Subject: Re: [PATCH 5/8] scsi: lpfc: change snprintf to scnprintf for possible overflow
From: James Smart
To: Kees Cook, Willy Tarreau
Cc: Silvio Cesare, LKML, Dick Kennedy, Dan Carpenter, Will Deacon, Greg KH
Date: Tue, 15 Jan 2019 14:41:17 -0800
References: <20190112152844.26550-1-w@1wt.eu> <20190112152844.26550-5-w@1wt.eu>
List: linux-kernel@vger.kernel.org

On 1/14/2019 5:15 PM, Kees Cook wrote:
> On Sat, Jan 12, 2019 at 7:29 AM Willy Tarreau wrote:
>> From: Silvio Cesare
>>
>> Change snprintf to scnprintf. There are generally two cases where using
>> snprintf causes problems.
>>
>> 1) Uses of size += snprintf(buf, SIZE - size, fmt, ...)
>> In this case, if snprintf would have written more characters than what the
>> buffer size (SIZE) is, then size will end up larger than SIZE. In later
>> uses of snprintf, SIZE - size will result in a negative number, leading
>> to problems. Note that size might already be too large by using
>> size = snprintf before the code reaches a case of size += snprintf.
>>
>> 2) If size is ultimately used as a length parameter for a copy back to user
>> space, then it will potentially allow for a buffer overflow and information
>> disclosure when size is greater than SIZE. When the size is used to index
>> the buffer directly, we can have memory corruption. This also means when
>> size = snprintf... is used, it may also cause problems since size may become
>> large. Copying to userspace is mitigated by the HARDENED_USERCOPY kernel
>> configuration.
>>
>> The solution to these issues is to use scnprintf which returns the number of
>> characters actually written to the buffer, so the size variable will never
>> exceed SIZE.
>>
>> Signed-off-by: Silvio Cesare
>> Cc: James Smart
>> Cc: Dick Kennedy
>> Cc: Dan Carpenter
>> Cc: Kees Cook
>> Cc: Will Deacon
>> Cc: Greg KH
>> Signed-off-by: Willy Tarreau
>
> I think this needs Cc: stable.
>
> Reviewed-by: Kees Cook
>
> -Kees
>

Reviewed-by: James Smart

-- james
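The two patterns from the quoted patch description, side by side in user-space C, as an added example that is not part of the thread or of the lpfc driver. `my_scnprintf` is a stand-in that re-implements the kernel's scnprintf() return semantics so the code builds outside the kernel; BUF_SIZE and the three sample fields are constructed for the demonstration.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 16 /* the SIZE of the patch description; constructed for this example */

/* Constructed sample input: three 10-character fields, each appended with a comma. */
static const char *const kFields[3] = { "0123456789", "abcdefghij", "klmnopqrst" };

/* User-space stand-in for the kernel's scnprintf(): returns the number of
 * characters actually written (NUL excluded), never more than size - 1.
 * Re-implemented here so the example builds outside the kernel. */
static int my_scnprintf(char *buf, size_t size, const char *fmt, ...)
{
	va_list args;
	int i;
	if (size == 0)
		return 0;
	va_start(args, fmt);
	i = vsnprintf(buf, size, fmt, args);
	va_end(args);
	return (size_t)i < size ? i : (int)(size - 1);
}

/* Buggy pattern 1: size += snprintf(buf + size, SIZE - size, ...). snprintf
 * returns what it WOULD have written, so after truncation size runs past
 * BUF_SIZE and SIZE - size wraps to a huge size_t. The loop stops at that
 * point instead of issuing the out-of-bounds write that real code would. */
static size_t append_snprintf(char *buf, const char *const fields[], int n, int *wrapped)
{
	size_t size = 0;
	*wrapped = 0;
	for (int i = 0; i < n; i++) {
		if (size > BUF_SIZE) { /* BUF_SIZE - size has wrapped */
			*wrapped = 1;
			break;
		}
		size += snprintf(buf + size, BUF_SIZE - size, "%s,", fields[i]);
	}
	return size;
}

/* Fixed pattern: same loop with scnprintf; size can never exceed BUF_SIZE - 1. */
static size_t append_scnprintf(char *buf, const char *const fields[], int n)
{
	size_t size = 0;
	for (int i = 0; i < n; i++)
		size += my_scnprintf(buf + size, BUF_SIZE - size, "%s,", fields[i]);
	return size;
}
```

With the sample fields the snprintf loop reports size 22 for a 16-byte buffer after only two fields, while the scnprintf loop stops at 15 and leaves the buffer holding "0123456789,abcd".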