lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <CANZ3JQT825NXA16wequ3YPP-StVGVVQQm0DgHuCk_ZY=aG20kQ@mail.gmail.com>
Date: Thu, 10 Jul 2025 10:16:00 +0800
From: Wang Haoran <haoranwangsec@...il.com>
To: martin.petersen@...cle.com
Cc: target-devel@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: We found a bug in target_core_configfs.c for the latest linux

Hi, my name is Wang Haoran. We found a bug in the
target_lu_gp_members_show function located in
drivers/target/target_core_configfs.c in the latest Linux kernel
(version 6.15.5).
The function uses snprintf to format a device path string into a
fixed-size buffer buf, which has size LU_GROUP_NAME_BUF (defined as
256). However, the device name of
config_item_name(&dev->dev_group.cg_item) can be up to 255 characters.
When combined with config_item_name(&hba->hba_group.cg_item), '/',
newline, and null terminator, "%s/%s\n" may exceed 256 bytes.
Since "snprintf" returns the total number of bytes that would have
been written, the return value cur_len may exceed length of buf, and a
buffer overflow would occur when executing memcpy(page+len, buf,
cur_len);
Replacing snprintf with scnprintf ensures the return value never
exceeds the specified buffer size, preventing such issues.

--- target_core_configfs.c 2025-07-06 17:04:26.000000000 +0800
+++ target_core_configfs.c 2025-07-09 18:43:05.926386901 +0800
@@ -2771,7 +2771,7 @@
  dev = lu_gp_mem->lu_gp_mem_dev;
  hba = dev->se_hba;

- cur_len = snprintf(buf, LU_GROUP_NAME_BUF, "%s/%s\n",
+ cur_len = scnprintf(buf, LU_GROUP_NAME_BUF, "%s/%s\n",
  config_item_name(&hba->hba_group.cg_item),
  config_item_name(&dev->dev_group.cg_item));
  cur_len++; /* Extra byte for NULL terminator */

Best regards,
Wang Haoran

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ