Re: [PATCH] scsi: libfc: Fix potential buffer overflow in fc_ct_ms_fill()
From: Martin K. Petersen
Date: Mon Sep 29 2025 - 22:37:09 EST
On Mon, 15 Sep 2025 11:37:57 -0700, Alok Tiwari wrote:
> The fc_ct_ms_fill() helper currently formats the OS name and version
> into entry->value using "%s v%s". Since init_utsname()->sysname and
> ->release are unbounded strings, snprintf() may attempt to write more
> than FC_FDMI_HBA_ATTR_OSNAMEVERSION_LEN bytes, triggering a
> -Wformat-truncation warning with W=1.
>
> In file included from drivers/scsi/libfc/fc_elsct.c:18:
> drivers/scsi/libfc/fc_encode.h: In function ‘fc_ct_ms_fill.constprop’:
> drivers/scsi/libfc/fc_encode.h:359:30: error: ‘%s’ directive output may
> be truncated writing up to 64 bytes into a region of size between 62
> and 126 [-Werror=format-truncation=]
> 359 | "%s v%s",
> | ^~
> 360 | init_utsname()->sysname,
> 361 | init_utsname()->release);
> | ~~~~~~~~~~~~~~~~~~~~~~~
> drivers/scsi/libfc/fc_encode.h:357:17: note: ‘snprintf’ output between
> 3 and 131 bytes into a destination of size 128
> 357 | snprintf((char *)&entry->value,
> | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> 358 | FC_FDMI_HBA_ATTR_OSNAMEVERSION_LEN,
> | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> 359 | "%s v%s",
> | ~~~~~~~~~
> 360 | init_utsname()->sysname,
> | ~~~~~~~~~~~~~~~~~~~~~~~~
> 361 | init_utsname()->release);
> | ~~~~~~~~~~~~~~~~~~~~~~~~
>
> [...]
Applied to 6.18/scsi-queue, thanks!
[1/1] scsi: libfc: Fix potential buffer overflow in fc_ct_ms_fill()
https://git.kernel.org/mkp/scsi/c/072fdd4b0be9
--
Martin K. Petersen
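
The truncation the quoted warning describes, reproduced in user space as an added example (not code from the patch or from libfc). The function names, the guard byte and the 62/63 precision split are assumptions for illustration; the 128-byte destination and 64-character fields come from the warning text.

```c
#include <stdio.h>
#include <string.h>

/* Sizes assumed from the quoted warning: 128-byte destination,
 * up to 64 characters per %s argument. */
#define VALUE_LEN 128
#define FIELD_MAX 64

/* Unbounded "%s v%s": returns the length snprintf() wanted to write
 * (excluding the NUL). A result >= dst_len means the output was cut. */
static int fill_unbounded(char *dst, size_t dst_len,
                          const char *sysname, const char *release)
{
    return snprintf(dst, dst_len, "%s v%s", sysname, release);
}

/* Bounded variant (hypothetical): precision caps each field so that
 * 62 + strlen(" v") + 63 + NUL == 128 always fits. */
static int fill_bounded(char *dst, size_t dst_len,
                        const char *sysname, const char *release)
{
    return snprintf(dst, dst_len, "%.62s v%.63s", sysname, release);
}

/* Constructed worst case: both fields at 64 characters. Returns the
 * snprintf() result and reports what was actually stored. */
static int worst_case(int bounded, size_t *stored, int *guard_intact)
{
    char sysname[FIELD_MAX + 1], release[FIELD_MAX + 1];
    char buf[VALUE_LEN + 1];
    memset(sysname, 'S', FIELD_MAX); sysname[FIELD_MAX] = '\0';
    memset(release, 'r', FIELD_MAX); release[FIELD_MAX] = '\0';
    memset(buf, '#', sizeof(buf));      /* buf[VALUE_LEN] is a guard byte */
    int n = bounded ? fill_bounded(buf, VALUE_LEN, sysname, release)
                    : fill_unbounded(buf, VALUE_LEN, sysname, release);
    *guard_intact = (buf[VALUE_LEN] == '#');
    *stored = strlen(buf);
    return n;
}

int main(void)
{
    size_t stored; int guard;
    int n = worst_case(0, &stored, &guard);
    printf("unbounded: wanted %d, stored %zu, guard intact %d\n", n, stored, guard);
    n = worst_case(1, &stored, &guard);
    printf("bounded:   wanted %d, stored %zu, guard intact %d\n", n, stored, guard);
    return 0;
}
```

In the unbounded case snprintf() stops at the size it was given, so the destination is not overrun; the return value exceeding the buffer size is the only signal that characters were dropped.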