From patchwork Sun Mar 15 09:42:34 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Takashi Iwai X-Patchwork-Id: 11438775 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 6788B92A for ; Sun, 15 Mar 2020 09:42:47 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id 44B61206EB for ; Sun, 15 Mar 2020 09:42:47 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728137AbgCOJmr (ORCPT ); Sun, 15 Mar 2020 05:42:47 -0400 Received: from mx2.suse.de ([195.135.220.15]:58074 "EHLO mx2.suse.de" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726521AbgCOJmq (ORCPT ); Sun, 15 Mar 2020 05:42:46 -0400 X-Virus-Scanned: by amavisd-new at test-mx.suse.de Received: from relay2.suse.de (unknown [195.135.220.254]) by mx2.suse.de (Postfix) with ESMTP id EC0CFACA4; Sun, 15 Mar 2020 09:42:44 +0000 (UTC) From: Takashi Iwai To: linux-scsi@vger.kernel.org Cc: "James E . J . Bottomley" , "Martin K . Petersen" , Adaptec OEM Raid Solutions Subject: [PATCH v2 1/8] scsi: aacraid: Use scnprintf() for avoiding potential buffer overflow Date: Sun, 15 Mar 2020 10:42:34 +0100 Message-Id: <20200315094241.9086-2-tiwai@suse.de> X-Mailer: git-send-email 2.16.4 In-Reply-To: <20200315094241.9086-1-tiwai@suse.de> References: <20200315094241.9086-1-tiwai@suse.de> Sender: linux-scsi-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-scsi@vger.kernel.org Since snprintf() returns the would-be-output size instead of the actual output size, the succeeding calls may go beyond the given buffer limit. Fix it by replacing with scnprintf(). Acked-by: Balsundar P Cc: "James E . J . Bottomley" Cc: "Martin K . Petersen" Cc: Adaptec OEM Raid Solutions Cc: linux-scsi@vger.kernel.org 
Signed-off-by: Takashi Iwai --- v1->v2: Align the remaining lines to the open parenthesis drivers/scsi/aacraid/linit.c | 17 +++++++++-------- 1 file changed, 9 insertions(+), 8 deletions(-) diff --git a/drivers/scsi/aacraid/linit.c b/drivers/scsi/aacraid/linit.c index b1d133de29ab..8b583eec25b5 100644 --- a/drivers/scsi/aacraid/linit.c +++ b/drivers/scsi/aacraid/linit.c 
@@ -1287,20 +1287,21 @@ static ssize_t aac_show_flags(struct device *cdev, if (nblank(dprintk(x))) len = snprintf(buf, PAGE_SIZE, "dprintk\n"); #ifdef AAC_DETAILED_STATUS_INFO - len += snprintf(buf + len, PAGE_SIZE - len, - "AAC_DETAILED_STATUS_INFO\n"); + len += scnprintf(buf + len, PAGE_SIZE - len, + "AAC_DETAILED_STATUS_INFO\n"); #endif if (dev->raw_io_interface && dev->raw_io_64) - len += snprintf(buf + len, PAGE_SIZE - len, - "SAI_READ_CAPACITY_16\n"); + len += scnprintf(buf + len, PAGE_SIZE - len, + "SAI_READ_CAPACITY_16\n"); if (dev->jbod) - len += snprintf(buf + len, PAGE_SIZE - len, "SUPPORTED_JBOD\n"); + len += scnprintf(buf + len, PAGE_SIZE - len, + "SUPPORTED_JBOD\n"); if (dev->supplement_adapter_info.supported_options2 & AAC_OPTION_POWER_MANAGEMENT) - len += snprintf(buf + len, PAGE_SIZE - len, - "SUPPORTED_POWER_MANAGEMENT\n"); + len += scnprintf(buf + len, PAGE_SIZE - len, + "SUPPORTED_POWER_MANAGEMENT\n"); if (dev->msi) - len += snprintf(buf + len, PAGE_SIZE - len, "PCI_HAS_MSI\n"); + len += scnprintf(buf + len, PAGE_SIZE - len, "PCI_HAS_MSI\n"); return len; } From patchwork Sun Mar 15 09:42:35 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Takashi Iwai X-Patchwork-Id: 11438777 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id C772A13B1 for ; Sun, 15 Mar 2020 09:42:47 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id A7696206EB for ; Sun, 15 Mar 2020 09:42:47 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728138AbgCOJmr (ORCPT ); Sun, 15 Mar 2020 05:42:47 -0400 Received: from mx2.suse.de ([195.135.220.15]:58084 "EHLO mx2.suse.de" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1728123AbgCOJmq (ORCPT ); Sun, 15 Mar 2020 05:42:46 -0400 
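Review bot: The first call in the chain, `len = snprintf(buf, PAGE_SIZE, "dprintk\n");`, is left as snprintf() while every later append becomes scnprintf(). It cannot truncate here because the literal is short, but a mixed chain invites copying the wrong variant; `len = scnprintf(buf, PAGE_SIZE, "dprintk\n");` would keep the function uniform. The later appends also assume len is zero when the nblank() branch is not taken, and that initialisation is above the hunk, so it is worth confirming. On kernels that provide it, sysfs_emit_at() is the purpose-built helper for show callbacks like this one.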
X-Virus-Scanned: by amavisd-new at test-mx.suse.de Received: from relay2.suse.de (unknown [195.135.220.254]) by mx2.suse.de (Postfix) with ESMTP id 2FD3FACB5; Sun, 15 Mar 2020 09:42:45 +0000 (UTC) From: Takashi Iwai To: linux-scsi@vger.kernel.org Cc: "James E . J . Bottomley" , "Martin K . Petersen" , Subbu Seetharaman , Ketan Mukadam , Jitendra Bhivare Subject: [PATCH v2 2/8] scsi: be2iscsi: Use scnprintf() for avoiding potential buffer overflow Date: Sun, 15 Mar 2020 10:42:35 +0100 Message-Id: <20200315094241.9086-3-tiwai@suse.de> X-Mailer: git-send-email 2.16.4 In-Reply-To: <20200315094241.9086-1-tiwai@suse.de> References: <20200315094241.9086-1-tiwai@suse.de> Sender: linux-scsi-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-scsi@vger.kernel.org Since snprintf() returns the would-be-output size instead of the actual output size, the succeeding calls may go beyond the given buffer limit. Fix it by replacing with scnprintf(). Cc: "James E . J . Bottomley" Cc: "Martin K . Petersen" Cc: Subbu Seetharaman Cc: Ketan Mukadam Cc: Jitendra Bhivare Cc: linux-scsi@vger.kernel.org Signed-off-by: Takashi Iwai --- v1->v2: Align the remaining lines to the open parenthesis drivers/scsi/be2iscsi/be_mgmt.c | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/drivers/scsi/be2iscsi/be_mgmt.c b/drivers/scsi/be2iscsi/be_mgmt.c index d4febaadfaa3..a2d69b287c7b 100644 --- a/drivers/scsi/be2iscsi/be_mgmt.c +++ b/drivers/scsi/be2iscsi/be_mgmt.c 
@@ -1178,12 +1178,12 @@ beiscsi_active_session_disp(struct device *dev, struct device_attribute *attr, if (test_bit(ulp_num, (void *)&phba->fw_config.ulp_supported)) { avlbl_cids = BEISCSI_ULP_AVLBL_CID(phba, ulp_num); total_cids = BEISCSI_GET_CID_COUNT(phba, ulp_num); - len += snprintf(buf+len, PAGE_SIZE - len, - "ULP%d : %d\n", ulp_num, - (total_cids - avlbl_cids)); + len += scnprintf(buf+len, PAGE_SIZE - len, + "ULP%d : %d\n", ulp_num, + (total_cids - avlbl_cids)); } else - len += snprintf(buf+len, PAGE_SIZE - len, - "ULP%d : %d\n", ulp_num, 0); + len += scnprintf(buf+len, PAGE_SIZE - len, + "ULP%d : %d\n", ulp_num, 0); } return len; 
@@ -1208,12 +1208,12 @@ beiscsi_free_session_disp(struct device *dev, struct device_attribute *attr, for (ulp_num = 0; ulp_num < BEISCSI_ULP_COUNT; ulp_num++) { if (test_bit(ulp_num, (void *)&phba->fw_config.ulp_supported)) - len += snprintf(buf+len, PAGE_SIZE - len, - "ULP%d : %d\n", ulp_num, - BEISCSI_ULP_AVLBL_CID(phba, ulp_num)); + len += scnprintf(buf+len, PAGE_SIZE - len, + "ULP%d : %d\n", ulp_num, + BEISCSI_ULP_AVLBL_CID(phba, ulp_num)); else - len += snprintf(buf+len, PAGE_SIZE - len, - "ULP%d : %d\n", ulp_num, 0); + len += scnprintf(buf+len, PAGE_SIZE - len, + "ULP%d : %d\n", ulp_num, 0); } return len; From patchwork Sun Mar 15 09:42:36 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Takashi Iwai X-Patchwork-Id: 11438787 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id C41931392 for ; Sun, 15 Mar 2020 09:42:51 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id 9AE4A206EB for ; Sun, 15 Mar 2020 09:42:51 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728158AbgCOJmv (ORCPT ); Sun, 15 Mar 2020 05:42:51 -0400 Received: from mx2.suse.de ([195.135.220.15]:58100 "EHLO mx2.suse.de" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1728133AbgCOJmu (ORCPT ); Sun, 15 Mar 2020 05:42:50 -0400 X-Virus-Scanned: by amavisd-new at test-mx.suse.de Received: from relay2.suse.de (unknown [195.135.220.254]) by mx2.suse.de (Postfix) with ESMTP id 6EED5ACC3; Sun, 15 Mar 2020 09:42:45 +0000 (UTC) 
From: Takashi Iwai To: linux-scsi@vger.kernel.org Cc: "James E . J . Bottomley" , "Martin K . Petersen" , Satish Kharat , Sesidhar Baddela , Karan Tilak Kumar Subject: [PATCH v2 3/8] scsi: fnic: Use scnprintf() for avoiding potential buffer overflow Date: Sun, 15 Mar 2020 10:42:36 +0100 Message-Id: <20200315094241.9086-4-tiwai@suse.de> X-Mailer: git-send-email 2.16.4 In-Reply-To: <20200315094241.9086-1-tiwai@suse.de> References: <20200315094241.9086-1-tiwai@suse.de> Sender: linux-scsi-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-scsi@vger.kernel.org Since snprintf() returns the would-be-output size instead of the actual output size, the succeeding calls may go beyond the given buffer limit. Fix it by replacing with scnprintf(). Cc: "James E . J . Bottomley" Cc: "Martin K . Petersen" Cc: Satish Kharat Cc: Sesidhar Baddela Cc: Karan Tilak Kumar Cc: linux-scsi@vger.kernel.org Signed-off-by: Takashi Iwai --- v1->v2: no change drivers/scsi/fnic/fnic_trace.c | 58 +++++++++++++++++++++--------------------- 1 file changed, 29 insertions(+), 29 deletions(-) diff --git a/drivers/scsi/fnic/fnic_trace.c b/drivers/scsi/fnic/fnic_trace.c index a0d01aea28f7..9d52d83161ed 100644 --- a/drivers/scsi/fnic/fnic_trace.c +++ b/drivers/scsi/fnic/fnic_trace.c @@ -138,7 +138,7 @@ int fnic_get_trace_data(fnic_dbgfs_t *fnic_dbgfs_prt) * Dump trace buffer entry to memory file * and increment read index @rd_idx */ - len += snprintf(fnic_dbgfs_prt->buffer + len, + len += scnprintf(fnic_dbgfs_prt->buffer + len, (trace_max_pages * PAGE_SIZE * 3) - len, "%16llu.%09lu %-50s %8x %8x %16llx %16llx " "%16llx %16llx %16llx\n", (u64)val.tv_sec, 
@@ -180,7 +180,7 @@ int fnic_get_trace_data(fnic_dbgfs_t *fnic_dbgfs_prt) * Dump trace buffer entry to memory file * and increment read index @rd_idx */ - len += snprintf(fnic_dbgfs_prt->buffer + len, + len += scnprintf(fnic_dbgfs_prt->buffer + len, (trace_max_pages * PAGE_SIZE * 3) - len, "%16llu.%09lu %-50s %8x %8x %16llx %16llx " "%16llx %16llx %16llx\n", (u64)val.tv_sec, @@ -220,12 +220,12 @@ int fnic_get_stats_data(struct stats_debug_info *debug, struct timespec64 val1, val2; ktime_get_real_ts64(&val1); - len = snprintf(debug->debug_buffer + len, buf_size - len, + len = scnprintf(debug->debug_buffer + len, buf_size - len, "------------------------------------------\n" "\t\tTime\n" "------------------------------------------\n"); - len += snprintf(debug->debug_buffer + len, buf_size - len, + len += scnprintf(debug->debug_buffer + len, buf_size - len, "Current time : [%lld:%ld]\n" "Last stats reset time: [%lld:%09ld]\n" "Last stats read time: [%lld:%ld]\n" @@ -243,11 +243,11 @@ int fnic_get_stats_data(struct stats_debug_info *debug, stats->stats_timestamps.last_read_time = val1; - len += snprintf(debug->debug_buffer + len, buf_size - len, + len += scnprintf(debug->debug_buffer + len, buf_size - len, "------------------------------------------\n" "\t\tIO Statistics\n" "------------------------------------------\n"); - len += snprintf(debug->debug_buffer + len, buf_size - len, + len += scnprintf(debug->debug_buffer + len, buf_size - len, "Number of Active IOs: %lld\nMaximum Active IOs: %lld\n" "Number of IOs: %lld\nNumber of IO Completions: %lld\n" "Number of IO Failures: %lld\nNumber of IO NOT Found: %lld\n" 
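Review bot: In the fnic_get_stats_data hunk the first call is written `len = scnprintf(debug->debug_buffer + len, buf_size - len,`, which reads len while assigning it. That is correct only if len is zero at that point, and its declaration is above the hunk. Writing `len = scnprintf(debug->debug_buffer, buf_size,` makes the start of the accumulation explicit and removes the dependency. As a smaller point, the counters in these format strings are cast to u64 but printed with `%lld`; `%llu` would match the argument type.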
@@ -280,16 +280,16 @@ int fnic_get_stats_data(struct stats_debug_info *debug, (u64)atomic64_read(&stats->io_stats.io_btw_10000_to_30000_msec), (u64)atomic64_read(&stats->io_stats.io_greater_than_30000_msec)); - len += snprintf(debug->debug_buffer + len, buf_size - len, + len += scnprintf(debug->debug_buffer + len, buf_size - len, "\nCurrent Max IO time : %lld\n", (u64)atomic64_read(&stats->io_stats.current_max_io_time)); - len += snprintf(debug->debug_buffer + len, buf_size - len, + len += scnprintf(debug->debug_buffer + len, buf_size - len, "\n------------------------------------------\n" "\t\tAbort Statistics\n" "------------------------------------------\n"); - len += snprintf(debug->debug_buffer + len, buf_size - len, + len += scnprintf(debug->debug_buffer + len, buf_size - len, "Number of Aborts: %lld\n" "Number of Abort Failures: %lld\n" "Number of Abort Driver Timeouts: %lld\n" @@ -318,12 +318,12 @@ int fnic_get_stats_data(struct stats_debug_info *debug, (u64)atomic64_read(&stats->abts_stats.abort_issued_btw_50_to_60_sec), (u64)atomic64_read(&stats->abts_stats.abort_issued_greater_than_60_sec)); - len += snprintf(debug->debug_buffer + len, buf_size - len, + len += scnprintf(debug->debug_buffer + len, buf_size - len, "\n------------------------------------------\n" "\t\tTerminate Statistics\n" "------------------------------------------\n"); - len += snprintf(debug->debug_buffer + len, buf_size - len, + len += scnprintf(debug->debug_buffer + len, buf_size - len, "Number of Terminates: %lld\n" "Maximum Terminates: %lld\n" "Number of Terminate Driver Timeouts: %lld\n" 
@@ -337,12 +337,12 @@ int fnic_get_stats_data(struct stats_debug_info *debug, (u64)atomic64_read(&stats->term_stats.terminate_io_not_found), (u64)atomic64_read(&stats->term_stats.terminate_failures)); - len += snprintf(debug->debug_buffer + len, buf_size - len, + len += scnprintf(debug->debug_buffer + len, buf_size - len, "\n------------------------------------------\n" "\t\tReset Statistics\n" "------------------------------------------\n"); - len += snprintf(debug->debug_buffer + len, buf_size - len, + len += scnprintf(debug->debug_buffer + len, buf_size - len, "Number of Device Resets: %lld\n" "Number of Device Reset Failures: %lld\n" "Number of Device Reset Aborts: %lld\n" @@ -368,12 +368,12 @@ int fnic_get_stats_data(struct stats_debug_info *debug, &stats->reset_stats.fnic_reset_completions), (u64)atomic64_read(&stats->reset_stats.fnic_reset_failures)); - len += snprintf(debug->debug_buffer + len, buf_size - len, + len += scnprintf(debug->debug_buffer + len, buf_size - len, "\n------------------------------------------\n" "\t\tFirmware Statistics\n" "------------------------------------------\n"); - len += snprintf(debug->debug_buffer + len, buf_size - len, + len += scnprintf(debug->debug_buffer + len, buf_size - len, "Number of Active FW Requests %lld\n" "Maximum FW Requests: %lld\n" "Number of FW out of resources: %lld\n" 
@@ -383,12 +383,12 @@ int fnic_get_stats_data(struct stats_debug_info *debug, (u64)atomic64_read(&stats->fw_stats.fw_out_of_resources), (u64)atomic64_read(&stats->fw_stats.io_fw_errs)); - len += snprintf(debug->debug_buffer + len, buf_size - len, + len += scnprintf(debug->debug_buffer + len, buf_size - len, "\n------------------------------------------\n" "\t\tVlan Discovery Statistics\n" "------------------------------------------\n"); - len += snprintf(debug->debug_buffer + len, buf_size - len, + len += scnprintf(debug->debug_buffer + len, buf_size - len, "Number of Vlan Discovery Requests Sent %lld\n" "Vlan Response Received with no FCF VLAN ID: %lld\n" "No solicitations recvd after vlan set, expiry count: %lld\n" @@ -398,7 +398,7 @@ int fnic_get_stats_data(struct stats_debug_info *debug, (u64)atomic64_read(&stats->vlan_stats.sol_expiry_count), (u64)atomic64_read(&stats->vlan_stats.flogi_rejects)); - len += snprintf(debug->debug_buffer + len, buf_size - len, + len += scnprintf(debug->debug_buffer + len, buf_size - len, "\n------------------------------------------\n" "\t\tOther Important Statistics\n" "------------------------------------------\n"); @@ -406,7 +406,7 @@ int fnic_get_stats_data(struct stats_debug_info *debug, jiffies_to_timespec64(stats->misc_stats.last_isr_time, &val1); jiffies_to_timespec64(stats->misc_stats.last_ack_time, &val2); - len += snprintf(debug->debug_buffer + len, buf_size - len, + len += scnprintf(debug->debug_buffer + len, buf_size - len, "Last ISR time: %llu (%8llu.%09lu)\n" "Last ACK time: %llu (%8llu.%09lu)\n" "Max ISR jiffies: %llu\n" 
@@ -452,7 +452,7 @@ int fnic_get_stats_data(struct stats_debug_info *debug, (u64)atomic64_read(&stats->misc_stats.rport_not_ready), (u64)atomic64_read(&stats->misc_stats.frame_errors)); - len += snprintf(debug->debug_buffer + len, buf_size - len, + len += scnprintf(debug->debug_buffer + len, buf_size - len, "Firmware reported port speed: %llu\n", (u64)atomic64_read( &stats->misc_stats.current_port_speed)); @@ -742,7 +742,7 @@ int fnic_fc_trace_get_data(fnic_dbgfs_t *fnic_dbgfs_prt, u8 rdata_flag) rd_idx = fc_trace_entries.rd_idx; wr_idx = fc_trace_entries.wr_idx; if (rdata_flag == 0) { - len += snprintf(fnic_dbgfs_prt->buffer + len, + len += scnprintf(fnic_dbgfs_prt->buffer + len, (fnic_fc_trace_max_pages * PAGE_SIZE * 3) - len, "Time Stamp (UTC)\t\t" "Host No: F Type: len: FCoE_FRAME:\n"); @@ -762,11 +762,11 @@ int fnic_fc_trace_get_data(fnic_dbgfs_t *fnic_dbgfs_prt, u8 rdata_flag) } else { fc_trace = (char *)tdata; for (j = 0; j < FC_TRC_SIZE_BYTES; j++) { - len += snprintf(fnic_dbgfs_prt->buffer + len, + len += scnprintf(fnic_dbgfs_prt->buffer + len, (fnic_fc_trace_max_pages * PAGE_SIZE * 3) - len, "%02x", fc_trace[j] & 0xff); } /* for loop */ - len += snprintf(fnic_dbgfs_prt->buffer + len, + len += scnprintf(fnic_dbgfs_prt->buffer + len, (fnic_fc_trace_max_pages * PAGE_SIZE * 3) - len, "\n"); } @@ -810,7 +810,7 @@ void copy_and_format_trace_data(struct fc_trace_hdr *tdata, time64_to_tm(tdata->time_stamp.tv_sec, 0, &tm); fmt = "%02d:%02d:%04ld %02d:%02d:%02d.%09lu ns%8x %c%8x\t"; - len += snprintf(fnic_dbgfs_prt->buffer + len, + len += scnprintf(fnic_dbgfs_prt->buffer + len, max_size - len, fmt, tm.tm_mon + 1, tm.tm_mday, tm.tm_year + 1900, 
@@ -823,25 +823,25 @@ void copy_and_format_trace_data(struct fc_trace_hdr *tdata, for (j = 0; j < min_t(u8, tdata->frame_len, (u8)(FC_TRC_SIZE_BYTES - FC_TRC_HEADER_SIZE)); j++) { if (tdata->frame_type == FNIC_FC_LE) { - len += snprintf(fnic_dbgfs_prt->buffer + len, + len += scnprintf(fnic_dbgfs_prt->buffer + len, max_size - len, "%c", fc_trace[j]); } else { - len += snprintf(fnic_dbgfs_prt->buffer + len, + len += scnprintf(fnic_dbgfs_prt->buffer + len, max_size - len, "%02x", fc_trace[j] & 0xff); - len += snprintf(fnic_dbgfs_prt->buffer + len, + len += scnprintf(fnic_dbgfs_prt->buffer + len, max_size - len, " "); if (j == ethhdr_len || j == ethhdr_len + fcoehdr_len || j == ethhdr_len + fcoehdr_len + fchdr_len || (i > 3 && j%fchdr_len == 0)) { - len += snprintf(fnic_dbgfs_prt->buffer + len += scnprintf(fnic_dbgfs_prt->buffer + len, max_size - len, "\n\t\t\t\t\t\t\t\t"); i++; } } /* end of else*/ } /* End of for loop*/ - len += snprintf(fnic_dbgfs_prt->buffer + len, + len += scnprintf(fnic_dbgfs_prt->buffer + len, max_size - len, "\n"); *orig_len = len; } From patchwork Sun Mar 15 09:42:37 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Takashi Iwai X-Patchwork-Id: 11438789 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 0C35F92A for ; Sun, 15 Mar 2020 09:42:53 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id EA41E206E9 for ; Sun, 15 Mar 2020 09:42:52 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728160AbgCOJmw (ORCPT ); Sun, 15 Mar 2020 05:42:52 -0400 Received: from mx2.suse.de ([195.135.220.15]:58190 "EHLO mx2.suse.de" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1728133AbgCOJmw (ORCPT ); Sun, 15 Mar 2020 05:42:52 -0400 X-Virus-Scanned: by amavisd-new 
at test-mx.suse.de Received: from relay2.suse.de (unknown [195.135.220.254]) by mx2.suse.de (Postfix) with ESMTP id 1504EACB5; Sun, 15 Mar 2020 09:42:47 +0000 (UTC) From: Takashi Iwai To: linux-scsi@vger.kernel.org Cc: "James E . J . Bottomley" , "Martin K . Petersen" , Achim Leubner Subject: [PATCH v2 4/8] scsi: gdth: Use scnprintf() for avoiding potential buffer overflow Date: Sun, 15 Mar 2020 10:42:37 +0100 Message-Id: <20200315094241.9086-5-tiwai@suse.de> X-Mailer: git-send-email 2.16.4 In-Reply-To: <20200315094241.9086-1-tiwai@suse.de> References: <20200315094241.9086-1-tiwai@suse.de> Sender: linux-scsi-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-scsi@vger.kernel.org Since snprintf() returns the would-be-output size instead of the actual output size, the succeeding calls may go beyond the given buffer limit. Fix it by replacing with scnprintf(). Cc: "James E . J . Bottomley" Cc: "Martin K . Petersen" Cc: Achim Leubner Cc: linux-scsi@vger.kernel.org Signed-off-by: Takashi Iwai --- v1->v2: no change drivers/scsi/gdth_proc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/scsi/gdth_proc.c b/drivers/scsi/gdth_proc.c index 381d849726ac..34149842cf1c 100644 --- a/drivers/scsi/gdth_proc.c +++ b/drivers/scsi/gdth_proc.c 
@@ -193,7 +193,7 @@ int gdth_show_info(struct seq_file *m, struct Scsi_Host *host) for (i = 1; i < MAX_RES_ARGS; i++) { if (reserve_list[i] == 0xff) break; - hlen += snprintf(hrec + hlen , 161 - hlen, ",%d", reserve_list[i]); + hlen += scnprintf(hrec + hlen , 161 - hlen, ",%d", reserve_list[i]); } } seq_printf(m, From patchwork Sun Mar 15 09:42:38 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Takashi Iwai X-Patchwork-Id: 11438783 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 1BCB092A for ; Sun, 15 Mar 2020 09:42:50 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id EFBCC206BE for ; Sun, 15 Mar 2020 09:42:49 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728152AbgCOJmt (ORCPT ); Sun, 15 Mar 2020 05:42:49 -0400 Received: from mx2.suse.de ([195.135.220.15]:58140 "EHLO mx2.suse.de" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1728123AbgCOJms (ORCPT ); Sun, 15 Mar 2020 05:42:48 -0400 X-Virus-Scanned: by amavisd-new at test-mx.suse.de Received: from relay2.suse.de (unknown [195.135.220.254]) by mx2.suse.de (Postfix) with ESMTP id ADC1FACE8; Sun, 15 Mar 2020 09:42:47 +0000 (UTC) 
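Review bot: The limit `161 - hlen` hard-codes the size of hrec, so the bound silently goes wrong if the buffer is ever resized. If hrec is a local array in gdth_show_info (its declaration is outside the hunk), `sizeof(hrec) - hlen` ties the limit to the actual buffer: `hlen += scnprintf(hrec + hlen, sizeof(hrec) - hlen, ",%d", reserve_list[i]);`. With scnprintf() the loop also keeps iterating once hrec is full, producing a silently truncated list; a comment stating that truncation is acceptable here would help.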
From: Takashi Iwai To: linux-scsi@vger.kernel.org Cc: "James E . J . Bottomley" , "Martin K . Petersen" , Brian King Subject: [PATCH v2 5/8] scsi: ipr: Use scnprintf() for avoiding potential buffer overflow Date: Sun, 15 Mar 2020 10:42:38 +0100 Message-Id: <20200315094241.9086-6-tiwai@suse.de> X-Mailer: git-send-email 2.16.4 In-Reply-To: <20200315094241.9086-1-tiwai@suse.de> References: <20200315094241.9086-1-tiwai@suse.de> Sender: linux-scsi-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-scsi@vger.kernel.org Since snprintf() returns the would-be-output size instead of the actual output size, the succeeding calls may go beyond the given buffer limit. Fix it by replacing with scnprintf(). Cc: "James E . J . Bottomley" Cc: "Martin K . Petersen" Cc: Brian King Cc: linux-scsi@vger.kernel.org Signed-off-by: Takashi Iwai --- v1->v2: no change drivers/scsi/ipr.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/drivers/scsi/ipr.c b/drivers/scsi/ipr.c index cd8db1349871..d48a8fa997b9 100644 --- a/drivers/scsi/ipr.c +++ b/drivers/scsi/ipr.c @@ -1299,9 +1299,9 @@ static char *__ipr_format_res_path(u8 *res_path, char *buffer, int len) char *p = buffer; *p = '\0'; - p += snprintf(p, buffer + len - p, "%02X", res_path[0]); + p += scnprintf(p, buffer + len - p, "%02X", res_path[0]); for (i = 1; res_path[i] != 0xff && ((i * 3) < len); i++) - p += snprintf(p, buffer + len - p, "-%02X", res_path[i]); + p += scnprintf(p, buffer + len - p, "-%02X", res_path[i]); return buffer; } 
@@ -1322,7 +1322,7 @@ static char *ipr_format_res_path(struct ipr_ioa_cfg *ioa_cfg, char *p = buffer; *p = '\0'; - p += snprintf(p, buffer + len - p, "%d/", ioa_cfg->host->host_no); + p += scnprintf(p, buffer + len - p, "%d/", ioa_cfg->host->host_no); __ipr_format_res_path(res_path, p, len - (buffer - p)); return buffer; } From patchwork Sun Mar 15 09:42:39 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Takashi Iwai X-Patchwork-Id: 11438779 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 6CCCA1392 for ; Sun, 15 Mar 2020 09:42:49 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id 4BCB2206BE for ; Sun, 15 Mar 2020 09:42:49 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728149AbgCOJmt (ORCPT ); Sun, 15 Mar 2020 05:42:49 -0400 Received: from mx2.suse.de ([195.135.220.15]:58156 "EHLO mx2.suse.de" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1728141AbgCOJms (ORCPT ); Sun, 15 Mar 2020 05:42:48 -0400 X-Virus-Scanned: by amavisd-new at test-mx.suse.de Received: from relay2.suse.de (unknown [195.135.220.254]) by mx2.suse.de (Postfix) with ESMTP id B2C43AD2D; Sun, 15 Mar 2020 09:42:47 +0000 (UTC) 
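Review bot: The context line `__ipr_format_res_path(res_path, p, len - (buffer - p));` passes a length that is too large. After the scnprintf() above, p points past buffer, so `buffer - p` is negative and the expression adds the prefix length to len instead of subtracting it. The helper bounds its own scnprintf() calls with `buffer + len - p` using that inflated value, so on this path the conversion does not confine writes to the caller's buffer. The argument should be `len - (p - buffer)`. Whether the excess is reachable depends on the caller's buffer size and the length of res_path, neither of which is visible in the hunk.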
From: Takashi Iwai To: linux-scsi@vger.kernel.org Cc: "James E . J . Bottomley" , "Martin K . Petersen" , Kashyap Desai , Sumit Saxena , Shivasharan S Subject: [PATCH v2 6/8] scsi: megaraid_sas: Use scnprintf() for avoiding potential buffer overflow Date: Sun, 15 Mar 2020 10:42:39 +0100 Message-Id: <20200315094241.9086-7-tiwai@suse.de> X-Mailer: git-send-email 2.16.4 In-Reply-To: <20200315094241.9086-1-tiwai@suse.de> References: <20200315094241.9086-1-tiwai@suse.de> Sender: linux-scsi-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-scsi@vger.kernel.org Since snprintf() returns the would-be-output size instead of the actual output size, the succeeding calls may go beyond the given buffer limit. Fix it by replacing with scnprintf(). Also corrected the wrongly passed limit size. The remaining buffer size must be decremented. Cc: "James E . J . Bottomley" Cc: "Martin K . Petersen" Cc: Kashyap Desai Cc: Sumit Saxena Cc: Shivasharan S Cc: linux-scsi@vger.kernel.org Signed-off-by: Takashi Iwai --- v1->v2: Align the remaining lines to the open parenthesis drivers/scsi/megaraid/megaraid_sas_base.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/drivers/scsi/megaraid/megaraid_sas_base.c b/drivers/scsi/megaraid/megaraid_sas_base.c index 5bebdd397580..babe85d7b537 100644 --- a/drivers/scsi/megaraid/megaraid_sas_base.c +++ b/drivers/scsi/megaraid/megaraid_sas_base.c 
@@ -2987,9 +2987,10 @@ megasas_dump_sys_regs(void __iomem *reg_set, char *buf) u32 __iomem *reg = (u32 __iomem *)reg_set; for (i = 0; i < sz / sizeof(u32); i++) { - bytes_wrote += snprintf(loc + bytes_wrote, PAGE_SIZE, - "%08x: %08x\n", (i * 4), - readl(®[i])); + bytes_wrote += scnprintf(loc + bytes_wrote, + PAGE_SIZE - bytes_wrote, + "%08x: %08x\n", (i * 4), + readl(®[i])); } return bytes_wrote; } From patchwork Sun Mar 15 09:42:40 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Takashi Iwai X-Patchwork-Id: 11438781 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id D2EA613B1 for ; Sun, 15 Mar 2020 09:42:49 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id B3756206E9 for ; Sun, 15 Mar 2020 09:42:49 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728154AbgCOJmt (ORCPT ); Sun, 15 Mar 2020 05:42:49 -0400 Received: from mx2.suse.de ([195.135.220.15]:58162 "EHLO mx2.suse.de" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1728145AbgCOJms (ORCPT ); Sun, 15 Mar 2020 05:42:48 -0400 X-Virus-Scanned: by amavisd-new at test-mx.suse.de Received: from relay2.suse.de (unknown [195.135.220.254]) by mx2.suse.de (Postfix) with ESMTP id B691FAD5C; Sun, 15 Mar 2020 09:42:47 +0000 (UTC) 
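Review bot: With the limit corrected to `PAGE_SIZE - bytes_wrote`, the loop still runs all `sz / sizeof(u32)` iterations and performs a register read for each one even after the buffer is full, and the dump is silently truncated. Each formatted line is 19 bytes, so this matters only if sz (defined outside the hunk) allows more than roughly PAGE_SIZE / 19 registers. If it can, stop early with `if (bytes_wrote >= PAGE_SIZE - 1) break;` at the top of the loop body; otherwise add a comment stating the bound on sz that makes truncation impossible.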
From: Takashi Iwai To: linux-scsi@vger.kernel.org Cc: "James E . J . Bottomley" , "Martin K . Petersen" Subject: [PATCH v2 7/8] scsi: core: Use scnprintf() for avoiding potential buffer overflow Date: Sun, 15 Mar 2020 10:42:40 +0100 Message-Id: <20200315094241.9086-8-tiwai@suse.de> X-Mailer: git-send-email 2.16.4 In-Reply-To: <20200315094241.9086-1-tiwai@suse.de> References: <20200315094241.9086-1-tiwai@suse.de> Sender: linux-scsi-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-scsi@vger.kernel.org Since snprintf() returns the would-be-output size instead of the actual output size, the succeeding calls may go beyond the given buffer limit. Fix it by replacing with scnprintf(). Reviewed-by: Bart van Assche Cc: "James E . J . Bottomley" Cc: "Martin K . Petersen" Cc: linux-scsi@vger.kernel.org Signed-off-by: Takashi Iwai --- v1->v2: no change drivers/scsi/scsi_sysfs.c | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/drivers/scsi/scsi_sysfs.c b/drivers/scsi/scsi_sysfs.c index c3a30ba4ae08..163dbcb741c1 100644 --- a/drivers/scsi/scsi_sysfs.c +++ b/drivers/scsi/scsi_sysfs.c 
@@ -1045,14 +1045,14 @@ sdev_show_blacklist(struct device *dev, struct device_attribute *attr, name = sdev_bflags_name[i]; if (name) - len += snprintf(buf + len, PAGE_SIZE - len, - "%s%s", len ? " " : "", name); + len += scnprintf(buf + len, PAGE_SIZE - len, + "%s%s", len ? " " : "", name); else - len += snprintf(buf + len, PAGE_SIZE - len, - "%sINVALID_BIT(%d)", len ? " " : "", i); + len += scnprintf(buf + len, PAGE_SIZE - len, + "%sINVALID_BIT(%d)", len ? " " : "", i); } if (len) - len += snprintf(buf + len, PAGE_SIZE - len, "\n"); + len += scnprintf(buf + len, PAGE_SIZE - len, "\n"); return len; } static DEVICE_ATTR(blacklist, S_IRUGO, sdev_show_blacklist, NULL); From patchwork Sun Mar 15 09:42:41 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Takashi Iwai X-Patchwork-Id: 11438785 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 1A2931392 for ; Sun, 15 Mar 2020 09:42:51 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id 03B14206E9 for ; Sun, 15 Mar 2020 09:42:51 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728156AbgCOJmu (ORCPT ); Sun, 15 Mar 2020 05:42:50 -0400 Received: from mx2.suse.de ([195.135.220.15]:58168 "EHLO mx2.suse.de" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1728147AbgCOJmu (ORCPT ); Sun, 15 Mar 2020 05:42:50 -0400 X-Virus-Scanned: by amavisd-new at test-mx.suse.de Received: from relay2.suse.de (unknown [195.135.220.254]) by mx2.suse.de (Postfix) with ESMTP id C1040AC91; Sun, 15 Mar 2020 09:42:47 +0000 (UTC) 
From: Takashi Iwai To: linux-scsi@vger.kernel.org Cc: "James E . J . Bottomley" , "Martin K . Petersen" , Don Brace Subject: [PATCH v2 8/8] scsi: smartpqi: Use scnprintf() for avoiding potential buffer overflow Date: Sun, 15 Mar 2020 10:42:41 +0100 Message-Id: <20200315094241.9086-9-tiwai@suse.de> X-Mailer: git-send-email 2.16.4 In-Reply-To: <20200315094241.9086-1-tiwai@suse.de> References: <20200315094241.9086-1-tiwai@suse.de> Sender: linux-scsi-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-scsi@vger.kernel.org Since snprintf() returns the would-be-output size instead of the actual output size, the succeeding calls may go beyond the given buffer limit. Fix it by replacing with scnprintf(). Cc: "James E . J . Bottomley" Cc: "Martin K . Petersen" Cc: Don Brace Cc: linux-scsi@vger.kernel.org Signed-off-by: Takashi Iwai --- v1->v2: no change drivers/scsi/smartpqi/smartpqi_init.c | 22 +++++++++++----------- 1 file changed, 11 insertions(+), 11 deletions(-) diff --git a/drivers/scsi/smartpqi/smartpqi_init.c b/drivers/scsi/smartpqi/smartpqi_init.c index b7492568e02f..cd157f11eb22 100644 --- a/drivers/scsi/smartpqi/smartpqi_init.c +++ b/drivers/scsi/smartpqi/smartpqi_init.c 
@@ -1614,28 +1614,28 @@ static void pqi_dev_info(struct pqi_ctrl_info *ctrl_info, "%d:%d:", ctrl_info->scsi_host->host_no, device->bus); if (device->target_lun_valid) - count += snprintf(buffer + count, + count += scnprintf(buffer + count, PQI_DEV_INFO_BUFFER_LENGTH - count, "%d:%d", device->target, device->lun); else - count += snprintf(buffer + count, + count += scnprintf(buffer + count, PQI_DEV_INFO_BUFFER_LENGTH - count, "-:-"); if (pqi_is_logical_device(device)) - count += snprintf(buffer + count, + count += scnprintf(buffer + count, PQI_DEV_INFO_BUFFER_LENGTH - count, " %08x%08x", *((u32 *)&device->scsi3addr), *((u32 *)&device->scsi3addr[4])); else - count += snprintf(buffer + count, + count += scnprintf(buffer + count, PQI_DEV_INFO_BUFFER_LENGTH - count, " %016llx", device->sas_address); - count += snprintf(buffer + count, PQI_DEV_INFO_BUFFER_LENGTH - count, + count += scnprintf(buffer + count, PQI_DEV_INFO_BUFFER_LENGTH - count, " %s %.8s %.16s ", pqi_device_type(device), device->vendor, @@ -1643,19 +1643,19 @@ static void pqi_dev_info(struct pqi_ctrl_info *ctrl_info, if (pqi_is_logical_device(device)) { if (device->devtype == TYPE_DISK) - count += snprintf(buffer + count, + count += scnprintf(buffer + count, PQI_DEV_INFO_BUFFER_LENGTH - count, "SSDSmartPathCap%c En%c %-12s", device->raid_bypass_configured ? '+' : '-', device->raid_bypass_enabled ? '+' : '-', pqi_raid_level_to_string(device->raid_level)); } else { - count += snprintf(buffer + count, + count += scnprintf(buffer + count, PQI_DEV_INFO_BUFFER_LENGTH - count, "AIO%c", device->aio_enabled ? '+' : '-'); if (device->devtype == TYPE_DISK || device->devtype == TYPE_ZBC) - count += snprintf(buffer + count, + count += scnprintf(buffer + count, PQI_DEV_INFO_BUFFER_LENGTH - count, " qd=%-6d", device->queue_depth); } 
@@ -6191,14 +6191,14 @@ static ssize_t pqi_lockup_action_show(struct device *dev, for (i = 0; i < ARRAY_SIZE(pqi_lockup_actions); i++) { if (pqi_lockup_actions[i].action == pqi_lockup_action) - count += snprintf(buffer + count, PAGE_SIZE - count, + count += scnprintf(buffer + count, PAGE_SIZE - count, "[%s] ", pqi_lockup_actions[i].name); else - count += snprintf(buffer + count, PAGE_SIZE - count, + count += scnprintf(buffer + count, PAGE_SIZE - count, "%s ", pqi_lockup_actions[i].name); } - count += snprintf(buffer + count, PAGE_SIZE - count, "\n"); + count += scnprintf(buffer + count, PAGE_SIZE - count, "\n"); return count; }