| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20251110152328.11-1-alsp705@gmail.com>
Date: Mon, 10 Nov 2025 18:23:26 +0300
From: Alexandr Sapozhnikov <alsp705@...il.com>
To: Christoph Hellwig <hch@....de>,
Sagi Grimberg <sagi@...mberg.me>,
Chaitanya Kulkarni <chaitanya.kulkarni@....com>,
Jens Axboe <axboe@...nel.dk>
Cc: Alexandr Sapozhnikov <alsp705@...il.com>,
linux-nvme@...ts.infradead.org,
linux-kernel@...r.kernel.org
Subject: [PATCH 5.10] nvmet: replace the dangerous sprintf function with the snprintf function
Replaced the dangerous sprintf function with a safer equivalent,
snprintf. This will improve driver security by checking for
out-of-bounds errors in the page array.
Fixes: 7e764179c867 ("nvmet: use type-name map for address family")
Signed-off-by: Alexandr Sapozhnikov <alsp705@...il.com>
---
drivers/nvme/target/configfs.c | 30 +++++++++++++++---------------
1 file changed, 15 insertions(+), 15 deletions(-)
diff --git a/drivers/nvme/target/configfs.c b/drivers/nvme/target/configfs.c
index 37e1d7784e17..49dfeb4194b9 100644
--- a/drivers/nvme/target/configfs.c
+++ b/drivers/nvme/target/configfs.c
@@ -60,10 +60,10 @@ static ssize_t nvmet_addr_adrfam_show(struct config_item *item, char *page)
for (i = 1; i < ARRAY_SIZE(nvmet_addr_family); i++) {
if (nvmet_addr_family[i].type == adrfam)
- return sprintf(page, "%s\n", nvmet_addr_family[i].name);
+ return snprintf(page, PAGE_SIZE, "%s\n", nvmet_addr_family[i].name);
}
- return sprintf(page, "\n");
+ return snprintf(page, PAGE_SIZE, "\n");
}
static ssize_t nvmet_addr_adrfam_store(struct config_item *item,
@@ -162,10 +162,10 @@ static ssize_t nvmet_addr_treq_show(struct config_item *item, char *page)
for (i = 0; i < ARRAY_SIZE(nvmet_addr_treq); i++) {
if (treq == nvmet_addr_treq[i].type)
- return sprintf(page, "%s\n", nvmet_addr_treq[i].name);
+ return snprintf(page, PAGE_SIZE, "%s\n", nvmet_addr_treq[i].name);
}
- return sprintf(page, "\n");
+ return snprintf(page, PAGE_SIZE, "\n");
}
static ssize_t nvmet_addr_treq_store(struct config_item *item,
@@ -286,10 +286,10 @@ static ssize_t nvmet_addr_trtype_show(struct config_item *item,
for (i = 0; i < ARRAY_SIZE(nvmet_transport); i++) {
if (port->disc_addr.trtype == nvmet_transport[i].type)
- return sprintf(page, "%s\n", nvmet_transport[i].name);
+ return snprintf(page, PAGE_SIZE, "%s\n", nvmet_transport[i].name);
}
- return sprintf(page, "\n");
+ return snprintf(page, PAGE_SIZE, "\n");
}
static void nvmet_port_init_tsas_rdma(struct nvmet_port *port)
@@ -331,7 +331,7 @@ CONFIGFS_ATTR(nvmet_, addr_trtype);
*/
static ssize_t nvmet_ns_device_path_show(struct config_item *item, char *page)
{
- return sprintf(page, "%s\n", to_nvmet_ns(item)->device_path);
+ return snprintf(page, PAGE_SIZE, "%s\n", to_nvmet_ns(item)->device_path);
}
static ssize_t nvmet_ns_device_path_store(struct config_item *item,
@@ -412,7 +412,7 @@ CONFIGFS_ATTR(nvmet_ns_, p2pmem);
static ssize_t nvmet_ns_device_uuid_show(struct config_item *item, char *page)
{
- return sprintf(page, "%pUb\n", &to_nvmet_ns(item)->uuid);
+ return snprintf(page, PAGE_SIZE, "%pUb\n", &to_nvmet_ns(item)->uuid);
}
static ssize_t nvmet_ns_device_uuid_store(struct config_item *item,
@@ -440,7 +440,7 @@ CONFIGFS_ATTR(nvmet_ns_, device_uuid);
static ssize_t nvmet_ns_device_nguid_show(struct config_item *item, char *page)
{
- return sprintf(page, "%pUb\n", &to_nvmet_ns(item)->nguid);
+ return snprintf(page, PAGE_SIZE, "%pUb\n", &to_nvmet_ns(item)->nguid);
}
static ssize_t nvmet_ns_device_nguid_store(struct config_item *item,
@@ -486,7 +486,7 @@ CONFIGFS_ATTR(nvmet_ns_, device_nguid);
static ssize_t nvmet_ns_ana_grpid_show(struct config_item *item, char *page)
{
- return sprintf(page, "%u\n", to_nvmet_ns(item)->anagrpid);
+ return snprintf(page, PAGE_SIZE, "%u\n", to_nvmet_ns(item)->anagrpid);
}
static ssize_t nvmet_ns_ana_grpid_store(struct config_item *item,
@@ -519,7 +519,7 @@ CONFIGFS_ATTR(nvmet_ns_, ana_grpid);
static ssize_t nvmet_ns_enable_show(struct config_item *item, char *page)
{
- return sprintf(page, "%d\n", to_nvmet_ns(item)->enabled);
+ return snprintf(page, PAGE_SIZE, "%d\n", to_nvmet_ns(item)->enabled);
}
static ssize_t nvmet_ns_enable_store(struct config_item *item,
@@ -544,7 +544,7 @@ CONFIGFS_ATTR(nvmet_ns_, enable);
static ssize_t nvmet_ns_buffered_io_show(struct config_item *item, char *page)
{
- return sprintf(page, "%d\n", to_nvmet_ns(item)->buffered_io);
+ return snprintf(page, PAGE_SIZE, "%d\n", to_nvmet_ns(item)->buffered_io);
}
static ssize_t nvmet_ns_buffered_io_store(struct config_item *item,
@@ -714,7 +714,7 @@ static ssize_t nvmet_passthru_enable_show(struct config_item *item,
{
struct nvmet_subsys *subsys = to_subsys(item->ci_parent);
- return sprintf(page, "%d\n", subsys->passthru_ctrl ? 1 : 0);
+ return snprintf(page, PAGE_SIZE, "%d\n", subsys->passthru_ctrl ? 1 : 0);
}
static ssize_t nvmet_passthru_enable_store(struct config_item *item,
@@ -1348,10 +1348,10 @@ static ssize_t nvmet_ana_group_ana_state_show(struct config_item *item,
for (i = 0; i < ARRAY_SIZE(nvmet_ana_state); i++) {
if (state == nvmet_ana_state[i].type)
- return sprintf(page, "%s\n", nvmet_ana_state[i].name);
+ return snprintf(page, PAGE_SIZE, "%s\n", nvmet_ana_state[i].name);
}
- return sprintf(page, "\n");
+ return snprintf(page, PAGE_SIZE, "\n");
}
static ssize_t nvmet_ana_group_ana_state_store(struct config_item *item,
--
2.51.0
Powered by blists - more mailing lists