Commit 94aa9d99 authored May 15, 2024 by Justin Tee Committed by Baogen Shang May 15, 2024

scsi: lpfc: Fix possible file string name overflow when updating firmware

stable inclusion
from stable-v5.10.210
commit 9bc7617a0d46f5c9e070cb93b08f8036c86aaaa1
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/I9J6AL
CVE: NA

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-5.10.y&id=9bc7617a0d46f5c9e070cb93b08f8036c86aaaa1



-------------------------

[ Upstream commit f5779b529240b715f0e358489ad0ed933bf77c97 ]

Because file_name and phba->ModelName are both declared a size 80 bytes,
the extra ".grp" file extension could cause an overflow into file_name.

Define a ELX_FW_NAME_SIZE macro with value 84.  84 incorporates the 4 extra
characters from ".grp".  file_name is changed to be declared as a char and
initialized to zeros i.e. null chars.

Signed-off-by: Justin Tee <justin.tee@broadcom.com>
Link: https://lore.kernel.org/r/20231031191224.150862-3-justintee8345@gmail.com


Reviewed-by: Himanshu Madhani <himanshu.madhani@oracle.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Baogen Shang <baogen.shang@windriver.com>

parent 34c4be6c

drivers/scsi/lpfc/lpfc.h

+1 −0

Original line number	Diff line number	Diff line
		@@ -32,6 +32,7 @@
		struct lpfc_sli2_slim;

		#define ELX_MODEL_NAME_SIZE 80
		#define ELX_FW_NAME_SIZE 84

		#define LPFC_PCI_DEV_LP 0x1
		#define LPFC_PCI_DEV_OC 0x2

drivers/scsi/lpfc/lpfc_init.c

+2 −2

Original line number	Diff line number	Diff line
		@@ -13026,7 +13026,7 @@ lpfc_write_firmware(const struct firmware fw, void context)
		int
		lpfc_sli4_request_firmware_update(struct lpfc_hba *phba, uint8_t fw_upgrade)
		{
		uint8_t file_name[ELX_MODEL_NAME_SIZE];
		char file_name[ELX_FW_NAME_SIZE] = {0};
		int ret;
		const struct firmware *fw;

		@@ -13035,7 +13035,7 @@ lpfc_sli4_request_firmware_update(struct lpfc_hba *phba, uint8_t fw_upgrade)
		LPFC_SLI_INTF_IF_TYPE_2)
		return -EPERM;

		snprintf(file_name, ELX_MODEL_NAME_SIZE, "%s.grp", phba->ModelName);
		scnprintf(file_name, sizeof(file_name), "%s.grp", phba->ModelName);

		if (fw_upgrade == INT_FW_UPGRADE) {
		ret = request_firmware_nowait(THIS_MODULE, FW_ACTION_HOTPLUG,