lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Message-Id: <20151018014738.538372839@linuxfoundation.org> Date: Sat, 17 Oct 2015 18:58:12 -0700 From: Greg Kroah-Hartman <gregkh@...uxfoundation.org> To: linux-kernel@...r.kernel.org Cc: Greg Kroah-Hartman <gregkh@...uxfoundation.org>, stable@...r.kernel.org, Dan Carpenter <dan.carpenter@...cle.com>, Don Brace <don.brace@...s.com>, James Bottomley <JBottomley@...n.com> Subject: [PATCH 4.2 179/258] hpsa: fix an sprintf() overflow in the reset handler 4.2-stable review patch. If anyone has any objections, please let me know. ------------------ From: Dan Carpenter <dan.carpenter@...cle.com> commit 2dc127bb299d1c7436a08e79193bd0251068356e upstream. The string "cmd %d RESET FAILED, new lockup detected" is not quite large enough so the sprintf() will overflow. I have increased the size of the buffer and also changed the sprintf calls to snprintf. Fixes: 73153fe533bc ('hpsa: use block layer tag for command allocation') Signed-off-by: Dan Carpenter <dan.carpenter@...cle.com> Acked-by: Don Brace <don.brace@...s.com> Signed-off-by: James Bottomley <JBottomley@...n.com> Signed-off-by: Greg Kroah-Hartman <gregkh@...uxfoundation.org> --- drivers/scsi/hpsa.c | 15 +++++++++------ 1 file changed, 9 insertions(+), 6 deletions(-) --- a/drivers/scsi/hpsa.c +++ b/drivers/scsi/hpsa.c @@ -5104,7 +5104,7 @@ static int hpsa_eh_device_reset_handler( int rc; struct ctlr_info *h; struct hpsa_scsi_dev_t *dev; - char msg[40]; + char msg[48]; /* find the controller to which the command to be aborted was sent */ h = sdev_to_hba(scsicmd->device); @@ -5122,16 +5122,18 @@ static int hpsa_eh_device_reset_handler( /* if controller locked up, we can guarantee command won't complete */ if (lockup_detected(h)) { - sprintf(msg, "cmd %d RESET FAILED, lockup detected", - hpsa_get_cmd_index(scsicmd)); + snprintf(msg, sizeof(msg), + "cmd %d RESET FAILED, lockup detected", + hpsa_get_cmd_index(scsicmd)); hpsa_show_dev_msg(KERN_WARNING, h, dev, msg); return FAILED; } /* this reset request might be the result of a lockup; check */ if (detect_controller_lockup(h)) { - sprintf(msg, "cmd %d RESET FAILED, new lockup detected", - hpsa_get_cmd_index(scsicmd)); + snprintf(msg, sizeof(msg), + "cmd %d RESET FAILED, new lockup detected", + hpsa_get_cmd_index(scsicmd)); hpsa_show_dev_msg(KERN_WARNING, h, dev, msg); return FAILED; } @@ -5145,7 +5147,8 @@ static int hpsa_eh_device_reset_handler( /* send a reset to the SCSI LUN which the command was sent to */ rc = hpsa_do_reset(h, dev, dev->scsi3addr, HPSA_RESET_TYPE_LUN, DEFAULT_REPLY_QUEUE); - sprintf(msg, "reset %s", rc == 0 ? "completed successfully" : "failed"); + snprintf(msg, sizeof(msg), "reset %s", + rc == 0 ? "completed successfully" : "failed"); hpsa_show_dev_msg(KERN_WARNING, h, dev, msg); return rc == 0 ? SUCCESS : FAILED; } -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists