From: bugzilla-noreply@freebsd.org
To: bugs@FreeBSD.org
Subject: [Bug 281159] [PATCH] mfiutil: Fix potential buffer overflow and truncation issues
Date: Sat, 31 Aug 2024 10:54:04 +0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=281159

            Bug ID: 281159
           Summary: [PATCH] mfiutil: Fix potential buffer overflow and
                    truncation issues
           Product: Base System
           Version: 15.0-CURRENT
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Only Me
          Priority: ---
         Component: bin
          Assignee: bugs@FreeBSD.org
          Reporter: msl0000023508@gmail.com

Created attachment 253206
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=253206&action=edit
proposed fix

The fix in mfi_volume.c is particularly important; since it uses sprintf(3), if 'state' is too big, an overflow, instead of string truncation, will occur.

This change fixes the following warnings emitted by gcc(1):

mfi_drive.c: In function 'mfi_pdstate':
mfi_drive.c:155:40: warning: '%04x' directive writing between 4 and 8 bytes into a region of size 7 [-Wformat-overflow=]
In function 'mfi_pdstate',
    inlined from 'mfi_pdstate' at /usr/src/usr.sbin/mfiutil/mfi_drive.c:131:1:
/usr/src/usr.sbin/mfiutil/mfi_drive.c:155:30: note: directive argument in the range [3, 4294967295]
mfi_drive.c:155:17: note: 'sprintf' output between 14 and 18 bytes into a destination of size 16
mfi_drive.c: In function 'mfi_pd_inq_string':
mfi_drive.c:375:57: warning: ' ' directive output may be truncated writing 1 byte into a region of size between 0 and 62 [-Wformat-truncation=]
mfi_drive.c:375:9: note: 'snprintf' output 14 or more bytes (assuming 110) into a destination of size 64
mfi_drive.c:358:65: warning: ' serial=' directive output may be truncated writing 8 bytes into a region of size between 0 and 62 [-Wformat-truncation=]
mfi_drive.c:358:17: note: 'snprintf' output between 17 and 98 bytes into a destination of size 64
mfi_evt.c: In function 'pdrive_location':
mfi_evt.c:350:64: warning: 'snprintf' output may be truncated before the last format character [-Wformat-truncation=]
mfi_evt.c:350:17: note: 'snprintf' output between 10 and 17 bytes into a destination of size 16
mfi_volume.c: In function 'mfi_ldstate':
mfi_volume.c:60:40: warning: '%02x' directive writing between 2 and 8 bytes into a region of size 7 [-Wformat-overflow=]
mfi_volume.c:60:30: note: directive argument in the range [4, 4294967295]
mfi_volume.c:60:17: note: 'sprintf' output between 12 and 18 bytes into a destination of size 16
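
Added example (not part of the bug report or the attached patch): the size arithmetic behind the mfi_volume.c:60 warning, with a bounded call that reports truncation instead of overflowing. The format string "LSTATE 0x%02x" is an assumption chosen to match the 12 to 18 byte range in the gcc note; the function names are hypothetical.

```c
#include <stdio.h>
#include <string.h>

#define STATE_BUF_SIZE 16	/* destination size reported in the gcc notes */

/* Bytes, including the terminating NUL, that the formatted string needs. */
static size_t
state_bytes_needed(unsigned int state)
{
	/* Assumed format: 9-byte prefix plus 2 to 8 hex digits. */
	int n = snprintf(NULL, 0, "LSTATE 0x%02x", state);

	return (n < 0 ? 0 : (size_t)n + 1);
}

/*
 * Bounded form of the flagged pattern
 *     char buf[16]; sprintf(buf, "LSTATE 0x%02x", state);
 * which writes up to 18 bytes into 16 when state needs 7 or 8 hex digits.
 * Returns 0 if the whole string fit, 1 if it was truncated, -1 on error.
 */
static int
format_state(char *buf, size_t size, unsigned int state)
{
	int n = snprintf(buf, size, "LSTATE 0x%02x", state);

	if (n < 0)
		return (-1);
	return ((size_t)n >= size ? 1 : 0);
}

int
main(void)
{
	/* Constructed sample values, including both ends of gcc's range. */
	static const unsigned int samples[] = { 0x04, 0xffffff, 0x1234567, 0xffffffffu };
	char buf[STATE_BUF_SIZE];

	for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
		int rc = format_state(buf, sizeof(buf), samples[i]);

		printf("state=%#x needs %zu of %zu bytes: \"%s\"%s\n",
		    samples[i], state_bytes_needed(samples[i]), sizeof(buf),
		    buf, rc == 1 ? " (truncated)" : "");
	}
	return (0);
}
```
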