Subject: Re: [PATCH 5/8] scsi: lpfc: change snprintf to scnprintf for possible overflow
From: James Smart
To: Greg KH
Cc: Kees Cook, Willy Tarreau, Silvio Cesare, LKML, Dick Kennedy, Dan Carpenter, Will Deacon
Date: Wed, 20 Mar 2019 13:27:02 -0700

On 3/20/2019 10:39 AM, Greg KH wrote:
> On Tue, Jan 15, 2019 at 02:41:17PM -0800, James Smart wrote:
>> On 1/14/2019 5:15 PM, Kees Cook wrote:
>>> On Sat, Jan 12, 2019 at 7:29 AM Willy Tarreau wrote:
>>>> From: Silvio Cesare
>>>>
>>>> Change snprintf to scnprintf. There are generally two cases where using
>>>> snprintf causes problems.
>>>>
>>>> 1) Uses of size += snprintf(buf, SIZE - size, fmt, ...)
>>>> In this case, if snprintf would have written more characters than what the
>>>> buffer size (SIZE) is, then size will end up larger than SIZE. In later
>>>> uses of snprintf, SIZE - size will result in a negative number, leading
>>>> to problems. Note that size might already be too large by using
>>>> size = snprintf before the code reaches a case of size += snprintf.
>>>>
>>>> 2) If size is ultimately used as a length parameter for a copy back to user
>>>> space, then it will potentially allow for a buffer overflow and information
>>>> disclosure when size is greater than SIZE. When the size is used to index
>>>> the buffer directly, we can have memory corruption. This also means when
>>>> size = snprintf... is used, it may also cause problems since size may become
>>>> large. Copying to userspace is mitigated by the HARDENED_USERCOPY kernel
>>>> configuration.
>>>>
>>>> The solution to these issues is to use scnprintf which returns the number of
>>>> characters actually written to the buffer, so the size variable will never
>>>> exceed SIZE.
>>>>
>>>> Signed-off-by: Silvio Cesare
>>>> Cc: James Smart
>>>> Cc: Dick Kennedy
>>>> Cc: Dan Carpenter
>>>> Cc: Kees Cook
>>>> Cc: Will Deacon
>>>> Cc: Greg KH
>>>> Signed-off-by: Willy Tarreau
>>> I think this needs Cc: stable.
>>>
>>> Reviewed-by: Kees Cook
>>>
>>> -Kees
>>>
>>
>> Reviewed-by: James Smart
> What ever happened to this patch? Did it get dropped somehow?
>
> thanks,
>
> greg k-h

I assume it wasn't pulled in by the scsi maintainers. I'll go ping them.

-- james
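
The return-value difference described in the quoted commit message, as an added example that is not part of the thread, the patch, or the lpfc driver. It is a userspace sketch: scnprintf_demo() is a stand-in written here for the kernel's scnprintf(), and the field names and sample value are constructed.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define SIZE 16

/* Userspace stand-in for the kernel's scnprintf(): returns the number of
 * characters actually stored in buf, not counting the trailing NUL. */
static int scnprintf_demo(char *buf, size_t size, const char *fmt, ...)
{
    va_list ap;
    int n;
    if (size == 0)
        return 0;
    va_start(ap, fmt);
    n = vsnprintf(buf, size, fmt, ap);
    va_end(ap);
    return n < 0 ? 0 : ((size_t)n < size ? n : (int)(size - 1));
}

/* Case 1: size += snprintf(...). Returns the space the next call would be
 * given (SIZE - size); the next call itself is deliberately not made. */
static int remaining_after_snprintf(const char *field)
{
    char buf[SIZE];
    int size = 0;
    size += snprintf(buf + size, SIZE - size, "wwpn=%s ", field);
    return SIZE - size; /* negative once the output was truncated */
}

/* Same accumulation with scnprintf semantics: size can never reach SIZE. */
static int total_with_scnprintf(const char *field, char *out)
{
    int size = 0;
    size += scnprintf_demo(out + size, SIZE - size, "wwpn=%s ", field);
    size += scnprintf_demo(out + size, SIZE - size, "state=%s", "online");
    return size;
}

int main(void)
{
    char buf[SIZE];
    const char *field = "20:00:00:00:c9:aa:bb:cc"; /* constructed sample value */
    printf("snprintf:  next call gets %d bytes\n", remaining_after_snprintf(field));
    printf("scnprintf: size=%d text=\"%s\"\n", total_with_scnprintf(field, buf), buf);
    return 0;
}
```

With snprintf the running total counts characters that were never stored, so any later use of size as a length or index reaches past the buffer; with scnprintf semantics the total always equals strlen() of the buffer.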