Received: by 10.223.176.5 with SMTP id f5csp3403923wra; Mon, 29 Jan 2018 12:41:14 -0800 (PST) X-Google-Smtp-Source: AH8x225qBe7DxO68Go3wyEMK0OFy17aNSMhZKSWrNUVgQEcadhBjR53/hXkkGcsn5RicRA4KroMR X-Received: by 10.98.135.76 with SMTP id i73mr27569157pfe.183.1517258473943; Mon, 29 Jan 2018 12:41:13 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1517258473; cv=none; d=google.com; s=arc-20160816; b=OhKDzCTgS60d2GC/LxvIS1rZ7wdbP0KALGaBjnBMGRtagvH7n+vRDlTiA9lh9HksD5 xQPL3LNVHNDWvmEx5uKtTugTvyDwCpFUkme0oVnFtwDgCDZpJbLuLjtMAc/TSd3mcDXk ppcf7raBZ7ldC/569Hplwq2racwgX/xfg3v5u5sWsY0ckEy4RYncqpSiq6gkS2X9PnKW YX/m+bAUWu+6Kb6PKmmJaYyaCAf/1OGyiZ7uZ4fTxlKx+UN1B0q/uK9t58sprEq5T/bW NpazSvm037toaV4gLn0Jyl3n/dhlDwvzRkdivGgGTNoaHUxwHDsiaWt485Jjpkz5yGxx lrFA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:mime-version:user-agent:references :in-reply-to:message-id:date:subject:cc:to:from :arc-authentication-results; bh=SrpTcMHoK6ABdlgNCoEDHbGEi+5dvXShjIfHhliCzpQ=; b=zbbwncdjYhhG6g4ppH2Bu5iDkSfqEl8bXkaVxqF+yM/iXxxAqmbJ2pQqXVjiUufqTr JA11BF8M8mFktrFwXqJOkHNtFZwFDwtwMnw9uJI8dbSBASb7kC7q1lykoLgCYAH6JBl5 YhFqF533I0nJcpEsQrRS5X/4MzFGdd+3UJTFs0NHW2JDP8UsAa0+wnCbqezExysmSXFH 3GStp58KUCDbmxWrarLS4WuWmlg6T7MSLKTAUgd8p8R1xqeld8Y5LovMHnMQR0hmW9FC 6FQB/RI+aBfy4JGq6MlYRcGVofe9evufvySKXk0LhYzzUKfMFEPHJk+tVVHbcmQq3O/W vX/Q== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id q7si447538pgt.517.2018.01.29.12.40.59; Mon, 29 Jan 2018 12:41:13 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1754068AbeA2UNJ (ORCPT + 99 others); Mon, 29 Jan 2018 15:13:09 -0500 Received: from mail.linuxfoundation.org ([140.211.169.12]:36744 "EHLO mail.linuxfoundation.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1754047AbeA2UNH (ORCPT ); Mon, 29 Jan 2018 15:13:07 -0500 Received: from localhost (LFbn-1-12258-90.w90-92.abo.wanadoo.fr [90.92.71.90]) by mail.linuxfoundation.org (Postfix) with ESMTPSA id 38DA02EE2; Mon, 29 Jan 2018 13:00:57 +0000 (UTC) From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Peter Senna Tschudin , Jonathan Dieter , Shuah Khan Subject: [PATCH 4.4 04/74] usbip: Fix potential format overflow in userspace tools Date: Mon, 29 Jan 2018 13:56:09 +0100 Message-Id: <20180129123847.719401890@linuxfoundation.org> X-Mailer: git-send-email 2.16.1 In-Reply-To: <20180129123847.507563674@linuxfoundation.org> References: <20180129123847.507563674@linuxfoundation.org> User-Agent: quilt/0.65 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org 4.4-stable review patch. If anyone has any objections, please let me know. ------------------ From: Jonathan Dieter commit e5dfa3f902b9a642ae8c6997d57d7c41e384a90b upstream. The usbip userspace tools call sprintf()/snprintf() and don't check for the return value which can lead the paths to overflow, truncating the final file in the path. More urgently, GCC 7 now warns that these aren't checked with -Wformat-overflow, and with -Werror enabled in configure.ac, that makes these tools unbuildable. This patch fixes these problems by replacing sprintf() with snprintf() in one place and adding checks for the return value of snprintf(). Reviewed-by: Peter Senna Tschudin Signed-off-by: Jonathan Dieter Acked-by: Shuah Khan Signed-off-by: Greg Kroah-Hartman --- tools/usb/usbip/libsrc/usbip_common.c | 9 ++++++++- tools/usb/usbip/libsrc/usbip_host_driver.c | 27 ++++++++++++++++++++++----- 2 files changed, 30 insertions(+), 6 deletions(-) --- a/tools/usb/usbip/libsrc/usbip_common.c +++ b/tools/usb/usbip/libsrc/usbip_common.c @@ -215,9 +215,16 @@ int read_usb_interface(struct usbip_usb_ struct usbip_usb_interface *uinf) { char busid[SYSFS_BUS_ID_SIZE]; + int size; struct udev_device *sif; - sprintf(busid, "%s:%d.%d", udev->busid, udev->bConfigurationValue, i); + size = snprintf(busid, sizeof(busid), "%s:%d.%d", + udev->busid, udev->bConfigurationValue, i); + if (size < 0 || (unsigned int)size >= sizeof(busid)) { + err("busid length %i >= %lu or < 0", size, + (unsigned long)sizeof(busid)); + return -1; + } sif = udev_device_new_from_subsystem_sysname(udev_context, "usb", busid); if (!sif) { --- a/tools/usb/usbip/libsrc/usbip_host_driver.c +++ b/tools/usb/usbip/libsrc/usbip_host_driver.c @@ -39,13 +39,19 @@ struct udev *udev_context; static int32_t read_attr_usbip_status(struct usbip_usb_device *udev) { char status_attr_path[SYSFS_PATH_MAX]; + int size; int fd; int length; char status; int value = 0; - snprintf(status_attr_path, SYSFS_PATH_MAX, "%s/usbip_status", - udev->path); + size = snprintf(status_attr_path, SYSFS_PATH_MAX, "%s/usbip_status", + udev->path); + if (size < 0 || (unsigned int)size >= sizeof(status_attr_path)) { + err("usbip_status path length %i >= %lu or < 0", size, + (unsigned long)sizeof(status_attr_path)); + return -1; + } fd = open(status_attr_path, O_RDONLY); if (fd < 0) { @@ -225,6 +231,7 @@ int usbip_host_export_device(struct usbi { char attr_name[] = "usbip_sockfd"; char sockfd_attr_path[SYSFS_PATH_MAX]; + int size; char sockfd_buff[30]; int ret; @@ -244,10 +251,20 @@ int usbip_host_export_device(struct usbi } /* only the first interface is true */ - snprintf(sockfd_attr_path, sizeof(sockfd_attr_path), "%s/%s", - edev->udev.path, attr_name); + size = snprintf(sockfd_attr_path, sizeof(sockfd_attr_path), "%s/%s", + edev->udev.path, attr_name); + if (size < 0 || (unsigned int)size >= sizeof(sockfd_attr_path)) { + err("exported device path length %i >= %lu or < 0", size, + (unsigned long)sizeof(sockfd_attr_path)); + return -1; + } - snprintf(sockfd_buff, sizeof(sockfd_buff), "%d\n", sockfd); + size = snprintf(sockfd_buff, sizeof(sockfd_buff), "%d\n", sockfd); + if (size < 0 || (unsigned int)size >= sizeof(sockfd_buff)) { + err("socket length %i >= %lu or < 0", size, + (unsigned long)sizeof(sockfd_buff)); + return -1; + } ret = write_sysfs_attribute(sockfd_attr_path, sockfd_buff, strlen(sockfd_buff));