Received: by 10.223.176.5 with SMTP id f5csp1138638wra; Wed, 7 Feb 2018 13:24:44 -0800 (PST) X-Google-Smtp-Source: AH8x227VfDo31mam57X6zImXY0fZCkoCiV8Tgui/23QgVOg/K475wpXeeUGY1BtAmTDcZSd0DUZ3 X-Received: by 10.98.223.194 with SMTP id d63mr7313075pfl.17.1518038683953; Wed, 07 Feb 2018 13:24:43 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1518038683; cv=none; d=google.com; s=arc-20160816; b=uWc4fB2TiZgv4bc0esTzSVj8Tg04PODaoSCVw63jMzeF2e22MUGsChMxgdtuHBUKe+ LUWIP2ITxecjxwPBbLSKOGA02AUr6EwRzaEUHSK6hHTymg7aErq/0lP4iuqrqZso3oh3 En/povv+vlxGA3vU5iOoI/12BrLkLALlwcHMYGEFJpI3e4DjQTr5NsIm8Q+6wVpkti5z TANk+T/Mg2ZLiKEi1PrFdXozWRoWHrdDXUX30CZ2iMcTXV/KIvswi+XTLMAFnow9QtUQ X8ltLoeNBeHE9nnc32MbDfHW74EowdYkg1djRksRlQeVi8WgPSNFy+3s3Ke2QAc+7Fdm V7sQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:references:in-reply-to:references :in-reply-to:message-id:date:subject:cc:to:from :arc-authentication-results; bh=RESX7CiUvvQ2tpu37/3rVgwPDbY4mYYX4fdg4ANKLrM=; b=JZBGl8KjFmPL4a1aDixGdH5xEe3h8uGDHTV9EMF/DIdPjkjJrf40Y35u/Gu4u/sjth WDvE5AocGslrGpSIKYsUSR4PgW9DgF5LbUD441eZDiDF5QQbu6Xl4M9YVskYDQQ4m91Y c/ojlaT1ZCc2bTB9Kzx6/G6NKPSGqFz77DIBFKMgfPrOG9BUZK5idvE9/9biqmxC/fIK SxIN+Vh+NoCZPmFZEGKxI/4Ac/q5IDvBfFOMoDwgEcYK6Q3XVP/tbZ7DKrM8FHdn9RsV F5qRnw++FVdnJpHzV7dt53qJIpQORxof96ZVXKN3DOB+pzPqIIBUDuyc51kGcSfH5NmP zs9g== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=samsung.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id g4si321955pfm.125.2018.02.07.13.24.29; Wed, 07 Feb 2018 13:24:43 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=samsung.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1754949AbeBGVXS (ORCPT + 99 others); Wed, 7 Feb 2018 16:23:18 -0500 Received: from osg.samsung.com ([64.30.133.232]:64463 "EHLO osg.samsung.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S932247AbeBGVVC (ORCPT ); Wed, 7 Feb 2018 16:21:02 -0500 Received: from localhost (localhost [127.0.0.1]) by osg.samsung.com (Postfix) with ESMTP id 0F9C21B2A4; Wed, 7 Feb 2018 13:21:02 -0800 (PST) X-Virus-Scanned: Debian amavisd-new at dev.s-opensource.com X-Amavis-Alert: BAD HEADER SECTION, Duplicate header field: "References" Received: from osg.samsung.com ([127.0.0.1]) by localhost (localhost [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nDljoJ0klvcw; Wed, 7 Feb 2018 13:21:01 -0800 (PST) Received: from localhost.localdomain (c-24-9-64-241.hsd1.co.comcast.net [24.9.64.241]) by osg.samsung.com (Postfix) with ESMTPSA id 299A51B271; Wed, 7 Feb 2018 13:20:56 -0800 (PST) From: Shuah Khan To: valentina.manea.m@gmail.com, shuah@kernel.org, gregkh@linuxfoundation.org, jdieter@lesbg.com Cc: Shuah Khan , peter.senna@gmail.com, linux-usb@vger.kernel.org, linux-kernel@vger.kernel.org, stable@vger.kernel.org Subject: [PATCH 3.18 4/9] usbip: Fix potential format overflow in userspace tools Date: Wed, 7 Feb 2018 14:20:27 -0700 Message-Id: X-Mailer: git-send-email 2.14.1 In-Reply-To: References: In-Reply-To: References: Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Upstream commit e5dfa3f902b9 ("usbip: Fix potential format overflow in userspace tools") The usbip userspace tools call sprintf()/snprintf() and don't check for the return value which can lead the paths to overflow, truncating the final file in the path. More urgently, GCC 7 now warns that these aren't checked with -Wformat-overflow, and with -Werror enabled in configure.ac, that makes these tools unbuildable. This patch fixes these problems by replacing sprintf() with snprintf() in one place and adding checks for the return value of snprintf(). Signed-off-by: Shuah Khan --- tools/usb/usbip/libsrc/usbip_common.c | 9 ++++++++- tools/usb/usbip/libsrc/usbip_host_driver.c | 27 ++++++++++++++++++++++----- 2 files changed, 30 insertions(+), 6 deletions(-) diff --git a/tools/usb/usbip/libsrc/usbip_common.c b/tools/usb/usbip/libsrc/usbip_common.c index ac73710473de..8000445ff884 100644 --- a/tools/usb/usbip/libsrc/usbip_common.c +++ b/tools/usb/usbip/libsrc/usbip_common.c @@ -215,9 +215,16 @@ int read_usb_interface(struct usbip_usb_device *udev, int i, struct usbip_usb_interface *uinf) { char busid[SYSFS_BUS_ID_SIZE]; + int size; struct udev_device *sif; - sprintf(busid, "%s:%d.%d", udev->busid, udev->bConfigurationValue, i); + size = snprintf(busid, sizeof(busid), "%s:%d.%d", + udev->busid, udev->bConfigurationValue, i); + if (size < 0 || (unsigned int)size >= sizeof(busid)) { + err("busid length %i >= %lu or < 0", size, + (unsigned long)sizeof(busid)); + return -1; + } sif = udev_device_new_from_subsystem_sysname(udev_context, "usb", busid); if (!sif) { diff --git a/tools/usb/usbip/libsrc/usbip_host_driver.c b/tools/usb/usbip/libsrc/usbip_host_driver.c index bef08d5c44e8..071b9ce99420 100644 --- a/tools/usb/usbip/libsrc/usbip_host_driver.c +++ b/tools/usb/usbip/libsrc/usbip_host_driver.c @@ -39,13 +39,19 @@ struct udev *udev_context; static int32_t read_attr_usbip_status(struct usbip_usb_device *udev) { char status_attr_path[SYSFS_PATH_MAX]; + int size; int fd; int length; char status; int value = 0; - snprintf(status_attr_path, SYSFS_PATH_MAX, "%s/usbip_status", - udev->path); + size = snprintf(status_attr_path, SYSFS_PATH_MAX, "%s/usbip_status", + udev->path); + if (size < 0 || (unsigned int)size >= sizeof(status_attr_path)) { + err("usbip_status path length %i >= %lu or < 0", size, + (unsigned long)sizeof(status_attr_path)); + return -1; + } fd = open(status_attr_path, O_RDONLY); if (fd < 0) { @@ -225,6 +231,7 @@ int usbip_host_export_device(struct usbip_exported_device *edev, int sockfd) { char attr_name[] = "usbip_sockfd"; char sockfd_attr_path[SYSFS_PATH_MAX]; + int size; char sockfd_buff[30]; int ret; @@ -244,10 +251,20 @@ int usbip_host_export_device(struct usbip_exported_device *edev, int sockfd) } /* only the first interface is true */ - snprintf(sockfd_attr_path, sizeof(sockfd_attr_path), "%s/%s", - edev->udev.path, attr_name); + size = snprintf(sockfd_attr_path, sizeof(sockfd_attr_path), "%s/%s", + edev->udev.path, attr_name); + if (size < 0 || (unsigned int)size >= sizeof(sockfd_attr_path)) { + err("exported device path length %i >= %lu or < 0", size, + (unsigned long)sizeof(sockfd_attr_path)); + return -1; + } - snprintf(sockfd_buff, sizeof(sockfd_buff), "%d\n", sockfd); + size = snprintf(sockfd_buff, sizeof(sockfd_buff), "%d\n", sockfd); + if (size < 0 || (unsigned int)size >= sizeof(sockfd_buff)) { + err("socket length %i >= %lu or < 0", size, + (unsigned long)sizeof(sockfd_buff)); + return -1; + } ret = write_sysfs_attribute(sockfd_attr_path, sockfd_buff, strlen(sockfd_buff)); -- 2.14.1