Received: by 10.223.176.46 with SMTP id f43csp175842wra; Tue, 23 Jan 2018 18:34:38 -0800 (PST) X-Google-Smtp-Source: AH8x227Lb4nGTwM3K7HLPABpJOdT/C/BBFOGCkvxohVvVL7I2MtAbiMfAlb+s7+1atZRDBzznDbv X-Received: by 10.98.217.135 with SMTP id b7mr11394223pfl.239.1516761278298; Tue, 23 Jan 2018 18:34:38 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1516761278; cv=none; d=google.com; s=arc-20160816; b=bmQQRjOpW+MbLRcBbnWywUvYe+aeHRv3Eb4dkHkEamuyRiCqPezrQ9iKMQjS0joSoc Jc/JX8PEZQq+fsJDscEvjzPnAp8qqediPE5prmpWDamjVzNoCq6GJiZDXkaApvPoP1oB 580CIs10VgJOiF3H/r6jsW3ofRfvXGyV8EMHD6nBBXwd608Ws+oBTTCz1tVkTz15yjqi 8czS5JrXaO4NNSqh3CWOQWxh5+N0VAnHBXgXdxBlgi64Aj0Wj8Jjf9dUZnoeD3rf2/4g D9ggLfcjE93FnUPYmt1snU2tyxT4UJDLHY2vFpaawujgqPVvWiQGBBVgL49pbbxhKDJC Axjw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:references:in-reply-to:message-id:date :subject:cc:to:from:arc-authentication-results; bh=xJR1XgxbkYyfzBdfz5Kbgb2tY0S83NS2W4vBqMflzys=; b=gBOHC5MulnykhIpfoyAnncMkGCaypA48Z2IDfkGKwSwBoG39aDGS8kH56ph+ceVe33 qFOQZAMEZYVatbiyyiWFcaxasbJvrzVlbiZ0aK9oNL1QZjUs+8SZZ1qaTzk502x7s3Ws f/ak8sZP9CaLZi7cOC1xCn5bhJIWhfk098elvCQZR+ow+hKdC2b+Bj7qVhE83ZfCXCiP 5wMMHyLOAJDubk9irkfwR56CmD/KIsvvK0gLMd455sKEpzXJCTyNtHoUEEJtNAtmPiV3 3NZ80xMIpqqcPUsAGrMngeBMPyR3p9HxXbJfJ5FqKZik4Dt8ibXRXxR90Edro9jZ5nA0 vE4A== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=samsung.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id 62-v6si5414926pld.136.2018.01.23.18.34.24; Tue, 23 Jan 2018 18:34:38 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=samsung.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1752377AbeAXCc4 (ORCPT + 99 others); Tue, 23 Jan 2018 21:32:56 -0500 Received: from osg.samsung.com ([64.30.133.232]:43397 "EHLO osg.samsung.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751975AbeAXCck (ORCPT ); Tue, 23 Jan 2018 21:32:40 -0500 Received: from localhost (localhost [127.0.0.1]) by osg.samsung.com (Postfix) with ESMTP id 10C01317FB; Tue, 23 Jan 2018 18:32:40 -0800 (PST) X-Virus-Scanned: Debian amavisd-new at dev.s-opensource.com Received: from osg.samsung.com ([127.0.0.1]) by localhost (localhost [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id avDeXDNyHi_t; Tue, 23 Jan 2018 18:32:35 -0800 (PST) Received: from localhost.localdomain (c-24-9-64-241.hsd1.co.comcast.net [24.9.64.241]) by osg.samsung.com (Postfix) with ESMTPSA id 99FA5317E7; Tue, 23 Jan 2018 18:32:34 -0800 (PST) From: Shuah Khan To: valentina.manea.m@gmail.com, shuah@kernel.org, gregkh@linuxfoundation.org, jdieter@lesbg.com Cc: peter.senna@gmail.com, linux-usb@vger.kernel.org, linux-kernel@vger.kernel.org, stable@vger.kernel.org, Shuah Khan Subject: [PATCH 4.9] usbip: Fix potential format overflow in userspace tools Date: Tue, 23 Jan 2018 19:32:12 -0700 Message-Id: <20180124023212.32005-2-shuahkh@osg.samsung.com> X-Mailer: git-send-email 2.14.1 In-Reply-To: <20180124023212.32005-1-shuahkh@osg.samsung.com> References: <20180124023212.32005-1-shuahkh@osg.samsung.com> Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Jonathan Dieter Upstream commit e5dfa3f902b9 ("usbip: Fix potential format overflow in userspace tools") The usbip userspace tools call sprintf()/snprintf() and don't check for the return value which can lead the paths to overflow, truncating the final file in the path. More urgently, GCC 7 now warns that these aren't checked with -Wformat-overflow, and with -Werror enabled in configure.ac, that makes these tools unbuildable. This patch fixes these problems by replacing sprintf() with snprintf() in one place and adding checks for the return value of snprintf(). Reviewed-by: Peter Senna Tschudin Signed-off-by: Jonathan Dieter Acked-by: Shuah Khan Signed-off-by: Greg Kroah-Hartman Signed-off-by: Shuah Khan --- tools/usb/usbip/libsrc/usbip_common.c | 9 ++++++++- tools/usb/usbip/libsrc/usbip_host_common.c | 28 +++++++++++++++++++++++----- 2 files changed, 31 insertions(+), 6 deletions(-) diff --git a/tools/usb/usbip/libsrc/usbip_common.c b/tools/usb/usbip/libsrc/usbip_common.c index ac73710473de..8000445ff884 100644 --- a/tools/usb/usbip/libsrc/usbip_common.c +++ b/tools/usb/usbip/libsrc/usbip_common.c @@ -215,9 +215,16 @@ int read_usb_interface(struct usbip_usb_device *udev, int i, struct usbip_usb_interface *uinf) { char busid[SYSFS_BUS_ID_SIZE]; + int size; struct udev_device *sif; - sprintf(busid, "%s:%d.%d", udev->busid, udev->bConfigurationValue, i); + size = snprintf(busid, sizeof(busid), "%s:%d.%d", + udev->busid, udev->bConfigurationValue, i); + if (size < 0 || (unsigned int)size >= sizeof(busid)) { + err("busid length %i >= %lu or < 0", size, + (unsigned long)sizeof(busid)); + return -1; + } sif = udev_device_new_from_subsystem_sysname(udev_context, "usb", busid); if (!sif) { diff --git a/tools/usb/usbip/libsrc/usbip_host_common.c b/tools/usb/usbip/libsrc/usbip_host_common.c index 9d415228883d..c10379439668 100644 --- a/tools/usb/usbip/libsrc/usbip_host_common.c +++ b/tools/usb/usbip/libsrc/usbip_host_common.c @@ -40,13 +40,20 @@ struct udev *udev_context; static int32_t read_attr_usbip_status(struct usbip_usb_device *udev) { char status_attr_path[SYSFS_PATH_MAX]; + int size; int fd; int length; char status; int value = 0; - snprintf(status_attr_path, SYSFS_PATH_MAX, "%s/usbip_status", - udev->path); + size = snprintf(status_attr_path, sizeof(status_attr_path), + "%s/usbip_status", udev->path); + if (size < 0 || (unsigned int)size >= sizeof(status_attr_path)) { + err("usbip_status path length %i >= %lu or < 0", size, + (unsigned long)sizeof(status_attr_path)); + return -1; + } + fd = open(status_attr_path, O_RDONLY); if (fd < 0) { @@ -218,6 +225,7 @@ int usbip_export_device(struct usbip_exported_device *edev, int sockfd) { char attr_name[] = "usbip_sockfd"; char sockfd_attr_path[SYSFS_PATH_MAX]; + int size; char sockfd_buff[30]; int ret; @@ -237,10 +245,20 @@ int usbip_export_device(struct usbip_exported_device *edev, int sockfd) } /* only the first interface is true */ - snprintf(sockfd_attr_path, sizeof(sockfd_attr_path), "%s/%s", - edev->udev.path, attr_name); + size = snprintf(sockfd_attr_path, sizeof(sockfd_attr_path), "%s/%s", + edev->udev.path, attr_name); + if (size < 0 || (unsigned int)size >= sizeof(sockfd_attr_path)) { + err("exported device path length %i >= %lu or < 0", size, + (unsigned long)sizeof(sockfd_attr_path)); + return -1; + } - snprintf(sockfd_buff, sizeof(sockfd_buff), "%d\n", sockfd); + size = snprintf(sockfd_buff, sizeof(sockfd_buff), "%d\n", sockfd); + if (size < 0 || (unsigned int)size >= sizeof(sockfd_buff)) { + err("socket length %i >= %lu or < 0", size, + (unsigned long)sizeof(sockfd_buff)); + return -1; + } ret = write_sysfs_attribute(sockfd_attr_path, sockfd_buff, strlen(sockfd_buff)); -- 2.14.1