kernel/linux.git - Linux kernel stable tree (mirror)

Age	Commit message (Collapse)	Author	Files	Lines
2025-11-24	scsi: libfc: Fix potential buffer overflow in fc_ct_ms_fill()	Alok Tiwari	1	-1/+1
	[ Upstream commit 072fdd4b0be9b9051bdf75f36d0227aa705074ba ] The fc_ct_ms_fill() helper currently formats the OS name and version into entry->value using "%s v%s". Since init_utsname()->sysname and ->release are unbounded strings, snprintf() may attempt to write more than FC_FDMI_HBA_ATTR_OSNAMEVERSION_LEN bytes, triggering a -Wformat-truncation warning with W=1. In file included from drivers/scsi/libfc/fc_elsct.c:18: drivers/scsi/libfc/fc_encode.h: In function ‘fc_ct_ms_fill.constprop’: drivers/scsi/libfc/fc_encode.h:359:30: error: ‘%s’ directive output may be truncated writing up to 64 bytes into a region of size between 62 and 126 [-Werror=format-truncation=] 359 \| "%s v%s", \| ^~ 360 \| init_utsname()->sysname, 361 \| init_utsname()->release); \| ~~~~~~~~~~~~~~~~~~~~~~~ drivers/scsi/libfc/fc_encode.h:357:17: note: ‘snprintf’ output between 3 and 131 bytes into a destination of size 128 357 \| snprintf((char *)&entry->value, \| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 358 \| FC_FDMI_HBA_ATTR_OSNAMEVERSION_LEN, \| ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 359 \| "%s v%s", \| ~~~~~~~~~ 360 \| init_utsname()->sysname, \| ~~~~~~~~~~~~~~~~~~~~~~~~ 361 \| init_utsname()->release); \| ~~~~~~~~~~~~~~~~~~~~~~~~ Fix this by using "%.62s v%.62s", which ensures sysname and release are truncated to fit within the 128-byte field defined by FC_FDMI_HBA_ATTR_OSNAMEVERSION_LEN. [mkp: clarified commit description] Signed-off-by: Alok Tiwari <alok.a.tiwari@oracle.com> Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com> Signed-off-by: Sasha Levin <sashal@kernel.org>
2022-02-28	scsi: libfc: Replace one-element arrays with flexible-array members	Gustavo A. R. Silva	1	-1/+1
	Use flexible-array members in struct fc_fdmi_attr_entry and fs_fdmi_attrs instead of one-element arrays, and refactor the code accordingly. Also, this helps with the ongoing efforts to globally enable -Warray-bounds and get us closer to being able to tighten the FORTIFY_SOURCE routines on memcpy(). https://github.com/KSPP/linux/issues/79 https://github.com/ClangBuiltLinux/linux/issues/1590 Link: https://lore.kernel.org/r/20220214223903.GA859464@embeddedor Signed-off-by: Gustavo A. R. Silva <gustavoars@kernel.org> Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
2021-06-10	scsi: libfc: Add FDMI-2 attributes	Javed Hasan	1	-6/+248
	Add all attributes for RHBA and RPA registration. Fallback mechanism is added between RBHA V2 and RHBA V1 attributes. In case RHBA get fails for V2 attributes we fall back to V1 attribute registration. Link: https://lore.kernel.org/r/20210603121623.10084-4-jhasan@marvell.com Reviewed-by: Himanshu Madhani <himanshu.madhani@oracle.com> Signed-off-by: Javed Hasan <jhasan@marvell.com> Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
2021-06-10	scsi: libfc: Correct the condition check and invalid argument passed	Javed Hasan	1	-3/+5
	Incorrect condition check was leading to data corruption. Link: https://lore.kernel.org/r/20210603101404.7841-3-jhasan@marvell.com Fixes: 8fd9efca86d0 ("scsi: libfc: Work around -Warray-bounds warning") CC: stable@vger.kernel.org Reviewed-by: Himanshu Madhani <himanshu.madhani@oracle.com> Signed-off-by: Javed Hasan <jhasan@marvell.com> Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
2020-10-30	scsi: libfc: Work around -Warray-bounds warning	Arnd Bergmann	1	-11/+19
	Building libfc with gcc -Warray-bounds identifies a number of cases in one file where a strncpy() is performed into a single-byte character array: In file included from include/linux/bitmap.h:9, from include/linux/cpumask.h:12, from include/linux/smp.h:13, from include/linux/lockdep.h:14, from include/linux/spinlock.h:59, from include/linux/debugobjects.h:6, from include/linux/timer.h:8, from include/scsi/libfc.h:11, from drivers/scsi/libfc/fc_elsct.c:17: In function 'strncpy', inlined from 'fc_ct_ms_fill.constprop' at drivers/scsi/libfc/fc_encode.h:235:3: include/linux/string.h:290:30: warning: '__builtin_strncpy' offset [56, 135] from the object at 'pp' is out of the bounds of referenced subobject 'value' with type '__u8[1]' {aka 'unsigned char[1]'} at offset 56 [-Warray-bounds] 290 \| #define __underlying_strncpy __builtin_strncpy \| ^ include/linux/string.h:300:9: note: in expansion of macro '__underlying_strncpy' 300 \| return __underlying_strncpy(p, q, size); \| ^~~~~~~~~~~~~~~~~~~~ This is not a bug because the 1-byte array is used as an odd way to express a variable-length data field here. I tried to convert it to a flexible-array member, but in the end could not figure out why the sizeof(struct fc_fdmi_???) are used the way they are, and how to properly convert those. Work around this instead by abstracting the string copy in a slightly higher-level function fc_ct_hdr_fill() helper that strscpy() and memset() to achieve the same result as strncpy() but does not require a zero-terminated input and does not get checked for the array overflow because gcc (so far) does not understand the behavior of strscpy(). Link: https://lore.kernel.org/r/20201026160705.3706396-2-arnd@kernel.org Signed-off-by: Arnd Bergmann <arnd@arndb.de> Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
2020-10-30	scsi: libfc: Move scsi/fc_encode.h to libfc	Arnd Bergmann	1	-0/+699
	Most of this file is only used inside of libfc, so move it to where it is actually used, with only fc_fill_fc_hdr() left inside of the header. Link: https://lore.kernel.org/r/20201026160705.3706396-1-arnd@kernel.org Reported-by: kernel test robot <lkp@intel.com> Signed-off-by: Arnd Bergmann <arnd@arndb.de> Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>