    scsi: core: Fix legacy /proc parsing buffer overflow · 9426d3ce
    Tony Battersby authored
    (lightly modified commit message mostly by Linus Torvalds)
    
    The parsing code for /proc/scsi/scsi is disgusting and broken.  We should
    have just used 'sscanf()' or something simple like that, but the logic may
    actually predate our kernel sscanf library routine for all I know.  It
    certainly predates both git and BK histories.
    
    And we can't change it to be something sane like that now, because the
    string matching at the start is done case-insensitively, and the separator
    parsing between numbers isn't done at all, so *any* separator will work,
    including a possible terminating NUL character.
    
    This interface is root-only, and entirely for legacy use, so there is
    absolutely no point in trying to tighten up the parsing.  Because any
    separator has traditionally worked, it's entirely possible that people have
    used random characters rather than the suggested space.
    
    So don't bother to try to pretty it up, and let's just make a minimal patch
    that can be back-ported and we can forget about this whole sorry thing for
    another two decades.
    
    Just make it at least not read past the end of the supplied data.
    
    Link: https://lore.kernel.org/linux-scsi/b570f5fe-cb7c-863a-6ed9-f6774c219b88@cybernetics.com/
    Cc: Linus Torvalds <torvalds@linux-foundation.org>
    Cc: Martin K Petersen <martin.petersen@oracle.com>
    Cc: James Bottomley <jejb@linux.ibm.com>
    Cc: Willy Tarreau <w@1wt.eu>
    Cc: stable@kernel.org
    Fixes: 1da177e4 ("Linux-2.6.12-rc2")
    Signed-off-by: Tony Battersby <tonyb@cybernetics.com>
    Signed-off-by: Martin K Petersen <martin.petersen@oracle.com>
scsi_proc.c 13.3 KB
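
The constraint the commit message describes (keep the case-insensitive match and the "any one byte is a separator" behaviour, but never read past the supplied data) can be sketched in user-space C. This is an added example, not the kernel's code or the patch itself; the command string, the four-number layout, the decimal-only numbers and both function names are assumptions made for illustration.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical helper: read an unsigned decimal number from [*p, end)
 * without touching any byte at or past end. Returns 0 on success. */
static int bounded_uint(const char **p, const char *end, unsigned *out)
{
    const char *s = *p;
    unsigned v = 0;

    if (s >= end || !isdigit((unsigned char)*s))
        return -1;
    while (s < end && isdigit((unsigned char)*s))
        v = v * 10 + (unsigned)(*s++ - '0');
    *p = s;
    *out = v;
    return 0;
}

/* Parse "<command><sep>H<sep>C<sep>I<sep>L" from exactly len bytes; no NUL
 * terminator is assumed. Legacy leniency is kept: the command matches
 * case-insensitively and each separator is any single byte.
 * Returns 0 on success, -1 if the data is malformed or ends early. */
int parse_add_single_device(const char *buf, size_t len, unsigned id[4])
{
    static const char cmd[] = "scsi add-single-device"; /* assumed command */
    const size_t cmdlen = sizeof(cmd) - 1;
    const char *p, *end = buf + len;
    size_t i;

    if (len < cmdlen)
        return -1;
    for (i = 0; i < cmdlen; i++)
        if (tolower((unsigned char)buf[i]) != cmd[i])
            return -1;
    p = buf + cmdlen;
    for (i = 0; i < 4; i++) {
        if (p >= end)               /* no byte left for a separator */
            return -1;
        p++;                        /* skip one separator, whatever it is */
        if (bounded_uint(&p, end, &id[i]) != 0)
            return -1;
    }
    return 0;
}

int main(void)
{
    /* Constructed input: the same command, parsed whole and cut at 24 bytes. */
    const char data[] = "scsi add-single-device 0 1 2 3";
    unsigned id[4];

    printf("full: %d\n", parse_add_single_device(data, sizeof(data) - 1, id));
    printf("cut:  %d\n", parse_add_single_device(data, 24, id));
    return 0;
}
```

Every advance of the cursor is checked against `end` before the next byte is read, so a write that stops after the command name or mid-way through the numbers is rejected instead of being parsed from whatever follows the buffer.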