Re: [PATCH] scsi: target: configfs: bound snprintf return in tg_pt_gp_members_show

Next message: KobaK: "[PATCH v2] cxl/region: Validate partition index before array access"
Previous message: Thinh Nguyen: "Re: [PATCH v2 2/2] usb: dwc3: starfive: Add JHB100 USB 2.0 DRD controller"
In reply to: Greg Kroah-Hartman: "[PATCH] scsi: target: configfs: bound snprintf return in tg_pt_gp_members_show"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Martin K. Petersen

Date: Mon Apr 13 2026 - 22:44:47 EST

Greg,

> target_tg_pt_gp_members_show() formats LUN paths with snprintf() into
> a 256-byte stack buffer, then will memcpy cur_len bytes from that
> buffer. snprintf() returns the length the output would have had, which
> can exceed the buffer size when the fabric WWN is long because iSCSI
> IQN names can be up to 223 bytes. The check at the memcpy site only
> guards the destination page write, not the source read, so memcpy()
> will read past the stack buffer and copy adjacent stack contents to
> the sysfs reader, which when CONFIG_FORTIFY_SOURCE is enabled,
> fortify_panic() will be triggered.

Applied to 7.1/scsi-staging, thanks!

--
Martin K. Petersen