All of lore.kernel.org
 help / color / mirror / Atom feed
* [PATCH] nvmet: fixup buffer overrun in nvmet_subsys_attr_serial()
@ 2021-08-27  9:29 Hannes Reinecke
  2021-08-27 16:26 ` Christoph Hellwig
  0 siblings, 1 reply; 4+ messages in thread
From: Hannes Reinecke @ 2021-08-27  9:29 UTC (permalink / raw)
  To: Christoph Hellwig
  Cc: Martin K. Petersen, Sagi Grimberg, linux-nvme, Hannes Reinecke

The serial number is copied into the buffer via memcpy_and_pad()
with the length NVMET_SN_MAX_SIZE. So when printing out we also
need to take just that length as anything beyond that will be
uninitialized.

Signed-off-by: Hannes Reinecke <hare@suse.de>
---
 drivers/nvme/target/configfs.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/nvme/target/configfs.c b/drivers/nvme/target/configfs.c
index 008be02fbac9..255db21b73ee 100644
--- a/drivers/nvme/target/configfs.c
+++ b/drivers/nvme/target/configfs.c
@@ -1113,7 +1113,7 @@ static ssize_t nvmet_subsys_attr_serial_show(struct config_item *item,
 {
 	struct nvmet_subsys *subsys = to_subsys(item);
 
-	return snprintf(page, PAGE_SIZE, "%s\n", subsys->serial);
+	return snprintf(page, NVMET_SN_MAX_SIZE, "%s\n", subsys->serial);
 }
 
 static ssize_t
-- 
2.29.2


_______________________________________________
Linux-nvme mailing list
Linux-nvme@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-nvme

^ permalink raw reply related	[flat|nested] 4+ messages in thread
* Re: [PATCH] nvmet: fixup buffer overrun in nvmet_subsys_attr_serial()
  2021-08-27  9:29 [PATCH] nvmet: fixup buffer overrun in nvmet_subsys_attr_serial() Hannes Reinecke
@ 2021-08-27 16:26 ` Christoph Hellwig
  2021-09-01 12:22   ` Christoph Hellwig
  0 siblings, 1 reply; 4+ messages in thread
From: Christoph Hellwig @ 2021-08-27 16:26 UTC (permalink / raw)
  To: Hannes Reinecke
  Cc: Christoph Hellwig, Martin K. Petersen, Sagi Grimberg, linux-nvme

On Fri, Aug 27, 2021 at 11:29:26AM +0200, Hannes Reinecke wrote:
> The serial number is copied into the buffer via memcpy_and_pad()
> with the length NVMET_SN_MAX_SIZE. So when printing out we also
> need to take just that length as anything beyond that will be
> uninitialized.
> 
> Signed-off-by: Hannes Reinecke <hare@suse.de>

The normal way to print a potentially unterminated fixed length string
would be something like:

diff --git a/drivers/nvme/target/configfs.c b/drivers/nvme/target/configfs.c
index f74485c705ff2..d784f3c200b4c 100644
--- a/drivers/nvme/target/configfs.c
+++ b/drivers/nvme/target/configfs.c
@@ -1067,7 +1067,8 @@ static ssize_t nvmet_subsys_attr_serial_show(struct config_item *item,
 {
 	struct nvmet_subsys *subsys = to_subsys(item);
 
-	return snprintf(page, PAGE_SIZE, "%s\n", subsys->serial);
+	return snprintf(page, PAGE_SIZE, "%*s\n",
+			NVMET_SN_MAX_SIZE, subsys->serial);
 }
 
 static ssize_t

_______________________________________________
Linux-nvme mailing list
Linux-nvme@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-nvme

^ permalink raw reply related	[flat|nested] 4+ messages in thread
* Re: [PATCH] nvmet: fixup buffer overrun in nvmet_subsys_attr_serial()
  2021-08-27 16:26 ` Christoph Hellwig
@ 2021-09-01 12:22   ` Christoph Hellwig
  2021-09-06  6:59     ` Hannes Reinecke
  0 siblings, 1 reply; 4+ messages in thread
From: Christoph Hellwig @ 2021-09-01 12:22 UTC (permalink / raw)
  To: Hannes Reinecke
  Cc: Christoph Hellwig, Martin K. Petersen, Sagi Grimberg, linux-nvme

On Fri, Aug 27, 2021 at 06:26:36PM +0200, Christoph Hellwig wrote:
> On Fri, Aug 27, 2021 at 11:29:26AM +0200, Hannes Reinecke wrote:
> > The serial number is copied into the buffer via memcpy_and_pad()
> > with the length NVMET_SN_MAX_SIZE. So when printing out we also
> > need to take just that length as anything beyond that will be
> > uninitialized.
> > 
> > Signed-off-by: Hannes Reinecke <hare@suse.de>
> 
> The normal way to print a potentially unterminated fixed length string
> would be something like:

Does this version still look ok to you?

> 
> diff --git a/drivers/nvme/target/configfs.c b/drivers/nvme/target/configfs.c
> index f74485c705ff2..d784f3c200b4c 100644
> --- a/drivers/nvme/target/configfs.c
> +++ b/drivers/nvme/target/configfs.c
> @@ -1067,7 +1067,8 @@ static ssize_t nvmet_subsys_attr_serial_show(struct config_item *item,
>  {
>  	struct nvmet_subsys *subsys = to_subsys(item);
>  
> -	return snprintf(page, PAGE_SIZE, "%s\n", subsys->serial);
> +	return snprintf(page, PAGE_SIZE, "%*s\n",
> +			NVMET_SN_MAX_SIZE, subsys->serial);
>  }
>  
>  static ssize_t
---end quoted text---

_______________________________________________
Linux-nvme mailing list
Linux-nvme@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-nvme

^ permalink raw reply	[flat|nested] 4+ messages in thread
* Re: [PATCH] nvmet: fixup buffer overrun in nvmet_subsys_attr_serial()
  2021-09-01 12:22   ` Christoph Hellwig
@ 2021-09-06  6:59     ` Hannes Reinecke
  0 siblings, 0 replies; 4+ messages in thread
From: Hannes Reinecke @ 2021-09-06  6:59 UTC (permalink / raw)
  To: Christoph Hellwig; +Cc: Martin K. Petersen, Sagi Grimberg, linux-nvme

On 9/1/21 2:22 PM, Christoph Hellwig wrote:
> On Fri, Aug 27, 2021 at 06:26:36PM +0200, Christoph Hellwig wrote:
>> On Fri, Aug 27, 2021 at 11:29:26AM +0200, Hannes Reinecke wrote:
>>> The serial number is copied into the buffer via memcpy_and_pad()
>>> with the length NVMET_SN_MAX_SIZE. So when printing out we also
>>> need to take just that length as anything beyond that will be
>>> uninitialized.
>>>
>>> Signed-off-by: Hannes Reinecke <hare@suse.de>
>>
>> The normal way to print a potentially unterminated fixed length string
>> would be something like:
> 
> Does this version still look ok to you?
> 
>>
>> diff --git a/drivers/nvme/target/configfs.c b/drivers/nvme/target/configfs.c
>> index f74485c705ff2..d784f3c200b4c 100644
>> --- a/drivers/nvme/target/configfs.c
>> +++ b/drivers/nvme/target/configfs.c
>> @@ -1067,7 +1067,8 @@ static ssize_t nvmet_subsys_attr_serial_show(struct config_item *item,
>>   {
>>   	struct nvmet_subsys *subsys = to_subsys(item);
>>   
>> -	return snprintf(page, PAGE_SIZE, "%s\n", subsys->serial);
>> +	return snprintf(page, PAGE_SIZE, "%*s\n",
>> +			NVMET_SN_MAX_SIZE, subsys->serial);
>>   }
>>   
>>   static ssize_t
> ---end quoted text---
> 
Yes, it does; will be sending an updated patch.

Cheers,

Hannes
-- 
Dr. Hannes Reinecke                Kernel Storage Architect
hare@suse.de                              +49 911 74053 688
SUSE Software Solutions GmbH, Maxfeldstr. 5, 90409 Nürnberg
HRB 36809 (AG Nürnberg), Geschäftsführer: Felix Imendörffer

_______________________________________________
Linux-nvme mailing list
Linux-nvme@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-nvme

^ permalink raw reply	[flat|nested] 4+ messages in thread
end of thread, other threads:[~2021-09-06  6:59 UTC | newest]

Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-08-27  9:29 [PATCH] nvmet: fixup buffer overrun in nvmet_subsys_attr_serial() Hannes Reinecke
2021-08-27 16:26 ` Christoph Hellwig
2021-09-01 12:22   ` Christoph Hellwig
2021-09-06  6:59     ` Hannes Reinecke

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.