Received: by 10.223.176.46 with SMTP id f43csp178481wra; Tue, 23 Jan 2018 18:38:10 -0800 (PST) X-Google-Smtp-Source: AH8x226yOKrKY7H+1iAzphImfPnc85WWhGcbsIwI2BbG9xeRlFqvpcoRM/dVDpspcZvn19OjoTyy X-Received: by 10.101.81.7 with SMTP id f7mr9764185pgq.449.1516761490489; Tue, 23 Jan 2018 18:38:10 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1516761490; cv=none; d=google.com; s=arc-20160816; b=L8lyswZta+xzD82kYPJPdFF/CRXgZ07Kv1LGXIeyyMw4FKzadKPy+FeAknWkqC4Mco VXpCYtSuh8Uh+Iqv4xDgxYF12x+qHIqer6iepb4RhvsF6ABJ3C095ibw2M6Cfu7k9mZp 9dpm9OixyLuNrTQbxpP7m5iOEWSEqlmJcU5M37YGlDCTK/x5Q51zW8qg2EDu5UuXsMBe FYqzWfdbw0/Lpj3AwgkAdnjuA/3kpAwuymBINqEcuoP3NSuC+2hhFPAR9y0Au8W+zDGO Sh/AQk+IHPqm/3PXdgkKFdETEG8C03hoUtyT8GL/AJO5T8GEJTU10/a6Ihw8ZiwllCWm f0bQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:references:in-reply-to:message-id:date :subject:cc:to:from:arc-authentication-results; bh=5UrZ9di4ZcBUdzksx+oMtHY7rNGv6Qh6/vIdM1Idgec=; b=Bw2+ce1xivJ+jo7UgIExG2ZEUSuoK3ki71HSk0etWcAjQ1wwf/ah39Pr6E950di/f6 8lwrxqUUqEwzi5HZjmkwDjphOfDQNP1r40gohb/DwzbfSDMYGCSNZ//k26pD4ncAzEFy 9Upojw6RnCKkS2bvdix2k9gNUwckaGcCX86ItW1YeW0144oPZwk/qVlM69eekGicHit5 UQm/BSDoeJmY7QiHOdzyB3cWXljyT4/dzg654SdtwCSrQS2G7p7fo3lLL9cSAIdwLV2o 5D0gw8xpeWTiOUQ/9bh85bzLVAfkgID8Gg70pTAPy91NPDhY4w2D1cfTkN/3Az9An8e6 R1Jw== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=samsung.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id e7-v6si5389804plk.625.2018.01.23.18.37.56; Tue, 23 Jan 2018 18:38:10 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=samsung.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1752245AbeAXCf5 (ORCPT + 99 others); Tue, 23 Jan 2018 21:35:57 -0500 Received: from osg.samsung.com ([64.30.133.232]:38111 "EHLO osg.samsung.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751940AbeAXCfz (ORCPT ); Tue, 23 Jan 2018 21:35:55 -0500 Received: from localhost (localhost [127.0.0.1]) by osg.samsung.com (Postfix) with ESMTP id 1530A31818; Tue, 23 Jan 2018 18:35:55 -0800 (PST) X-Virus-Scanned: Debian amavisd-new at dev.s-opensource.com Received: from osg.samsung.com ([127.0.0.1]) by localhost (localhost [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id SvfYagJZiUK0; Tue, 23 Jan 2018 18:35:54 -0800 (PST) Received: from localhost.localdomain (c-24-9-64-241.hsd1.co.comcast.net [24.9.64.241]) by osg.samsung.com (Postfix) with ESMTPSA id B412E3180C; Tue, 23 Jan 2018 18:35:53 -0800 (PST) From: Shuah Khan To: valentina.manea.m@gmail.com, shuah@kernel.org, gregkh@linuxfoundation.org, jdieter@lesbg.com Cc: Shuah Khan , peter.senna@gmail.com, linux-usb@vger.kernel.org, linux-kernel@vger.kernel.org, stable@vger.kernel.org Subject: [PATCH 4.4] usbip: Fix potential format overflow in userspace tools Date: Tue, 23 Jan 2018 19:35:32 -0700 Message-Id: <20180124023532.32340-2-shuahkh@osg.samsung.com> X-Mailer: git-send-email 2.14.1 In-Reply-To: <20180124023532.32340-1-shuahkh@osg.samsung.com> References: <20180124023532.32340-1-shuahkh@osg.samsung.com> Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Upstream commit e5dfa3f902b9 ("usbip: Fix potential format overflow in userspace tools") The usbip userspace tools call sprintf()/snprintf() and don't check for the return value which can lead the paths to overflow, truncating the final file in the path. More urgently, GCC 7 now warns that these aren't checked with -Wformat-overflow, and with -Werror enabled in configure.ac, that makes these tools unbuildable. This patch fixes these problems by replacing sprintf() with snprintf() in one place and adding checks for the return value of snprintf(). Signed-off-by: Shuah Khan --- tools/usb/usbip/libsrc/usbip_common.c | 9 ++++++++- tools/usb/usbip/libsrc/usbip_host_driver.c | 27 ++++++++++++++++++++++----- 2 files changed, 30 insertions(+), 6 deletions(-) diff --git a/tools/usb/usbip/libsrc/usbip_common.c b/tools/usb/usbip/libsrc/usbip_common.c index ac73710473de..8000445ff884 100644 --- a/tools/usb/usbip/libsrc/usbip_common.c +++ b/tools/usb/usbip/libsrc/usbip_common.c @@ -215,9 +215,16 @@ int read_usb_interface(struct usbip_usb_device *udev, int i, struct usbip_usb_interface *uinf) { char busid[SYSFS_BUS_ID_SIZE]; + int size; struct udev_device *sif; - sprintf(busid, "%s:%d.%d", udev->busid, udev->bConfigurationValue, i); + size = snprintf(busid, sizeof(busid), "%s:%d.%d", + udev->busid, udev->bConfigurationValue, i); + if (size < 0 || (unsigned int)size >= sizeof(busid)) { + err("busid length %i >= %lu or < 0", size, + (unsigned long)sizeof(busid)); + return -1; + } sif = udev_device_new_from_subsystem_sysname(udev_context, "usb", busid); if (!sif) { diff --git a/tools/usb/usbip/libsrc/usbip_host_driver.c b/tools/usb/usbip/libsrc/usbip_host_driver.c index bef08d5c44e8..14c2916b4fec 100644 --- a/tools/usb/usbip/libsrc/usbip_host_driver.c +++ b/tools/usb/usbip/libsrc/usbip_host_driver.c @@ -39,13 +39,19 @@ struct udev *udev_context; static int32_t read_attr_usbip_status(struct usbip_usb_device *udev) { char status_attr_path[SYSFS_PATH_MAX]; + int size; int fd; int length; char status; int value = 0; - snprintf(status_attr_path, SYSFS_PATH_MAX, "%s/usbip_status", - udev->path); + size = snprintf(status_attr_path, SYSFS_PATH_MAX, "%s/usbip_status", + udev->path); + if (size < 0 || (unsigned int)size >= sizeof(status_attr_path)) { + err("usbip_status path length %i >= %lu or < 0", size, + (unsigned long)sizeof(status_attr_path)); + return -1; + } fd = open(status_attr_path, O_RDONLY); if (fd < 0) { @@ -225,6 +231,7 @@ int usbip_host_export_device(struct usbip_exported_device *edev, int sockfd) { char attr_name[] = "usbip_sockfd"; char sockfd_attr_path[SYSFS_PATH_MAX]; + int size; char sockfd_buff[30]; int ret; @@ -244,10 +251,20 @@ int usbip_host_export_device(struct usbip_exported_device *edev, int sockfd) } /* only the first interface is true */ - snprintf(sockfd_attr_path, sizeof(sockfd_attr_path), "%s/%s", - edev->udev.path, attr_name); + size = snprintf(sockfd_attr_path, sizeof(sockfd_attr_path), "%s/%s", + edev->udev.path, attr_name); + if (size < 0 || (unsigned int)size >= sizeof(sockfd_attr_path)) { + err("exported device path length %i >= %lu or < 0", size, + (unsigned long)sizeof(sockfd_attr_path)); + return -1; + } - snprintf(sockfd_buff, sizeof(sockfd_buff), "%d\n", sockfd); + size = snprintf(sockfd_buff, sizeof(sockfd_buff), "%d\n", sockfd); + if (size < 0 || (unsigned int)size >= sizeof(sockfd_buff)) { + err("socket length %i >= %lu or < 0", size, + (unsigned long)sizeof(sockfd_buff)); + return -1; + } ret = write_sysfs_attribute(sockfd_attr_path, sockfd_buff, strlen(sockfd_buff)); -- 2.14.1