lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <742d4aa2-254f-b86d-ff1e-d7c33add8771@solarflare.com>
Date:   Mon, 16 Mar 2020 11:51:13 +0000
From:   Martin Habets <mhabets@...arflare.com>
To:     Takashi Iwai <tiwai@...e.de>, <netdev@...r.kernel.org>
CC:     "David S . Miller" <davem@...emloft.net>,
        Edward Cree <ecree@...arflare.com>,
        Solarflare linux maintainers <linux-net-drivers@...arflare.com>
Subject: Re: [PATCH v2 5/6] net: sfc: Use scnprintf() for avoiding potential
 buffer overflow

On 15/03/2020 09:35, Takashi Iwai wrote:
> Since snprintf() returns the would-be-output size instead of the
> actual output size, the succeeding calls may go beyond the given
> buffer limit.  Fix it by replacing with scnprintf().
> 
> Cc: "David S . Miller" <davem@...emloft.net>
> Cc: Edward Cree <ecree@...arflare.com>
> Cc: Martin Habets <mhabets@...arflare.com>
> Cc: Solarflare linux maintainers <linux-net-drivers@...arflare.com>
> Cc: netdev@...r.kernel.org
> Signed-off-by: Takashi Iwai <tiwai@...e.de>

Acked-by: Martin Habets <mhabets@...arflare.com>

> ---
> v1->v2: Align the remaining lines to the open parenthesis
> 
>  drivers/net/ethernet/sfc/mcdi.c | 32 ++++++++++++++++++--------------
>  1 file changed, 18 insertions(+), 14 deletions(-)
> 
> diff --git a/drivers/net/ethernet/sfc/mcdi.c b/drivers/net/ethernet/sfc/mcdi.c
> index 2713300343c7..15c731d04065 100644
> --- a/drivers/net/ethernet/sfc/mcdi.c
> +++ b/drivers/net/ethernet/sfc/mcdi.c
> @@ -212,12 +212,14 @@ static void efx_mcdi_send_request(struct efx_nic *efx, unsigned cmd,
>  		 * progress on a NIC at any one time.  So no need for locking.
>  		 */
>  		for (i = 0; i < hdr_len / 4 && bytes < PAGE_SIZE; i++)
> -			bytes += snprintf(buf + bytes, PAGE_SIZE - bytes,
> -					  " %08x", le32_to_cpu(hdr[i].u32[0]));
> +			bytes += scnprintf(buf + bytes, PAGE_SIZE - bytes,
> +					   " %08x",
> +					   le32_to_cpu(hdr[i].u32[0]));
>  
>  		for (i = 0; i < inlen / 4 && bytes < PAGE_SIZE; i++)
> -			bytes += snprintf(buf + bytes, PAGE_SIZE - bytes,
> -					  " %08x", le32_to_cpu(inbuf[i].u32[0]));
> +			bytes += scnprintf(buf + bytes, PAGE_SIZE - bytes,
> +					   " %08x",
> +					   le32_to_cpu(inbuf[i].u32[0]));
>  
>  		netif_info(efx, hw, efx->net_dev, "MCDI RPC REQ:%s\n", buf);
>  	}
> @@ -302,15 +304,15 @@ static void efx_mcdi_read_response_header(struct efx_nic *efx)
>  		 */
>  		for (i = 0; i < hdr_len && bytes < PAGE_SIZE; i++) {
>  			efx->type->mcdi_read_response(efx, &hdr, (i * 4), 4);
> -			bytes += snprintf(buf + bytes, PAGE_SIZE - bytes,
> -					  " %08x", le32_to_cpu(hdr.u32[0]));
> +			bytes += scnprintf(buf + bytes, PAGE_SIZE - bytes,
> +					   " %08x", le32_to_cpu(hdr.u32[0]));
>  		}
>  
>  		for (i = 0; i < data_len && bytes < PAGE_SIZE; i++) {
>  			efx->type->mcdi_read_response(efx, &hdr,
>  					mcdi->resp_hdr_len + (i * 4), 4);
> -			bytes += snprintf(buf + bytes, PAGE_SIZE - bytes,
> -					  " %08x", le32_to_cpu(hdr.u32[0]));
> +			bytes += scnprintf(buf + bytes, PAGE_SIZE - bytes,
> +					   " %08x", le32_to_cpu(hdr.u32[0]));
>  		}
>  
>  		netif_info(efx, hw, efx->net_dev, "MCDI RPC RESP:%s\n", buf);
> @@ -1417,9 +1419,11 @@ void efx_mcdi_print_fwver(struct efx_nic *efx, char *buf, size_t len)
>  	}
>  
>  	ver_words = (__le16 *)MCDI_PTR(outbuf, GET_VERSION_OUT_VERSION);
> -	offset = snprintf(buf, len, "%u.%u.%u.%u",
> -			  le16_to_cpu(ver_words[0]), le16_to_cpu(ver_words[1]),
> -			  le16_to_cpu(ver_words[2]), le16_to_cpu(ver_words[3]));
> +	offset = scnprintf(buf, len, "%u.%u.%u.%u",
> +			   le16_to_cpu(ver_words[0]),
> +			   le16_to_cpu(ver_words[1]),
> +			   le16_to_cpu(ver_words[2]),
> +			   le16_to_cpu(ver_words[3]));
>  
>  	/* EF10 may have multiple datapath firmware variants within a
>  	 * single version.  Report which variants are running.
> @@ -1427,9 +1431,9 @@ void efx_mcdi_print_fwver(struct efx_nic *efx, char *buf, size_t len)
>  	if (efx_nic_rev(efx) >= EFX_REV_HUNT_A0) {
>  		struct efx_ef10_nic_data *nic_data = efx->nic_data;
>  
> -		offset += snprintf(buf + offset, len - offset, " rx%x tx%x",
> -				   nic_data->rx_dpcpu_fw_id,
> -				   nic_data->tx_dpcpu_fw_id);
> +		offset += scnprintf(buf + offset, len - offset, " rx%x tx%x",
> +				    nic_data->rx_dpcpu_fw_id,
> +				    nic_data->tx_dpcpu_fw_id);
>  
>  		/* It's theoretically possible for the string to exceed 31
>  		 * characters, though in practice the first three version
>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ