Received: by 10.223.176.5 with SMTP id f5csp3381165wra; Mon, 29 Jan 2018 12:22:48 -0800 (PST) X-Google-Smtp-Source: AH8x226RenjXmZP+riftnVZSafvS1C9US5kb19DMQElqw00akFXrnRLUWL8X0mStVEH/h7HYQ26O X-Received: by 10.101.68.82 with SMTP id e18mr21361991pgq.413.1517257368266; Mon, 29 Jan 2018 12:22:48 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1517257368; cv=none; d=google.com; s=arc-20160816; b=x1JGO1dl8GmuXnYeh7t9xseh08Q5mcu82++r6RmbCDX0m9caAa4UC4ssj3FfGQDvHz IUSEfT0Op+wIhkHMISyspdXJGw+MdPnANfO0/FDm5jXCXeYdI3L3AG27Wd+cqqL1+EKi RiKVvEV0wrwQcWajC0v8ig2hkSlmwbKSLPlHKZcCInTPYZWrlt7z1AiIobAO0koxUY1t 6QDaMl5HYmuAcy3uzy9R8TNQaRMyxBBV7Ndi2Vg2KSBeG3mV9jvZg4EUFJ74qIanUkS+ tZKmz3SPmLIl490+J3GEgjR6sO6QuMzPXPs/+syJSA/HASMcJWuOMPXOlek7cPfZh321 hRsQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:mime-version:user-agent:references :in-reply-to:message-id:date:subject:cc:to:from :arc-authentication-results; bh=B+nvRQ8suhS0i24bxLUbF2Lerb/5FcWX37irf2HavQ4=; b=a0t6k2eoU6K0akMjaFjvHmhe5/RyGg7IjQZJfiCjixWpB2fayUubtmOVe6/GxFj4od wLA8mOXRrT5Uh7piAaoZjTCzW0VjBLnygk7n9oaEzgEDpet4OH0/SfZAFcdT6xreCo6z 0aXTyNXjNCwID+10Rwqa0yr5vqKWgaRTXED14rwuz01VC/rklWGk70o0BMLdA08Z5npf AIuYga69s4n/2qaYzc/kzj/WlHCKEuK4nL9RZiT8RCgV5SgL0LTO86WfwngY0tP9TMre Mn3gCoCK4doNy9Bzsh07xTftG/tml8gb4Lr4eIqmobtjeap9YOAxih4Ea6mfz1LXtYmo 8AgQ== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id bg11-v6si10132332plb.272.2018.01.29.12.22.33; Mon, 29 Jan 2018 12:22:48 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S932622AbeA2UV2 (ORCPT + 99 others); Mon, 29 Jan 2018 15:21:28 -0500 Received: from mail.linuxfoundation.org ([140.211.169.12]:45058 "EHLO mail.linuxfoundation.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1754638AbeA2UQp (ORCPT ); Mon, 29 Jan 2018 15:16:45 -0500 Received: from localhost (LFbn-1-12258-90.w90-92.abo.wanadoo.fr [90.92.71.90]) by mail.linuxfoundation.org (Postfix) with ESMTPSA id 41EAE2F8F; Mon, 29 Jan 2018 13:05:42 +0000 (UTC) From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Peter Senna Tschudin , Jonathan Dieter , Shuah Khan Subject: [PATCH 4.9 06/66] usbip: Fix potential format overflow in userspace tools Date: Mon, 29 Jan 2018 13:56:30 +0100 Message-Id: <20180129123840.164217085@linuxfoundation.org> X-Mailer: git-send-email 2.16.1 In-Reply-To: <20180129123839.842860149@linuxfoundation.org> References: <20180129123839.842860149@linuxfoundation.org> User-Agent: quilt/0.65 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org 4.9-stable review patch. If anyone has any objections, please let me know. ------------------ From: Jonathan Dieter commit e5dfa3f902b9a642ae8c6997d57d7c41e384a90b upstream. The usbip userspace tools call sprintf()/snprintf() and don't check for the return value which can lead the paths to overflow, truncating the final file in the path. More urgently, GCC 7 now warns that these aren't checked with -Wformat-overflow, and with -Werror enabled in configure.ac, that makes these tools unbuildable. This patch fixes these problems by replacing sprintf() with snprintf() in one place and adding checks for the return value of snprintf(). Reviewed-by: Peter Senna Tschudin Signed-off-by: Jonathan Dieter Acked-by: Shuah Khan Signed-off-by: Shuah Khan Signed-off-by: Greg Kroah-Hartman --- tools/usb/usbip/libsrc/usbip_common.c | 9 ++++++++- tools/usb/usbip/libsrc/usbip_host_common.c | 28 +++++++++++++++++++++++----- 2 files changed, 31 insertions(+), 6 deletions(-) --- a/tools/usb/usbip/libsrc/usbip_common.c +++ b/tools/usb/usbip/libsrc/usbip_common.c @@ -215,9 +215,16 @@ int read_usb_interface(struct usbip_usb_ struct usbip_usb_interface *uinf) { char busid[SYSFS_BUS_ID_SIZE]; + int size; struct udev_device *sif; - sprintf(busid, "%s:%d.%d", udev->busid, udev->bConfigurationValue, i); + size = snprintf(busid, sizeof(busid), "%s:%d.%d", + udev->busid, udev->bConfigurationValue, i); + if (size < 0 || (unsigned int)size >= sizeof(busid)) { + err("busid length %i >= %lu or < 0", size, + (long unsigned)sizeof(busid)); + return -1; + } sif = udev_device_new_from_subsystem_sysname(udev_context, "usb", busid); if (!sif) { --- a/tools/usb/usbip/libsrc/usbip_host_common.c +++ b/tools/usb/usbip/libsrc/usbip_host_common.c @@ -40,13 +40,20 @@ struct udev *udev_context; static int32_t read_attr_usbip_status(struct usbip_usb_device *udev) { char status_attr_path[SYSFS_PATH_MAX]; + int size; int fd; int length; char status; int value = 0; - snprintf(status_attr_path, SYSFS_PATH_MAX, "%s/usbip_status", - udev->path); + size = snprintf(status_attr_path, sizeof(status_attr_path), + "%s/usbip_status", udev->path); + if (size < 0 || (unsigned int)size >= sizeof(status_attr_path)) { + err("usbip_status path length %i >= %lu or < 0", size, + (long unsigned)sizeof(status_attr_path)); + return -1; + } + fd = open(status_attr_path, O_RDONLY); if (fd < 0) { @@ -218,6 +225,7 @@ int usbip_export_device(struct usbip_exp { char attr_name[] = "usbip_sockfd"; char sockfd_attr_path[SYSFS_PATH_MAX]; + int size; char sockfd_buff[30]; int ret; @@ -237,10 +245,20 @@ int usbip_export_device(struct usbip_exp } /* only the first interface is true */ - snprintf(sockfd_attr_path, sizeof(sockfd_attr_path), "%s/%s", - edev->udev.path, attr_name); + size = snprintf(sockfd_attr_path, sizeof(sockfd_attr_path), "%s/%s", + edev->udev.path, attr_name); + if (size < 0 || (unsigned int)size >= sizeof(sockfd_attr_path)) { + err("exported device path length %i >= %lu or < 0", size, + (long unsigned)sizeof(sockfd_attr_path)); + return -1; + } - snprintf(sockfd_buff, sizeof(sockfd_buff), "%d\n", sockfd); + size = snprintf(sockfd_buff, sizeof(sockfd_buff), "%d\n", sockfd); + if (size < 0 || (unsigned int)size >= sizeof(sockfd_buff)) { + err("socket length %i >= %lu or < 0", size, + (long unsigned)sizeof(sockfd_buff)); + return -1; + } ret = write_sysfs_attribute(sockfd_attr_path, sockfd_buff, strlen(sockfd_buff));