From patchwork Tue Oct 31 19:12:17 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Justin Tee X-Patchwork-Id: 740914 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 2C35DC4332F for ; Tue, 31 Oct 2023 18:59:10 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S233631AbjJaS7K (ORCPT ); Tue, 31 Oct 2023 14:59:10 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:39882 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S233231AbjJaS7J (ORCPT ); Tue, 31 Oct 2023 14:59:09 -0400 Received: from mail-pl1-x62b.google.com (mail-pl1-x62b.google.com [IPv6:2607:f8b0:4864:20::62b]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 763B6E6 for ; Tue, 31 Oct 2023 11:59:07 -0700 (PDT) Received: by mail-pl1-x62b.google.com with SMTP id d9443c01a7336-1ca85ff26afso11041475ad.1 for ; Tue, 31 Oct 2023 11:59:07 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1698778747; x=1699383547; darn=vger.kernel.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=dQtbotzg2x+a6R9yFCDaJO3CuC1xbKUS9GOGH5x4dw8=; b=W5kMEgc2BNSN41+eVHReiejjwqAGrb5BZ3YIeykcj+DNuzy4/99tZDVrE9W/k0/mIP MFGhTUCj+f4IQp3vCPmWvcwQ0Xx0S7nj4SB7pDrvv0n28HHuuqF8LSDOrEKRrPdmVt1m Ac+Ci6d0kjxFK8TZahAtAvCg5UBcYW78I7gpsKKSR1bdkBSI42VBRMQtVzmUEndxvCmG deccz9d3xbpiweTxJU4SCx8OQ4dgOh48MNiZ6Fgj729G9yfl3n8mmfmy8bJ/qA0wcshJ oHKHJjWT6bP3C0GcwpwwYKv/PW3gYgi9SPS2NpmUjfEK2ZF9eNamAEhHbXaZNelbPT+W Rzng== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1698778747; x=1699383547; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=dQtbotzg2x+a6R9yFCDaJO3CuC1xbKUS9GOGH5x4dw8=; b=qbZTAfHegr0JD+Pz2CeUcJLHN4aimYJe7HmsIiXAJXziTQpmCZhPEtITv6/Sjr+u66 nBspfLSu4l3UanydWeGEKk36x3O/0WlceCD7doFRDip9pym+6LKvQuIlIU5tjkG2lmlA xMicn7rPcp5Vr+udp7RSc7OhWzO6U2IGOHSa0duz+dZmySCUi3MxBQBNyIbH9BeayHiC W2fZEE3/wcZ5wiT23ilKHYQa4iht2zjm/IwVU/DwMQQZN9bXI6/O95IHsD5mYyUoQ0vd vM+R58lXoPd0PBr07MH+paQTW3fFbpg0+PzulA6tudNJuUy3lHSvOT80uDRH87Q3BIvJ O5Zw== X-Gm-Message-State: AOJu0Ywg9RtcV+8dj5x0ECRenKW0iLeWwf4A/m368CV+w1gyaNlbMbzv rA2aWcrLeMxAjvnRxeUDer1km0MgpcM= X-Google-Smtp-Source: AGHT+IEHmlTUkOh074CIL+ZWYXqkqVgOYLFXmHTeX5u6OIR3KofnxL4RDZIC7z24p3QUpp2hhwW6IQ== X-Received: by 2002:a17:902:f214:b0:1cc:27fa:1fb7 with SMTP id m20-20020a170902f21400b001cc27fa1fb7mr11602594plc.5.1698778746692; Tue, 31 Oct 2023 11:59:06 -0700 (PDT) Received: from dhcp-10-231-55-133.dhcp.broadcom.net ([192.19.223.252]) by smtp.gmail.com with ESMTPSA id bh6-20020a170902a98600b001c9d6923e7dsm1628657plb.222.2023.10.31.11.59.05 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Tue, 31 Oct 2023 11:59:06 -0700 (PDT) From: Justin Tee To: linux-scsi@vger.kernel.org Cc: jsmart2021@gmail.com, justin.tee@broadcom.com, Justin Tee Subject: [PATCH 2/9] lpfc: Fix possible file string name overflow when updating firmware Date: Tue, 31 Oct 2023 12:12:17 -0700 Message-Id: <20231031191224.150862-3-justintee8345@gmail.com> X-Mailer: git-send-email 2.38.0 In-Reply-To: <20231031191224.150862-1-justintee8345@gmail.com> References: <20231031191224.150862-1-justintee8345@gmail.com> MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: linux-scsi@vger.kernel.org Because file_name and phba->ModelName are both declared a size 80 bytes, the extra ".grp" file extension could cause an overflow into file_name. Define a ELX_FW_NAME_SIZE macro with value 84. 84 incorporates the 4 extra characters from ".grp". file_name is changed to be declared as a char and initialized to zeros i.e. null chars. Signed-off-by: Justin Tee --- drivers/scsi/lpfc/lpfc.h | 1 + drivers/scsi/lpfc/lpfc_init.c | 4 ++-- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/drivers/scsi/lpfc/lpfc.h b/drivers/scsi/lpfc/lpfc.h index af15f7a22d25..04d608ea9106 100644 --- a/drivers/scsi/lpfc/lpfc.h +++ b/drivers/scsi/lpfc/lpfc.h @@ -33,6 +33,7 @@ struct lpfc_sli2_slim; #define ELX_MODEL_NAME_SIZE 80 +#define ELX_FW_NAME_SIZE 84 #define LPFC_PCI_DEV_LP 0x1 #define LPFC_PCI_DEV_OC 0x2 diff --git a/drivers/scsi/lpfc/lpfc_init.c b/drivers/scsi/lpfc/lpfc_init.c index 9e59c050103d..2c336953e56c 100644 --- a/drivers/scsi/lpfc/lpfc_init.c +++ b/drivers/scsi/lpfc/lpfc_init.c @@ -14725,7 +14725,7 @@ lpfc_write_firmware(const struct firmware *fw, void *context) int lpfc_sli4_request_firmware_update(struct lpfc_hba *phba, uint8_t fw_upgrade) { - uint8_t file_name[ELX_MODEL_NAME_SIZE]; + char file_name[ELX_FW_NAME_SIZE] = {0}; int ret; const struct firmware *fw; @@ -14734,7 +14734,7 @@ lpfc_sli4_request_firmware_update(struct lpfc_hba *phba, uint8_t fw_upgrade) LPFC_SLI_INTF_IF_TYPE_2) return -EPERM; - snprintf(file_name, ELX_MODEL_NAME_SIZE, "%s.grp", phba->ModelName); + scnprintf(file_name, sizeof(file_name), "%s.grp", phba->ModelName); if (fw_upgrade == INT_FW_UPGRADE) { ret = request_firmware_nowait(THIS_MODULE, FW_ACTION_UEVENT,