From patchwork Tue Jul 25 17:30:34 2023
X-Patchwork-Submitter: Linus Torvalds
X-Patchwork-Id: 125776
From: Linus Torvalds
Date: Tue, 25 Jul 2023 10:30:34 -0700
Subject: SCSI: fix parsing of /proc/scsci/scsi file
To: Martin K Petersen, James Bottomley, Tony Battersby, Willy Tarreau
Cc: linux-scsi, Linux Kernel Mailing List
X-Mailing-List: linux-kernel@vger.kernel.org

This is the simplified version of the fix proposed by Tony Battersby for the horrid scsi /proc parsing code. It doesn't make it prettier, it just makes it less buggy.

That parsing code hasn't been changed in git or BK times, so it's at least two decades since anybody touched it, and judging by how nasty it is, it's probably more than that.

This is v2 with the additional bug noted by Tony hopefully fixed.

Linus

From 574fe269f5aaf62a3ec862bf430adf91a20823bd Mon Sep 17 00:00:00 2001
From: Linus Torvalds
Date: Tue, 25 Jul 2023 10:09:31 -0700
Subject: [PATCH] scsi: fix legacy /proc parsing buffer overflow

The parsing code for /proc/scsi/scsi is disgusting and broken. We should have just used 'sscanf()' or something simple like that, but the logic may actually predate our kernel sscanf library routine for all I know. It certainly predates both git and BK histories.

And we can't change it to be something sane like that now, because the string matching at the start is done case-insensitively, and the separator parsing between numbers isn't done at all, so *any* separator will work, including a possible terminating NUL character.

This interface is root-only, and entirely for legacy use, so there is absolutely no point in trying to tighten up the parsing. Because any separator has traditionally worked, it's entirely possible that people have used random characters rather than the suggested space.

So don't bother to try to pretty it up, and let's just make a minimal patch that can be back-ported and we can forget about this whole sorry thing for another two decades.

Just make it at least not traverse the terminating NUL.

Reported-by: Tony Battersby
Link: https://lore.kernel.org/linux-scsi/b570f5fe-cb7c-863a-6ed9-f6774c219b88@cybernetics.com/
Cc: Martin K Petersen
Cc: James Bottomley
Cc: Willy Tarreau
Cc: stable@kernel.org
Signed-off-by: Linus Torvalds
---
drivers/scsi/scsi_proc.c | 23 +++++++++++++----------
1 file changed, 13 insertions(+), 10 deletions(-)

diff --git a/drivers/scsi/scsi_proc.c b/drivers/scsi/scsi_proc.c index 4a6eb1741be0..8aa8208ceb7f 100644 --- a/drivers/scsi/scsi_proc.c +++ b/drivers/scsi/scsi_proc.c @@ -383,6 +383,9 @@ static int scsi_remove_single_device(uint host, uint channel, uint id, uint lun) return error; } +/* increment 'p', but not past the end */ +static inline char *next_p(char *p) { return p + !!*p; } + /** * proc_scsi_write - handle writes to /proc/scsi/scsi * @file: not used
@@ -431,12 +434,12 @@ static ssize_t proc_scsi_write(struct file *file, const char __user *buf, * with "0 1 2 3" replaced by your "Host Channel Id Lun". */ if (!strncmp("scsi add-single-device", buffer, 22)) { - p = buffer + 23; + p = buffer + 22; - host = simple_strtoul(p, &p, 0); - channel = simple_strtoul(p + 1, &p, 0); - id = simple_strtoul(p + 1, &p, 0); - lun = simple_strtoul(p + 1, &p, 0); + host = simple_strtoul(next_p(p), &p, 0); + channel = simple_strtoul(next_p(p), &p, 0); + id = simple_strtoul(next_p(p), &p, 0); + lun = simple_strtoul(next_p(p), &p, 0); err = scsi_add_single_device(host, channel, id, lun); @@ -445,12 +448,12 @@ static ssize_t proc_scsi_write(struct file *file, const char __user *buf, * with "0 1 2 3" replaced by your "Host Channel Id Lun". */ } else if (!strncmp("scsi remove-single-device", buffer, 25)) { - p = buffer + 26; + p = buffer + 25; - host = simple_strtoul(p, &p, 0); - channel = simple_strtoul(p + 1, &p, 0); - id = simple_strtoul(p + 1, &p, 0); - lun = simple_strtoul(p + 1, &p, 0); + host = simple_strtoul(next_p(p), &p, 0); + channel = simple_strtoul(next_p(p), &p, 0); + id = simple_strtoul(next_p(p), &p, 0); + lun = simple_strtoul(next_p(p), &p, 0); err = scsi_remove_single_device(host, channel, id, lun); } -- 2.41.0.327.gaa9166bcc0
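
Review bot: In the first hunk (@@ -383,6 +383,9 @@), the comment on next_p() ("increment 'p', but not past the end") does not say that "the end" means the terminating NUL, nor that the helper steps over exactly one byte of any value as the separator. Both are what the callers rely on, and the helper is only safe if buffer is NUL-terminated before parsing starts, which these hunks do not show. Suggest spelling that out in the comment, for example "skip one separator byte of any value; never step past the terminating NUL", and confirming that proc_scsi_write() always terminates buffer before reaching this code.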
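
Review bot: In the add-single-device hunk (@@ -431,12 +434,12 @@), nothing checks that a number was actually parsed: once p sits on the NUL, next_p(p) returns p and every remaining simple_strtoul() call yields 0, so a truncated write such as "scsi add-single-device 1" goes on to call scsi_add_single_device(1, 0, 0, 0). The read now stays inside the string, but the missing fields are silently taken as 0. If rejecting short input is ruled out for compatibility, a comment above the block stating that missing fields default to 0 would record that this is intentional; otherwise compare the end pointer with the start pointer after each call and return -EINVAL when it did not move.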
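
Review bot: The remove-single-device hunk (@@ -445,12 +448,12 @@) repeats the same four next_p()/simple_strtoul() lines as the add branch, and the prefix lengths 22 and 25 appear as bare numbers in both the strncmp() call and the "p = buffer + ..." assignment. The patch had to change all of these in step, which invites the next off-by-one. Suggest one small helper that takes p and fills host, channel, id and lun, with the offsets derived from the command strings (sizeof("...") - 1). Separately, the commit message describes the prefix match as case-insensitive while the context lines show strncmp(); one of the two should be reconciled.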
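
The over-read that the commit message describes ("traverse the terminating NUL") can be reproduced in userspace. This is an added example, not code from the patch or the kernel: it uses strtoul() as a stand-in for simple_strtoul() (assumed to behave the same when no digits are present), and make_sample(), parse_old(), parse_new() and struct hcil are hypothetical names; only next_p() is taken from the patch. The buffer contents are constructed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define PREFIX_LEN 22   /* strlen("scsi add-single-device") */
struct hcil { unsigned long v[4]; size_t end; };  /* end: offset where parsing stopped */

/* Helper as added by the patch: step over one byte unless it is the NUL. */
static char *next_p(char *p) { return p + !!*p; }

/* Constructed input: a short command, its NUL, then stale bytes in the same buffer. */
static void make_sample(char buf[64])
{
    memset(buf, 0, 64);
    strcpy(buf, "scsi add-single-device 1");  /* NUL lands at offset 24 */
    strcpy(buf + 25, "9 8 7");                /* leftover data past the NUL */
}

/* Pre-patch pattern: "p + 1" steps over whatever follows a number, even the NUL. */
static struct hcil parse_old(char *buf)
{
    struct hcil r;
    char *p = buf + PREFIX_LEN + 1;
    r.v[0] = strtoul(p, &p, 0);
    for (int i = 1; i < 4; i++)
        r.v[i] = strtoul(p + 1, &p, 0);
    r.end = (size_t)(p - buf);
    return r;
}

/* Post-patch pattern: next_p() refuses to move once p sits on the NUL. */
static struct hcil parse_new(char *buf)
{
    struct hcil r;
    char *p = buf + PREFIX_LEN;
    for (int i = 0; i < 4; i++)
        r.v[i] = strtoul(next_p(p), &p, 0);
    r.end = (size_t)(p - buf);
    return r;
}

int main(void)
{
    char buf[64];
    make_sample(buf);
    struct hcil o = parse_old(buf), n = parse_new(buf);
    printf("old: %lu %lu %lu %lu, stopped at %zu\n", o.v[0], o.v[1], o.v[2], o.v[3], o.end);
    printf("new: %lu %lu %lu %lu, stopped at %zu\n", n.v[0], n.v[1], n.v[2], n.v[3], n.end);
    return 0;
}
```

With the old pattern the channel, id and lun come from the stale bytes behind the terminator; with next_p() parsing stops at the NUL and the missing fields read as 0.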