Commit 181aea89 authored by Takashi Iwai's avatar Takashi Iwai Committed by Martin K. Petersen

scsi: smartpqi: Use scnprintf() for avoiding potential buffer overflow

Since snprintf() returns the would-be-output size instead of the actual
output size, the succeeding calls may go beyond the given buffer limit.
Fix it by replacing with scnprintf().

Link: https://lore.kernel.org/r/20200315094241.9086-9-tiwai@suse.de
Cc: "James E . J . Bottomley" <jejb@linux.ibm.com>
Cc: "Martin K . Petersen" <martin.petersen@oracle.com>
Cc: Don Brace <don.brace@microsemi.com>
Cc: linux-scsi@vger.kernel.org
Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
Signed-off-by: default avatarMartin K. Petersen <martin.petersen@oracle.com>
parent 81546b32
...@@ -1614,28 +1614,28 @@ static void pqi_dev_info(struct pqi_ctrl_info *ctrl_info, ...@@ -1614,28 +1614,28 @@ static void pqi_dev_info(struct pqi_ctrl_info *ctrl_info,
"%d:%d:", ctrl_info->scsi_host->host_no, device->bus); "%d:%d:", ctrl_info->scsi_host->host_no, device->bus);
if (device->target_lun_valid) if (device->target_lun_valid)
count += snprintf(buffer + count, count += scnprintf(buffer + count,
PQI_DEV_INFO_BUFFER_LENGTH - count, PQI_DEV_INFO_BUFFER_LENGTH - count,
"%d:%d", "%d:%d",
device->target, device->target,
device->lun); device->lun);
else else
count += snprintf(buffer + count, count += scnprintf(buffer + count,
PQI_DEV_INFO_BUFFER_LENGTH - count, PQI_DEV_INFO_BUFFER_LENGTH - count,
"-:-"); "-:-");
if (pqi_is_logical_device(device)) if (pqi_is_logical_device(device))
count += snprintf(buffer + count, count += scnprintf(buffer + count,
PQI_DEV_INFO_BUFFER_LENGTH - count, PQI_DEV_INFO_BUFFER_LENGTH - count,
" %08x%08x", " %08x%08x",
*((u32 *)&device->scsi3addr), *((u32 *)&device->scsi3addr),
*((u32 *)&device->scsi3addr[4])); *((u32 *)&device->scsi3addr[4]));
else else
count += snprintf(buffer + count, count += scnprintf(buffer + count,
PQI_DEV_INFO_BUFFER_LENGTH - count, PQI_DEV_INFO_BUFFER_LENGTH - count,
" %016llx", device->sas_address); " %016llx", device->sas_address);
count += snprintf(buffer + count, PQI_DEV_INFO_BUFFER_LENGTH - count, count += scnprintf(buffer + count, PQI_DEV_INFO_BUFFER_LENGTH - count,
" %s %.8s %.16s ", " %s %.8s %.16s ",
pqi_device_type(device), pqi_device_type(device),
device->vendor, device->vendor,
...@@ -1643,19 +1643,19 @@ static void pqi_dev_info(struct pqi_ctrl_info *ctrl_info, ...@@ -1643,19 +1643,19 @@ static void pqi_dev_info(struct pqi_ctrl_info *ctrl_info,
if (pqi_is_logical_device(device)) { if (pqi_is_logical_device(device)) {
if (device->devtype == TYPE_DISK) if (device->devtype == TYPE_DISK)
count += snprintf(buffer + count, count += scnprintf(buffer + count,
PQI_DEV_INFO_BUFFER_LENGTH - count, PQI_DEV_INFO_BUFFER_LENGTH - count,
"SSDSmartPathCap%c En%c %-12s", "SSDSmartPathCap%c En%c %-12s",
device->raid_bypass_configured ? '+' : '-', device->raid_bypass_configured ? '+' : '-',
device->raid_bypass_enabled ? '+' : '-', device->raid_bypass_enabled ? '+' : '-',
pqi_raid_level_to_string(device->raid_level)); pqi_raid_level_to_string(device->raid_level));
} else { } else {
count += snprintf(buffer + count, count += scnprintf(buffer + count,
PQI_DEV_INFO_BUFFER_LENGTH - count, PQI_DEV_INFO_BUFFER_LENGTH - count,
"AIO%c", device->aio_enabled ? '+' : '-'); "AIO%c", device->aio_enabled ? '+' : '-');
if (device->devtype == TYPE_DISK || if (device->devtype == TYPE_DISK ||
device->devtype == TYPE_ZBC) device->devtype == TYPE_ZBC)
count += snprintf(buffer + count, count += scnprintf(buffer + count,
PQI_DEV_INFO_BUFFER_LENGTH - count, PQI_DEV_INFO_BUFFER_LENGTH - count,
" qd=%-6d", device->queue_depth); " qd=%-6d", device->queue_depth);
} }
...@@ -6191,14 +6191,14 @@ static ssize_t pqi_lockup_action_show(struct device *dev, ...@@ -6191,14 +6191,14 @@ static ssize_t pqi_lockup_action_show(struct device *dev,
for (i = 0; i < ARRAY_SIZE(pqi_lockup_actions); i++) { for (i = 0; i < ARRAY_SIZE(pqi_lockup_actions); i++) {
if (pqi_lockup_actions[i].action == pqi_lockup_action) if (pqi_lockup_actions[i].action == pqi_lockup_action)
count += snprintf(buffer + count, PAGE_SIZE - count, count += scnprintf(buffer + count, PAGE_SIZE - count,
"[%s] ", pqi_lockup_actions[i].name); "[%s] ", pqi_lockup_actions[i].name);
else else
count += snprintf(buffer + count, PAGE_SIZE - count, count += scnprintf(buffer + count, PAGE_SIZE - count,
"%s ", pqi_lockup_actions[i].name); "%s ", pqi_lockup_actions[i].name);
} }
count += snprintf(buffer + count, PAGE_SIZE - count, "\n"); count += scnprintf(buffer + count, PAGE_SIZE - count, "\n");
return count; return count;
} }
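Review bot: In pqi_lockup_action_show, which looks like a sysfs show callback, the three writes still compute their bound by hand as `PAGE_SIZE - count`. On trees that provide it, `count += sysfs_emit_at(buffer, count, "[%s] ", pqi_lockup_actions[i].name);` (and the same form for the `"%s "` and `"\n"` writes) lets the helper enforce the page limit and sanity-check the offset. With scnprintf() an over-long list is now truncated silently rather than overrunning, which is the safer failure. It still relies on the action names being short, and the pqi_lockup_actions table is not visible on this page to confirm that. The function's opening lines, including the initialisation of `count`, are outside the hunk.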