Patch "nvmet: prevent sprintf() overflow in nvmet_subsys_nsid_exists()" has been added to the 6.6-stable tree

This is a note to let you know that I've just added the patch titled

    nvmet: prevent sprintf() overflow in nvmet_subsys_nsid_exists()

to the 6.6-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     nvmet-prevent-sprintf-overflow-in-nvmet_subsys_nsid_.patch
and it can be found in the queue-6.6 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit 875f0954230eecfcb7a93f0ddd41936b8a34b843
Author: Dan Carpenter <dan.carpenter@xxxxxxxxxx>
Date:   Wed May 8 10:43:04 2024 +0300

    nvmet: prevent sprintf() overflow in nvmet_subsys_nsid_exists()
    
    [ Upstream commit d15dcd0f1a4753b57e66c64c8dc2a9779ff96aab ]
    
    The nsid value is a u32 that comes from nvmet_req_find_ns().  It's
    endian data and we're on an error path and both of those raise red
    flags.  So let's make this safer.
    
    1) Make the buffer large enough for any u32.
    2) Remove the unnecessary initialization.
    3) Use snprintf() instead of sprintf() for even more safety.
    4) The sprintf() function returns the number of bytes printed, not
       counting the NUL terminator. It is impossible for the return value to
       be <= 0 so delete that.
    
    Fixes: 505363957fad ("nvmet: fix nvme status code when namespace is disabled")
    Signed-off-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx>
    Reviewed-by: Sagi Grimberg <sagi@xxxxxxxxxxx>
    Signed-off-by: Keith Busch <kbusch@xxxxxxxxxx>
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/drivers/nvme/target/configfs.c b/drivers/nvme/target/configfs.c
index 3670a1103863b..f999e18e4561d 100644
--- a/drivers/nvme/target/configfs.c
+++ b/drivers/nvme/target/configfs.c
@@ -619,10 +619,9 @@ static struct configfs_attribute *nvmet_ns_attrs[] = {
 bool nvmet_subsys_nsid_exists(struct nvmet_subsys *subsys, u32 nsid)
 {
 	struct config_item *ns_item;
-	char name[4] = {};
+	char name[12];
 
-	if (sprintf(name, "%u", nsid) <= 0)
-		return false;
+	snprintf(name, sizeof(name), "%u", nsid);
 	mutex_lock(&subsys->namespaces_group.cg_subsys->su_mutex);
 	ns_item = config_group_find_item(&subsys->namespaces_group, name);
 	mutex_unlock(&subsys->namespaces_group.cg_subsys->su_mutex);
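Review bot: The new size in `char name[12];` is a bare magic number, so a later reader cannot tell it was derived from the width of a u32. The largest u32, 4294967295, prints as 10 decimal digits, so "%u" needs at most 11 bytes including the NUL terminator. 12 is sufficient, and a short comment on the declaration saying so would keep the buffer from being shrunk again or left behind if the type of nsid ever widens. With that sizing the snprintf() call cannot truncate, so ignoring its return value is fine here. It is worth stating that in the same comment, because if the output ever were truncated, config_group_find_item() would be handed a shortened name and could match a different namespace item.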



