILED_STATUS_INFO\n"); #endif if (dev->raw_io_interface && dev->raw_io_64) - len += snprintf(buf + len, PAGE_SIZE - len, + len += scnprintf(buf + len, PAGE_SIZE - len, "SAI_READ_CAPACITY_16\n"); if (dev->jbod) - len += snprintf(buf + len, PAGE_SIZE - len, "SUPPORTED_JBOD\n"); + len += scnprintf(buf + len, PAGE_SIZE - len, "SUPPORTED_JBOD\n"); if (dev->supplement_adapter_info.supported_options2 & AAC_OPTION_POWER_MANAGEMENT) - len += snprintf(buf + len, PAGE_SIZE - len, + len += scnprintf(buf + len, PAGE_SIZE - len, "SUPPORTED_POWER_MANAGEMENT\n"); if (dev->msi) - len += snprintf(buf + len, PAGE_SIZE - len, "PCI_HAS_MSI\n"); + len += scnprintf(buf + len, PAGE_SIZE - len, "PCI_HAS_MSI\n"); return len; } From patchwork Wed Mar 11 09:16:24 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Takashi Iwai X-Patchwork-Id: 11431181 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id DA72F17D5 for ; Wed, 11 Mar 2020 09:16:38 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id B65032146E for ; Wed, 11 Mar 2020 09:16:38 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728704AbgCKJQi (ORCPT ); Wed, 11 Mar 2020 05:16:38 -0400 Received: from mx2.suse.de ([195.135.220.15]:47704 "EHLO mx2.suse.de" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726160AbgCKJQg (ORCPT ); Wed, 11 Mar 2020 05:16:36 -0400 X-Virus-Scanned: by amavisd-new at test-mx.suse.de Received: from relay2.suse.de (unknown [195.135.220.254]) by mx2.suse.de (Postfix) with ESMTP id E138EAE85; Wed, 11 Mar 2020 09:16:34 +0000 (UTC) From: Takashi Iwai To: "James E . J . Bottomley" , "Martin K . Petersen" Cc: linux-scsi@vger.kernel.org, Subbu Seetharaman , Ketan Mukadam , Jitendra Bhivare Subject: [PATCH 2/8] scsi: be2iscsi: Use scnprintf() for avoiding potential buffer overflow Date: Wed, 11 Mar 2020 10:16:24 +0100 Message-Id: <20200311091630.22565-3-tiwai@suse.de> X-Mailer: git-send-email 2.16.4 In-Reply-To: <20200311091630.22565-1-tiwai@suse.de> References: <20200311091630.22565-1-tiwai@suse.de> Sender: linux-scsi-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-scsi@vger.kernel.org Since snprintf() returns the would-be-output size instead of the actual output size, the succeeding calls may go beyond the given buffer limit. Fix it by replacing with scnprintf(). Cc: Subbu Seetharaman Cc: Ketan Mukadam Cc: Jitendra Bhivare Signed-off-by: Takashi Iwai --- drivers/scsi/be2iscsi/be_mgmt.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/drivers/scsi/be2iscsi/be_mgmt.c b/drivers/scsi/be2iscsi/be_mgmt.c index d4febaadfaa3..3ae8d2b4ea31 100644 --- a/drivers/scsi/be2iscsi/be_mgmt.c +++ b/drivers/scsi/be2iscsi/be_mgmt.c @@ -1178,11 +1178,11 @@ beiscsi_active_session_disp(struct device *dev, struct device_attribute *attr, if (test_bit(ulp_num, (void *)&phba->fw_config.ulp_supported)) { avlbl_cids = BEISCSI_ULP_AVLBL_CID(phba, ulp_num); total_cids = BEISCSI_GET_CID_COUNT(phba, ulp_num); - len += snprintf(buf+len, PAGE_SIZE - len, + len += scnprintf(buf+len, PAGE_SIZE - len, "ULP%d : %d\n", ulp_num, (total_cids - avlbl_cids)); } else - len += snprintf(buf+len, PAGE_SIZE - len, + len += scnprintf(buf+len, PAGE_SIZE - len, "ULP%d : %d\n", ulp_num, 0); } @@ -1208,11 +1208,11 @@ beiscsi_free_session_disp(struct device *dev, struct device_attribute *attr, for (ulp_num = 0; ulp_num < BEISCSI_ULP_COUNT; ulp_num++) { if (test_bit(ulp_num, (void *)&phba->fw_config.ulp_supported)) - len += snprintf(buf+len, PAGE_SIZE - len, + len += scnprintf(buf+len, PAGE_SIZE - len, "ULP%d : %d\n", ulp_num, BEISCSI_ULP_AVLBL_CID(phba, ulp_num)); else - len += snprintf(buf+len, PAGE_SIZE - len, + len += scnprintf(buf+len, PAGE_SIZE - len, "ULP%d : %d\n", ulp_num, 0); } From patchwork Wed Mar 11 09:16:25 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Takashi Iwai X-Patchwork-Id: 11431183 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 56F78139A for ; Wed, 11 Mar 2020 09:16:39 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id 2BD1E20848 for ; Wed, 11 Mar 2020 09:16:39 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728708AbgCKJQi (ORCPT ); Wed, 11 Mar 2020 05:16:38 -0400 Received: from mx2.suse.de ([195.135.220.15]:47720 "EHLO mx2.suse.de" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1728651AbgCKJQi (ORCPT ); Wed, 11 Mar 2020 05:16:38 -0400 X-Virus-Scanned: by amavisd-new at test-mx.suse.de Received: from relay2.suse.de (unknown [195.135.220.254]) by mx2.suse.de (Postfix) with ESMTP id 3DFB8AE87; Wed, 11 Mar 2020 09:16:35 +0000 (UTC) From: Takashi Iwai To: "James E . J . Bottomley" , "Martin K . Petersen" Cc: linux-scsi@vger.kernel.org, Satish Kharat , Sesidhar Baddela , Karan Tilak Kumar Subject: [PATCH 3/8] scsi: fnic: Use scnprintf() for avoiding potential buffer overflow Date: Wed, 11 Mar 2020 10:16:25 +0100 Message-Id: <20200311091630.22565-4-tiwai@suse.de> X-Mailer: git-send-email 2.16.4 In-Reply-To: <20200311091630.22565-1-tiwai@suse.de> References: <20200311091630.22565-1-tiwai@suse.de> Sender: linux-scsi-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-scsi@vger.kernel.org Since snprintf() returns the would-be-output size instead of the actual output size, the succeeding calls may go beyond the given buffer limit. Fix it by replacing with scnprintf(). Cc: Satish Kharat Cc: Sesidhar Baddela Cc: Karan Tilak Kumar Signed-off-by: Takashi Iwai --- drivers/scsi/fnic/fnic_trace.c | 58 +++++++++++++++++++++--------------------- 1 file changed, 29 insertions(+), 29 deletions(-) diff --git a/drivers/scsi/fnic/fnic_trace.c b/drivers/scsi/fnic/fnic_trace.c index a0d01aea28f7..9d52d83161ed 100644 --- a/drivers/scsi/fnic/fnic_trace.c +++ b/drivers/scsi/fnic/fnic_trace.c @@ -138,7 +138,7 @@ int fnic_get_trace_data(fnic_dbgfs_t *fnic_dbgfs_prt) * Dump trace buffer entry to memory file * and increment read index @rd_idx */ - len += snprintf(fnic_dbgfs_prt->buffer + len, + len += scnprintf(fnic_dbgfs_prt->buffer + len, (trace_max_pages * PAGE_SIZE * 3) - len, "%16llu.%09lu %-50s %8x %8x %16llx %16llx " "%16llx %16llx %16llx\n", (u64)val.tv_sec, @@ -180,7 +180,7 @@ int fnic_get_trace_data(fnic_dbgfs_t *fnic_dbgfs_prt) * Dump trace buffer entry to memory file * and increment read index @rd_idx */ - len += snprintf(fnic_dbgfs_prt->buffer + len, + len += scnprintf(fnic_dbgfs_prt->buffer + len, (trace_max_pages * PAGE_SIZE * 3) - len, "%16llu.%09lu %-50s %8x %8x %16llx %16llx " "%16llx %16llx %16llx\n", (u64)val.tv_sec, @@ -220,12 +220,12 @@ int fnic_get_stats_data(struct stats_debug_info *debug, struct timespec64 val1, val2; ktime_get_real_ts64(&val1); - len = snprintf(debug->debug_buffer + len, buf_size - len, + len = scnprintf(debug->debug_buffer + len, buf_size - len, "------------------------------------------\n" "\t\tTime\n" "------------------------------------------\n"); - len += snprintf(debug->debug_buffer + len, buf_size - len, + len += scnprintf(debug->debug_buffer + len, buf_size - len, "Current time : [%lld:%ld]\n" "Last stats reset time: [%lld:%09ld]\n" "Last stats read time: [%lld:%ld]\n" @@ -243,11 +243,11 @@ int fnic_get_stats_data(struct stats_debug_info *debug, stats->stats_timestamps.last_read_time = val1; - len += snprintf(debug->debug_buffer + len, buf_size - len, + len += scnprintf(debug->debug_buffer + len, buf_size - len, "------------------------------------------\n" "\t\tIO Statistics\n" "------------------------------------------\n"); - len += snprintf(debug->debug_buffer + len, buf_size - len, + len += scnprintf(debug->debug_buffer + len, buf_size - len, "Number of Active IOs: %lld\nMaximum Active IOs: %lld\n" "Number of IOs: %lld\nNumber of IO Completions: %lld\n" "Number of IO Failures: %lld\nNumber of IO NOT Found: %lld\n" @@ -280,16 +280,16 @@ int fnic_get_stats_data(struct stats_debug_info *debug, (u64)atomic64_read(&stats->io_stats.io_btw_10000_to_30000_msec), (u64)atomic64_read(&stats->io_stats.io_greater_than_30000_msec)); - len += snprintf(debug->debug_buffer + len, buf_size - len, + len += scnprintf(debug->debug_buffer + len, buf_size - len, "\nCurrent Max IO time : %lld\n", (u64)atomic64_read(&stats->io_stats.current_max_io_time)); - len += snprintf(debug->debug_buffer + len, buf_size - len, + len += scnprintf(debug->debug_buffer + len, buf_size - len, "\n------------------------------------------\n" "\t\tAbort Statistics\n" "------------------------------------------\n"); - len += snprintf(debug->debug_buffer + len, buf_size - len, + len += scnprintf(debug->debug_buffer + len, buf_size - len, "Number of Aborts: %lld\n" "Number of Abort Failures: %lld\n" "Number of Abort Driver Timeouts: %lld\n" @@ -318,12 +318,12 @@ int fnic_get_stats_data(struct stats_debug_info *debug, (u64)atomic64_read(&stats->abts_stats.abort_issued_btw_50_to_60_sec), (u64)atomic64_read(&stats->abts_stats.abort_issued_greater_than_60_sec)); - len += snprintf(debug->debug_buffer + len, buf_size - len, + len += scnprintf(debug->debug_buffer + len, buf_size - len, "\n------------------------------------------\n" "\t\tTerminate Statistics\n" "------------------------------------------\n"); - len += snprintf(debug->debug_buffer + len, buf_size - len, + len += scnprintf(debug->debug_buffer + len, buf_size - len, "Number of Terminates: %lld\n" "Maximum Terminates: %lld\n" "Number of Terminate Driver Timeouts: %lld\n" @@ -337,12 +337,12 @@ int fnic_get_stats_data(struct stats_debug_info *debug, (u64)atomic64_read(&stats->term_stats.terminate_io_not_found), (u64)atomic64_read(&stats->term_stats.terminate_failures)); - len += snprintf(debug->debug_buffer + len, buf_size - len, + len += scnprintf(debug->debug_buffer + len, buf_size - len, "\n------------------------------------------\n" "\t\tReset Statistics\n" "------------------------------------------\n"); - len += snprintf(debug->debug_buffer + len, buf_size - len, + len += scnprintf(debug->debug_buffer + len, buf_size - len, "Number of Device Resets: %lld\n" "Number of Device Reset Failures: %lld\n" "Number of Device Reset Aborts: %lld\n" @@ -368,12 +368,12 @@ int fnic_get_stats_data(struct stats_debug_info *debug, &stats->reset_stats.fnic_reset_completions), (u64)atomic64_read(&stats->reset_stats.fnic_reset_failures)); - len += snprintf(debug->debug_buffer + len, buf_size - len, + len += scnprintf(debug->debug_buffer + len, buf_size - len, "\n------------------------------------------\n" "\t\tFirmware Statistics\n" "------------------------------------------\n"); - len += snprintf(debug->debug_buffer + len, buf_size - len, + len += scnprintf(debug->debug_buffer + len, buf_size - len, "Number of Active FW Requests %lld\n" "Maximum FW Requests: %lld\n" "Number of FW out of resources: %lld\n" @@ -383,12 +383,12 @@ int fnic_get_stats_data(struct stats_debug_info *debug, (u64)atomic64_read(&stats->fw_stats.fw_out_of_resources), (u64)atomic64_read(&stats->fw_stats.io_fw_errs)); - len += snprintf(debug->debug_buffer + len, buf_size - len, + len += scnprintf(debug->debug_buffer + len, buf_size - len, "\n------------------------------------------\n" "\t\tVlan Discovery Statistics\n" "------------------------------------------\n"); - len += snprintf(debug->debug_buffer + len, buf_size - len, + len += scnprintf(debug->debug_buffer + len, buf_size - len, "Number of Vlan Discovery Requests Sent %lld\n" "Vlan Response Received with no FCF VLAN ID: %lld\n" "No solicitations recvd after vlan set, expiry count: %lld\n" @@ -398,7 +398,7 @@ int fnic_get_stats_data(struct stats_debug_info *debug, (u64)atomic64_read(&stats->vlan_stats.sol_expiry_count), (u64)atomic64_read(&stats->vlan_stats.flogi_rejects)); - len += snprintf(debug->debug_buffer + len, buf_size - len, + len += scnprintf(debug->debug_buffer + len, buf_size - len, "\n------------------------------------------\n" "\t\tOther Important Statistics\n" "------------------------------------------\n"); @@ -406,7 +406,7 @@ int fnic_get_stats_data(struct stats_debug_info *debug, jiffies_to_timespec64(stats->misc_stats.last_isr_time, &val1); jiffies_to_timespec64(stats->misc_stats.last_ack_time, &val2); - len += snprintf(debug->debug_buffer + len, buf_size - len, + len += scnprintf(debug->debug_buffer + len, buf_size - len, "Last ISR time: %llu (%8llu.%09lu)\n" "Last ACK time: %llu (%8llu.%09lu)\n" "Max ISR jiffies: %llu\n" @@ -452,7 +452,7 @@ int fnic_get_stats_data(struct stats_debug_info *debug, (u64)atomic64_read(&stats->misc_stats.rport_not_ready), (u64)atomic64_read(&stats->misc_stats.frame_errors)); - len += snprintf(debug->debug_buffer + len, buf_size - len, + len += scnprintf(debug->debug_buffer + len, buf_size - len, "Firmware reported port speed: %llu\n", (u64)atomic64_read( &stats->misc_stats.current_port_speed)); @@ -742,7 +742,7 @@ int fnic_fc_trace_get_data(fnic_dbgfs_t *fnic_dbgfs_prt, u8 rdata_flag) rd_idx = fc_trace_entries.rd_idx; wr_idx = fc_trace_entries.wr_idx; if (rdata_flag == 0) { - len += snprintf(fnic_dbgfs_prt->buffer + len, + len += scnprintf(fnic_dbgfs_prt->buffer + len, (fnic_fc_trace_max_pages * PAGE_SIZE * 3) - len, "Time Stamp (UTC)\t\t" "Host No: F Type: len: FCoE_FRAME:\n"); @@ -762,11 +762,11 @@ int fnic_fc_trace_get_data(fnic_dbgfs_t *fnic_dbgfs_prt, u8 rdata_flag) } else { fc_trace = (char *)tdata; for (j = 0; j < FC_TRC_SIZE_BYTES; j++) { - len += snprintf(fnic_dbgfs_prt->buffer + len, + len += scnprintf(fnic_dbgfs_prt->buffer + len, (fnic_fc_trace_max_pages * PAGE_SIZE * 3) - len, "%02x", fc_trace[j] & 0xff); } /* for loop */ - len += snprintf(fnic_dbgfs_prt->buffer + len, + len += scnprintf(fnic_dbgfs_prt->buffer + len, (fnic_fc_trace_max_pages * PAGE_SIZE * 3) - len, "\n"); } @@ -810,7 +810,7 @@ void copy_and_format_trace_data(struct fc_trace_hdr *tdata, time64_to_tm(tdata->time_stamp.tv_sec, 0, &tm); fmt = "%02d:%02d:%04ld %02d:%02d:%02d.%09lu ns%8x %c%8x\t"; - len += snprintf(fnic_dbgfs_prt->buffer + len, + len += scnprintf(fnic_dbgfs_prt->buffer + len, max_size - len, fmt, tm.tm_mon + 1, tm.tm_mday, tm.tm_year + 1900, @@ -823,25 +823,25 @@ void copy_and_format_trace_data(struct fc_trace_hdr *tdata, for (j = 0; j < min_t(u8, tdata->frame_len, (u8)(FC_TRC_SIZE_BYTES - FC_TRC_HEADER_SIZE)); j++) { if (tdata->frame_type == FNIC_FC_LE) { - len += snprintf(fnic_dbgfs_prt->buffer + len, + len += scnprintf(fnic_dbgfs_prt->buffer + len, max_size - len, "%c", fc_trace[j]); } else { - len += snprintf(fnic_dbgfs_prt->buffer + len, + len += scnprintf(fnic_dbgfs_prt->buffer + len, max_size - len, "%02x", fc_trace[j] & 0xff); - len += snprintf(fnic_dbgfs_prt->buffer + len, + len += scnprintf(fnic_dbgfs_prt->buffer + len, max_size - len, " "); if (j == ethhdr_len || j == ethhdr_len + fcoehdr_len || j == ethhdr_len + fcoehdr_len + fchdr_len || (i > 3 && j%fchdr_len == 0)) { - len += snprintf(fnic_dbgfs_prt->buffer + len += scnprintf(fnic_dbgfs_prt->buffer + len, max_size - len, "\n\t\t\t\t\t\t\t\t"); i++; } } /* end of else*/ } /* End of for loop*/ - len += snprintf(fnic_dbgfs_prt->buffer + len, + len += scnprintf(fnic_dbgfs_prt->buffer + len, max_size - len, "\n"); *orig_len = len; } From patchwork Wed Mar 11 09:16:26 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Takashi Iwai X-Patchwork-Id: 11431193 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id C992818EC for ; Wed, 11 Mar 2020 09:16:41 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id AFDFD2146E for ; Wed, 11 Mar 2020 09:16:41 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728712AbgCKJQl (ORCPT ); Wed, 11 Mar 2020 05:16:41 -0400 Received: from mx2.suse.de ([195.135.220.15]:47860 "EHLO mx2.suse.de" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1728651AbgCKJQk (ORCPT ); Wed, 11 Mar 2020 05:16:40 -0400 X-Virus-Scanned: by amavisd-new at test-mx.suse.de Received: from relay2.suse.de (unknown [195.135.220.254]) by mx2.suse.de (Postfix) with ESMTP id 1BBBDAD82; Wed, 11 Mar 2020 09:16:37 +0000 (UTC) From: Takashi Iwai To: "James E . J . Bottomley" , "Martin K . Petersen" Cc: linux-scsi@vger.kernel.org, Achim Leubner Subject: [PATCH 4/8] scsi: gdth: Use scnprintf() for avoiding potential buffer overflow Date: Wed, 11 Mar 2020 10:16:26 +0100 Message-Id: <20200311091630.22565-5-tiwai@suse.de> X-Mailer: git-send-email 2.16.4 In-Reply-To: <20200311091630.22565-1-tiwai@suse.de> References: <20200311091630.22565-1-tiwai@suse.de> Sender: linux-scsi-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-scsi@vger.kernel.org Since snprintf() returns the would-be-output size instead of the actual output size, the succeeding calls may go beyond the given buffer limit. Fix it by replacing with scnprintf(). Cc: Achim Leubner Signed-off-by: Takashi Iwai --- drivers/scsi/gdth_proc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/scsi/gdth_proc.c b/drivers/scsi/gdth_proc.c index 381d849726ac..34149842cf1c 100644 --- a/drivers/scsi/gdth_proc.c +++ b/drivers/scsi/gdth_proc.c @@ -193,7 +193,7 @@ int gdth_show_info(struct seq_file *m, struct Scsi_Host *host) for (i = 1; i < MAX_RES_ARGS; i++) { if (reserve_list[i] == 0xff) break; - hlen += snprintf(hrec + hlen , 161 - hlen, ",%d", reserve_list[i]); + hlen += scnprintf(hrec + hlen , 161 - hlen, ",%d", reserve_list[i]); } } seq_printf(m, From patchwork Wed Mar 11 09:16:27 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Takashi Iwai X-Patchwork-Id: 11431191 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 9206818E8 for ; Wed, 11 Mar 2020 09:16:41 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id 7C80E21655 for ; Wed, 11 Mar 2020 09:16:41 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728739AbgCKJQk (ORCPT ); Wed, 11 Mar 2020 05:16:40 -0400 Received: from mx2.suse.de ([195.135.220.15]:47778 "EHLO mx2.suse.de" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726097AbgCKJQj (ORCPT ); Wed, 11 Mar 2020 05:16:39 -0400 X-Virus-Scanned: by amavisd-new at test-mx.suse.de Received: from relay2.suse.de (unknown [195.135.220.254]) by mx2.suse.de (Postfix) with ESMTP id 9F377AB3D; Wed, 11 Mar 2020 09:16:37 +0000 (UTC) From: Takashi Iwai To: "James E . J . Bottomley" , "Martin K . Petersen" Cc: linux-scsi@vger.kernel.org, Brian King Subject: [PATCH 5/8] scsi: ipr: Use scnprintf() for avoiding potential buffer overflow Date: Wed, 11 Mar 2020 10:16:27 +0100 Message-Id: <20200311091630.22565-6-tiwai@suse.de> X-Mailer: git-send-email 2.16.4 In-Reply-To: <20200311091630.22565-1-tiwai@suse.de> References: <20200311091630.22565-1-tiwai@suse.de> Sender: linux-scsi-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-scsi@vger.kernel.org Since snprintf() returns the would-be-output size instead of the actual output size, the succeeding calls may go beyond the given buffer limit. Fix it by replacing with scnprintf(). Cc: Brian King Signed-off-by: Takashi Iwai --- drivers/scsi/ipr.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/drivers/scsi/ipr.c b/drivers/scsi/ipr.c index ae45cbe98ae2..155832d54efa 100644 --- a/drivers/scsi/ipr.c +++ b/drivers/scsi/ipr.c @@ -1299,9 +1299,9 @@ static char *__ipr_format_res_path(u8 *res_path, char *buffer, int len) char *p = buffer; *p = '\0'; - p += snprintf(p, buffer + len - p, "%02X", res_path[0]); + p += scnprintf(p, buffer + len - p, "%02X", res_path[0]); for (i = 1; res_path[i] != 0xff && ((i * 3) < len); i++) - p += snprintf(p, buffer + len - p, "-%02X", res_path[i]); + p += scnprintf(p, buffer + len - p, "-%02X", res_path[i]); return buffer; } @@ -1322,7 +1322,7 @@ static char *ipr_format_res_path(struct ipr_ioa_cfg *ioa_cfg, char *p = buffer; *p = '\0'; - p += snprintf(p, buffer + len - p, "%d/", ioa_cfg->host->host_no); + p += scnprintf(p, buffer + len - p, "%d/", ioa_cfg->host->host_no); __ipr_format_res_path(res_path, p, len - (buffer - p)); return buffer; } From patchwork Wed Mar 11 09:16:28 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Takashi Iwai X-Patchwork-Id: 11431189 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 5ECED139A for ; Wed, 11 Mar 2020 09:16:41 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id 47EA820848 for ; Wed, 11 Mar 2020 09:16:41 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728741AbgCKJQk (ORCPT ); Wed, 11 Mar 2020 05:16:40 -0400 Received: from mx2.suse.de ([195.135.220.15]:47794 "EHLO mx2.suse.de" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1728671AbgCKJQj (ORCPT ); Wed, 11 Mar 2020 05:16:39 -0400 X-Virus-Scanned: by amavisd-new at test-mx.suse.de Received: from relay2.suse.de (unknown [195.135.220.254]) by mx2.suse.de (Postfix) with ESMTP id B5069ADEB; Wed, 11 Mar 2020 09:16:37 +0000 (UTC) From: Takashi Iwai To: "James E . J . Bottomley" , "Martin K . Petersen" Cc: linux-scsi@vger.kernel.org, Kashyap Desai , Sumit Saxena , Shivasharan S Subject: [PATCH 6/8] scsi: megaraid_sas: Use scnprintf() for avoiding potential buffer overflow Date: Wed, 11 Mar 2020 10:16:28 +0100 Message-Id: <20200311091630.22565-7-tiwai@suse.de> X-Mailer: git-send-email 2.16.4 In-Reply-To: <20200311091630.22565-1-tiwai@suse.de> References: <20200311091630.22565-1-tiwai@suse.de> Sender: linux-scsi-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-scsi@vger.kernel.org Since snprintf() returns the would-be-output size instead of the actual output size, the succeeding calls may go beyond the given buffer limit. Fix it by replacing with scnprintf(). Cc: Kashyap Desai Cc: Sumit Saxena Cc: Shivasharan S Signed-off-by: Takashi Iwai --- drivers/scsi/megaraid/megaraid_sas_base.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/drivers/scsi/megaraid/megaraid_sas_base.c b/drivers/scsi/megaraid/megaraid_sas_base.c index 5bebdd397580..c3554bb12071 100644 --- a/drivers/scsi/megaraid/megaraid_sas_base.c +++ b/drivers/scsi/megaraid/megaraid_sas_base.c @@ -2987,7 +2987,8 @@ megasas_dump_sys_regs(void __iomem *reg_set, char *buf) u32 __iomem *reg = (u32 __iomem *)reg_set; for (i = 0; i < sz / sizeof(u32); i++) { - bytes_wrote += snprintf(loc + bytes_wrote, PAGE_SIZE, + bytes_wrote += scnprintf(loc + bytes_wrote, + PAGE_SIZE - bytes_wrote, "%08x: %08x\n", (i * 4), readl(®[i])); } From patchwork Wed Mar 11 09:16:29 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Takashi Iwai X-Patchwork-Id: 11431185 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 78E71139A for ; Wed, 11 Mar 2020 09:16:40 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id 62D6621655 for ; Wed, 11 Mar 2020 09:16:40 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728726AbgCKJQk (ORCPT ); Wed, 11 Mar 2020 05:16:40 -0400 Received: from mx2.suse.de ([195.135.220.15]:47806 "EHLO mx2.suse.de" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1728673AbgCKJQj (ORCPT ); Wed, 11 Mar 2020 05:16:39 -0400 X-Virus-Scanned: by amavisd-new at test-mx.suse.de Received: from relay2.suse.de (unknown [195.135.220.254]) by mx2.suse.de (Postfix) with ESMTP id BC4E8AC1E; Wed, 11 Mar 2020 09:16:37 +0000 (UTC) From: Takashi Iwai To: "James E . J . Bottomley" , "Martin K . Petersen" Cc: linux-scsi@vger.kernel.org Subject: [PATCH 7/8] scsi: core: Use scnprintf() for avoiding potential buffer overflow Date: Wed, 11 Mar 2020 10:16:29 +0100 Message-Id: <20200311091630.22565-8-tiwai@suse.de> X-Mailer: git-send-email 2.16.4 In-Reply-To: <20200311091630.22565-1-tiwai@suse.de> References: <20200311091630.22565-1-tiwai@suse.de> Sender: linux-scsi-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-scsi@vger.kernel.org Since snprintf() returns the would-be-output size instead of the actual output size, the succeeding calls may go beyond the given buffer limit. Fix it by replacing with scnprintf(). Signed-off-by: Takashi Iwai Reviewed-by: Bart van Assche --- drivers/scsi/scsi_sysfs.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/drivers/scsi/scsi_sysfs.c b/drivers/scsi/scsi_sysfs.c index c3a30ba4ae08..6b3644246d3a 100644 --- a/drivers/scsi/scsi_sysfs.c +++ b/drivers/scsi/scsi_sysfs.c @@ -1045,14 +1045,14 @@ sdev_show_blacklist(struct device *dev, struct device_attribute *attr, name = sdev_bflags_name[i]; if (name) - len += snprintf(buf + len, PAGE_SIZE - len, + len += scnprintf(buf + len, PAGE_SIZE - len, "%s%s", len ? " " : "", name); else - len += snprintf(buf + len, PAGE_SIZE - len, + len += scnprintf(buf + len, PAGE_SIZE - len, "%sINVALID_BIT(%d)", len ? " " : "", i); } if (len) - len += snprintf(buf + len, PAGE_SIZE - len, "\n"); + len += scnprintf(buf + len, PAGE_SIZE - len, "\n"); return len; } static DEVICE_ATTR(blacklist, S_IRUGO, sdev_show_blacklist, NULL); From patchwork Wed Mar 11 09:16:30 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Takashi Iwai X-Patchwork-Id: 11431187 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 26E431800 for ; Wed, 11 Mar 2020 09:16:41 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id 1173F21655 for ; Wed, 11 Mar 2020 09:16:41 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728753AbgCKJQk (ORCPT ); Wed, 11 Mar 2020 05:16:40 -0400 Received: from mx2.suse.de ([195.135.220.15]:47814 "EHLO mx2.suse.de" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1728692AbgCKJQj (ORCPT ); Wed, 11 Mar 2020 05:16:39 -0400 X-Virus-Scanned: by amavisd-new at test-mx.suse.de Received: from relay2.suse.de (unknown [195.135.220.254]) by mx2.suse.de (Postfix) with ESMTP id D21FAAE63; Wed, 11 Mar 2020 09:16:37 +0000 (UTC) From: Takashi Iwai To: "James E . J . Bottomley" , "Martin K . Petersen" Cc: linux-scsi@vger.kernel.org, Don Brace Subject: [PATCH 8/8] scsi: smartpqi: Use scnprintf() for avoiding potential buffer overflow Date: Wed, 11 Mar 2020 10:16:30 +0100 Message-Id: <20200311091630.22565-9-tiwai@suse.de> X-Mailer: git-send-email 2.16.4 In-Reply-To: <20200311091630.22565-1-tiwai@suse.de> References: <20200311091630.22565-1-tiwai@suse.de> Sender: linux-scsi-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-scsi@vger.kernel.org Since snprintf() returns the would-be-output size instead of the actual output size, the succeeding calls may go beyond the given buffer limit. Fix it by replacing with scnprintf(). Cc: Don Brace Signed-off-by: Takashi Iwai --- drivers/scsi/smartpqi/smartpqi_init.c | 22 +++++++++++----------- 1 file changed, 11 insertions(+), 11 deletions(-) diff --git a/drivers/scsi/smartpqi/smartpqi_init.c b/drivers/scsi/smartpqi/smartpqi_init.c index b7492568e02f..cd157f11eb22 100644 --- a/drivers/scsi/smartpqi/smartpqi_init.c +++ b/drivers/scsi/smartpqi/smartpqi_init.c @@ -1614,28 +1614,28 @@ static void pqi_dev_info(struct pqi_ctrl_info *ctrl_info, "%d:%d:", ctrl_info->scsi_host->host_no, device->bus); if (device->target_lun_valid) - count += snprintf(buffer + count, + count += scnprintf(buffer + count, PQI_DEV_INFO_BUFFER_LENGTH - count, "%d:%d", device->target, device->lun); else - count += snprintf(buffer + count, + count += scnprintf(buffer + count, PQI_DEV_INFO_BUFFER_LENGTH - count, "-:-"); if (pqi_is_logical_device(device)) - count += snprintf(buffer + count, + count += scnprintf(buffer + count, PQI_DEV_INFO_BUFFER_LENGTH - count, " %08x%08x", *((u32 *)&device->scsi3addr), *((u32 *)&device->scsi3addr[4])); else - count += snprintf(buffer + count, + count += scnprintf(buffer + count, PQI_DEV_INFO_BUFFER_LENGTH - count, " %016llx", device->sas_address); - count += snprintf(buffer + count, PQI_DEV_INFO_BUFFER_LENGTH - count, + count += scnprintf(buffer + count, PQI_DEV_INFO_BUFFER_LENGTH - count, " %s %.8s %.16s ", pqi_device_type(device), device->vendor, @@ -1643,19 +1643,19 @@ static void pqi_dev_info(struct pqi_ctrl_info *ctrl_info, if (pqi_is_logical_device(device)) { if (device->devtype == TYPE_DISK) - count += snprintf(buffer + count, + count += scnprintf(buffer + count, PQI_DEV_INFO_BUFFER_LENGTH - count, "SSDSmartPathCap%c En%c %-12s", device->raid_bypass_configured ? '+' : '-', device->raid_bypass_enabled ? '+' : '-', pqi_raid_level_to_string(device->raid_level)); } else { - count += snprintf(buffer + count, + count += scnprintf(buffer + count, PQI_DEV_INFO_BUFFER_LENGTH - count, "AIO%c", device->aio_enabled ? '+' : '-'); if (device->devtype == TYPE_DISK || device->devtype == TYPE_ZBC) - count += snprintf(buffer + count, + count += scnprintf(buffer + count, PQI_DEV_INFO_BUFFER_LENGTH - count, " qd=%-6d", device->queue_depth); } @@ -6191,14 +6191,14 @@ static ssize_t pqi_lockup_action_show(struct device *dev, for (i = 0; i < ARRAY_SIZE(pqi_lockup_actions); i++) { if (pqi_lockup_actions[i].action == pqi_lockup_action) - count += snprintf(buffer + count, PAGE_SIZE - count, + count += scnprintf(buffer + count, PAGE_SIZE - count, "[%s] ", pqi_lockup_actions[i].name); else - count += snprintf(buffer + count, PAGE_SIZE - count, + count += scnprintf(buffer + count, PAGE_SIZE - count, "%s ", pqi_lockup_actions[i].name); } - count += snprintf(buffer + count, PAGE_SIZE - count, "\n"); + count += scnprintf(buffer + count, PAGE_SIZE - count, "\n"); return count; }