* [PATCH] nvmet: fixup buffer overrun in nvmet_subsys_attr_serial()
@ 2021-08-27 9:29 Hannes Reinecke
2021-08-27 16:26 ` Christoph Hellwig
0 siblings, 1 reply; 4+ messages in thread
From: Hannes Reinecke @ 2021-08-27 9:29 UTC (permalink / raw)
To: Christoph Hellwig
Cc: Martin K. Petersen, Sagi Grimberg, linux-nvme, Hannes Reinecke
The serial number is copied into the buffer via memcpy_and_pad()
with the length NVMET_SN_MAX_SIZE. So when printing out we also
need to take just that length as anything beyond that will be
uninitialized.
Signed-off-by: Hannes Reinecke <hare@suse.de>
---
drivers/nvme/target/configfs.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/nvme/target/configfs.c b/drivers/nvme/target/configfs.c
index 008be02fbac9..255db21b73ee 100644
--- a/drivers/nvme/target/configfs.c
+++ b/drivers/nvme/target/configfs.c
@@ -1113,7 +1113,7 @@ static ssize_t nvmet_subsys_attr_serial_show(struct config_item *item,
{
struct nvmet_subsys *subsys = to_subsys(item);
- return snprintf(page, PAGE_SIZE, "%s\n", subsys->serial);
+ return snprintf(page, NVMET_SN_MAX_SIZE, "%s\n", subsys->serial);
}
static ssize_t
--
2.29.2
_______________________________________________
Linux-nvme mailing list
Linux-nvme@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-nvme
^ permalink raw reply related [flat|nested] 4+ messages in thread
* Re: [PATCH] nvmet: fixup buffer overrun in nvmet_subsys_attr_serial()
2021-08-27 9:29 [PATCH] nvmet: fixup buffer overrun in nvmet_subsys_attr_serial() Hannes Reinecke
@ 2021-08-27 16:26 ` Christoph Hellwig
2021-09-01 12:22 ` Christoph Hellwig
0 siblings, 1 reply; 4+ messages in thread
From: Christoph Hellwig @ 2021-08-27 16:26 UTC (permalink / raw)
To: Hannes Reinecke
Cc: Christoph Hellwig, Martin K. Petersen, Sagi Grimberg, linux-nvme
On Fri, Aug 27, 2021 at 11:29:26AM +0200, Hannes Reinecke wrote:
> The serial number is copied into the buffer via memcpy_and_pad()
> with the length NVMET_SN_MAX_SIZE. So when printing out we also
> need to take just that length as anything beyond that will be
> uninitialized.
>
> Signed-off-by: Hannes Reinecke <hare@suse.de>
The normal way to print a potentially unterminated fixed length string
would be something like:
diff --git a/drivers/nvme/target/configfs.c b/drivers/nvme/target/configfs.c
index f74485c705ff2..d784f3c200b4c 100644
--- a/drivers/nvme/target/configfs.c
+++ b/drivers/nvme/target/configfs.c
@@ -1067,7 +1067,8 @@ static ssize_t nvmet_subsys_attr_serial_show(struct config_item *item,
{
struct nvmet_subsys *subsys = to_subsys(item);
- return snprintf(page, PAGE_SIZE, "%s\n", subsys->serial);
+ return snprintf(page, PAGE_SIZE, "%*s\n",
+ NVMET_SN_MAX_SIZE, subsys->serial);
}
static ssize_t
_______________________________________________
Linux-nvme mailing list
Linux-nvme@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-nvme
^ permalink raw reply related [flat|nested] 4+ messages in thread
* Re: [PATCH] nvmet: fixup buffer overrun in nvmet_subsys_attr_serial()
2021-08-27 16:26 ` Christoph Hellwig
@ 2021-09-01 12:22 ` Christoph Hellwig
2021-09-06 6:59 ` Hannes Reinecke
0 siblings, 1 reply; 4+ messages in thread
From: Christoph Hellwig @ 2021-09-01 12:22 UTC (permalink / raw)
To: Hannes Reinecke
Cc: Christoph Hellwig, Martin K. Petersen, Sagi Grimberg, linux-nvme
On Fri, Aug 27, 2021 at 06:26:36PM +0200, Christoph Hellwig wrote:
> On Fri, Aug 27, 2021 at 11:29:26AM +0200, Hannes Reinecke wrote:
> > The serial number is copied into the buffer via memcpy_and_pad()
> > with the length NVMET_SN_MAX_SIZE. So when printing out we also
> > need to take just that length as anything beyond that will be
> > uninitialized.
> >
> > Signed-off-by: Hannes Reinecke <hare@suse.de>
>
> The normal way to print a potentially unterminated fixed length string
> would be something like:
Does this version still look ok to you?
>
> diff --git a/drivers/nvme/target/configfs.c b/drivers/nvme/target/configfs.c
> index f74485c705ff2..d784f3c200b4c 100644
> --- a/drivers/nvme/target/configfs.c
> +++ b/drivers/nvme/target/configfs.c
> @@ -1067,7 +1067,8 @@ static ssize_t nvmet_subsys_attr_serial_show(struct config_item *item,
> {
> struct nvmet_subsys *subsys = to_subsys(item);
>
> - return snprintf(page, PAGE_SIZE, "%s\n", subsys->serial);
> + return snprintf(page, PAGE_SIZE, "%*s\n",
> + NVMET_SN_MAX_SIZE, subsys->serial);
> }
>
> static ssize_t
---end quoted text---
_______________________________________________
Linux-nvme mailing list
Linux-nvme@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-nvme
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [PATCH] nvmet: fixup buffer overrun in nvmet_subsys_attr_serial()
2021-09-01 12:22 ` Christoph Hellwig
@ 2021-09-06 6:59 ` Hannes Reinecke
0 siblings, 0 replies; 4+ messages in thread
From: Hannes Reinecke @ 2021-09-06 6:59 UTC (permalink / raw)
To: Christoph Hellwig; +Cc: Martin K. Petersen, Sagi Grimberg, linux-nvme
On 9/1/21 2:22 PM, Christoph Hellwig wrote:
> On Fri, Aug 27, 2021 at 06:26:36PM +0200, Christoph Hellwig wrote:
>> On Fri, Aug 27, 2021 at 11:29:26AM +0200, Hannes Reinecke wrote:
>>> The serial number is copied into the buffer via memcpy_and_pad()
>>> with the length NVMET_SN_MAX_SIZE. So when printing out we also
>>> need to take just that length as anything beyond that will be
>>> uninitialized.
>>>
>>> Signed-off-by: Hannes Reinecke <hare@suse.de>
>>
>> The normal way to print a potentially unterminated fixed length string
>> would be something like:
>
> Does this version still look ok to you?
>
>>
>> diff --git a/drivers/nvme/target/configfs.c b/drivers/nvme/target/configfs.c
>> index f74485c705ff2..d784f3c200b4c 100644
>> --- a/drivers/nvme/target/configfs.c
>> +++ b/drivers/nvme/target/configfs.c
>> @@ -1067,7 +1067,8 @@ static ssize_t nvmet_subsys_attr_serial_show(struct config_item *item,
>> {
>> struct nvmet_subsys *subsys = to_subsys(item);
>>
>> - return snprintf(page, PAGE_SIZE, "%s\n", subsys->serial);
>> + return snprintf(page, PAGE_SIZE, "%*s\n",
>> + NVMET_SN_MAX_SIZE, subsys->serial);
>> }
>>
>> static ssize_t
> ---end quoted text---
>
Yes, it does; will be sending an updated patch.
Cheers,
Hannes
--
Dr. Hannes Reinecke Kernel Storage Architect
hare@suse.de +49 911 74053 688
SUSE Software Solutions GmbH, Maxfeldstr. 5, 90409 Nürnberg
HRB 36809 (AG Nürnberg), Geschäftsführer: Felix Imendörffer
_______________________________________________
Linux-nvme mailing list
Linux-nvme@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-nvme
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2021-09-06 6:59 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-08-27 9:29 [PATCH] nvmet: fixup buffer overrun in nvmet_subsys_attr_serial() Hannes Reinecke
2021-08-27 16:26 ` Christoph Hellwig
2021-09-01 12:22 ` Christoph Hellwig
2021-09-06 6:59 ` Hannes Reinecke
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.