Received: by 2002:a05:6a10:6d10:0:0:0:0 with SMTP id gq16csp2967437pxb;
        Mon, 18 Apr 2022 12:11:47 -0700 (PDT)
X-Google-Smtp-Source: ABdhPJyX7A6X0KNgo6nLxGRmuafcZBwE69qTZ7mSm435ZphgMtIP92nwcfWL/L7k7ol//sdHZVFu
X-Received: by 2002:a17:902:ed89:b0:15a:d3e:ada6 with SMTP id e9-20020a170902ed8900b0015a0d3eada6mr106366plj.94.1650309107311;
        Mon, 18 Apr 2022 12:11:47 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1650309107; cv=none;
        d=google.com; s=arc-20160816;
        b=Qddhr7Fm4OgbZzPa5tzGTehK1ObiwMbOQomYxWOXGe0NFm0FMyHc8EKX1zpnj9771M
         ApZ62j1VeIkmk4E2MC3wM54IAzOkkTnFHSRH5lNL06vrhcCR+L0qqg9Vg7xcZiin2R3p
         vYzyMHCM9WmfrZE+Kz3O6UfBYvEncQQ+MSOtreIcd6U6j8P28Yw7D3QzLoA0LPuFdSYf
         wqU0g2YygNt80WqN9Hdecmp0P2TBmXwybFmuf0NR/hfXeqqEeXcL0Y1fhPEfxAtwb7yO
         +FACZwV9NGDIB9W/7HQkKoGqGXCp3mXljQM7If1jlvKY0OonvfeW2iash+nXTsE6+42u
         64zA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:content-transfer-encoding:mime-version
         :user-agent:references:in-reply-to:message-id:date:subject:cc:to
         :from:dkim-signature;
        bh=V8XwVHbmXf7gYP2gtuXVib0kfpje2JtVHal/AyUky2I=;
        b=0pW+jFvpap1WVlpFLTZMtYMzyeKyKB6yg/VaGDdaAra/cb+c9IpoS+ped7/wxfgMHT
         Txv63m9jKdQVdtZzHQosqlWTmwxSRO0PlJArPF9AQtWmIDWDptNXSPKQh/oozKd/BB46
         aYo3cDWc2uPPhzfjWVvyrhX+J3VKIPcJXqKWPx4YJCNZXFt47/pvsOHhkuNlymH4Am0J
         W2tGeOVCE4DqiR3NaPSCLsVTmAiqDaBVfSU3RqfX575uVCGHoRt4gxS/m5ydpFKGbbGj
         7avDa0U/MNsfedGdtm9ip79V34MqPbvzUSsBKpDU9Q3ZggynMWMc6yEoJAm7oQmEhe0T
         QUOg==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=oifCUZBI;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20])
        by mx.google.com with ESMTP id e13-20020a17090ab38d00b001d2a7b7f612si141777pjr.8.2022.04.18.12.11.30;
        Mon, 18 Apr 2022 12:11:47 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=oifCUZBI;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S238812AbiDRM0f (ORCPT <rfc822;alexander.kapshuk@gmail.com>
        + 99 others); Mon, 18 Apr 2022 08:26:35 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:33520 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S238655AbiDRMZg (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Mon, 18 Apr 2022 08:25:36 -0400
Received: from dfw.source.kernel.org (dfw.source.kernel.org [IPv6:2604:1380:4641:c500::1])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 4662520BEC;
        Mon, 18 Apr 2022 05:19:36 -0700 (PDT)
Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140])
        (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
        (No client certificate requested)
        by dfw.source.kernel.org (Postfix) with ESMTPS id 8EE8A60F0A;
        Mon, 18 Apr 2022 12:19:35 +0000 (UTC)
Received: by smtp.kernel.org (Postfix) with ESMTPSA id 990EFC385A1;
        Mon, 18 Apr 2022 12:19:34 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org;
        s=korg; t=1650284375;
        bh=nPwFMTObJZF4cTLhVCXsSyXs7ixQvWyzMUK/7568deg=;
        h=From:To:Cc:Subject:Date:In-Reply-To:References:From;
        b=oifCUZBIJtIaBI0/OLYdQ6/lYfCg5X02ewUSR7DkSIABB2FidCnpljgFswg4+irh0
         OmHLBCK6iXuIegShMPWZAWr0zIoM1l1kyQUtVw0r54PMr+UaVlEYuuv/jwtrD0Ld1d
         CGtIOFcrfkeOn2wF+JvKRhn9Qc+JhR0nmRou/How=
From:   Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To:     linux-kernel@vger.kernel.org
Cc:     Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
        stable@vger.kernel.org, Karsten Graul <kgraul@linux.ibm.com>,
        Jakub Kicinski <kuba@kernel.org>,
        Sasha Levin <sashal@kernel.org>
Subject: [PATCH 5.17 094/219] net/smc: use memcpy instead of snprintf to avoid out of bounds read
Date:   Mon, 18 Apr 2022 14:11:03 +0200
Message-Id: <20220418121209.336563326@linuxfoundation.org>
X-Mailer: git-send-email 2.35.3
In-Reply-To: <20220418121203.462784814@linuxfoundation.org>
References: <20220418121203.462784814@linuxfoundation.org>
User-Agent: quilt/0.66
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-Spam-Status: No, score=-7.7 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH,
        DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_HI,
        SPF_HELO_NONE,SPF_PASS,T_SCC_BODY_TEXT_LINE autolearn=ham
        autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
        lindbergh.monkeyblade.net
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

From: Karsten Graul <kgraul@linux.ibm.com>

[ Upstream commit b1871fd48efc567650dbdc974e5a2342a03fe0d2 ]

Using snprintf() to convert not null-terminated strings to null
terminated strings may cause out of bounds read in the source string.
Therefore use memcpy() and terminate the target string with a null
afterwards.

Fixes: fa0866625543 ("net/smc: add support for user defined EIDs")
Fixes: 3c572145c24e ("net/smc: add generic netlink support for system EID")
Signed-off-by: Karsten Graul <kgraul@linux.ibm.com>
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/smc/smc_clc.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/net/smc/smc_clc.c b/net/smc/smc_clc.c
index ce27399b38b1..f9f3f59c79de 100644
--- a/net/smc/smc_clc.c
+++ b/net/smc/smc_clc.c
@@ -191,7 +191,8 @@ static int smc_nl_ueid_dumpinfo(struct sk_buff *skb, u32 portid, u32 seq,
 			  flags, SMC_NETLINK_DUMP_UEID);
 	if (!hdr)
 		return -ENOMEM;
-	snprintf(ueid_str, sizeof(ueid_str), "%s", ueid);
+	memcpy(ueid_str, ueid, SMC_MAX_EID_LEN);
+	ueid_str[SMC_MAX_EID_LEN] = 0;
 	if (nla_put_string(skb, SMC_NLA_EID_TABLE_ENTRY, ueid_str)) {
 		genlmsg_cancel(skb, hdr);
 		return -EMSGSIZE;
@@ -252,7 +253,8 @@ int smc_nl_dump_seid(struct sk_buff *skb, struct netlink_callback *cb)
 		goto end;
 
 	smc_ism_get_system_eid(&seid);
-	snprintf(seid_str, sizeof(seid_str), "%s", seid);
+	memcpy(seid_str, seid, SMC_MAX_EID_LEN);
+	seid_str[SMC_MAX_EID_LEN] = 0;
 	if (nla_put_string(skb, SMC_NLA_SEID_ENTRY, seid_str))
 		goto err;
 	read_lock(&smc_clc_eid_table.lock);
-- 
2.35.1