This is a note to let you know that I've just added the patch titled
hpsa: fix an sprintf() overflow in the reset handler
to the 4.2-stable tree which can be found at:
http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary
The filename of the patch is:
hpsa-fix-an-sprintf-overflow-in-the-reset-handler.patch
and it can be found in the queue-4.2 subdirectory.
If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.
>From 2dc127bb299d1c7436a08e79193bd0251068356e Mon Sep 17 00:00:00 2001
From: Dan Carpenter <dan.carpenter@xxxxxxxxxx>
Date: Thu, 4 Jun 2015 17:47:56 +0300
Subject: hpsa: fix an sprintf() overflow in the reset handler
From: Dan Carpenter <dan.carpenter@xxxxxxxxxx>
commit 2dc127bb299d1c7436a08e79193bd0251068356e upstream.
The string "cmd %d RESET FAILED, new lockup detected" is not quite
large enough so the sprintf() will overflow. I have increased the size
of the buffer and also changed the sprintf calls to snprintf.
Fixes: 73153fe533bc ('hpsa: use block layer tag for command allocation')
Signed-off-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx>
Acked-by: Don Brace <don.brace@xxxxxxxx>
Signed-off-by: James Bottomley <JBottomley@xxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
---
drivers/scsi/hpsa.c | 15 +++++++++------
1 file changed, 9 insertions(+), 6 deletions(-)
--- a/drivers/scsi/hpsa.c
+++ b/drivers/scsi/hpsa.c
@@ -5104,7 +5104,7 @@ static int hpsa_eh_device_reset_handler(
int rc;
struct ctlr_info *h;
struct hpsa_scsi_dev_t *dev;
- char msg[40];
+ char msg[48];
/* find the controller to which the command to be aborted was sent */
h = sdev_to_hba(scsicmd->device);
@@ -5122,16 +5122,18 @@ static int hpsa_eh_device_reset_handler(
/* if controller locked up, we can guarantee command won't complete */
if (lockup_detected(h)) {
- sprintf(msg, "cmd %d RESET FAILED, lockup detected",
- hpsa_get_cmd_index(scsicmd));
+ snprintf(msg, sizeof(msg),
+ "cmd %d RESET FAILED, lockup detected",
+ hpsa_get_cmd_index(scsicmd));
hpsa_show_dev_msg(KERN_WARNING, h, dev, msg);
return FAILED;
}
/* this reset request might be the result of a lockup; check */
if (detect_controller_lockup(h)) {
- sprintf(msg, "cmd %d RESET FAILED, new lockup detected",
- hpsa_get_cmd_index(scsicmd));
+ snprintf(msg, sizeof(msg),
+ "cmd %d RESET FAILED, new lockup detected",
+ hpsa_get_cmd_index(scsicmd));
hpsa_show_dev_msg(KERN_WARNING, h, dev, msg);
return FAILED;
}
@@ -5145,7 +5147,8 @@ static int hpsa_eh_device_reset_handler(
/* send a reset to the SCSI LUN which the command was sent to */
rc = hpsa_do_reset(h, dev, dev->scsi3addr, HPSA_RESET_TYPE_LUN,
DEFAULT_REPLY_QUEUE);
- sprintf(msg, "reset %s", rc == 0 ? "completed successfully" : "failed");
+ snprintf(msg, sizeof(msg), "reset %s",
+ rc == 0 ? "completed successfully" : "failed");
hpsa_show_dev_msg(KERN_WARNING, h, dev, msg);
return rc == 0 ? SUCCESS : FAILED;
}
Patches currently in stable-queue which might be from dan.carpenter@xxxxxxxxxx are
queue-4.2/hv-util-checking-the-wrong-variable.patch
queue-4.2/ath10k-fix-dma_mapping_error-handling.patch
queue-4.2/hpsa-fix-an-sprintf-overflow-in-the-reset-handler.patch
queue-4.2/extcon-fix-signedness-bugs-about-break-error-handling.patch
--
To unsubscribe from this list: send the line "unsubscribe stable" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html