drivers/scsi/libfc/fc_encode.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
The fc_ct_ms_fill() helper currently formats the OS name and version
into entry->value using "%s v%s". Since init_utsname()->sysname and
->release are unbounded strings, snprintf() may attempt to write more
than FC_FDMI_HBA_ATTR_OSNAMEVERSION_LEN bytes, triggering a
-Wformat-truncation warning with W=1.
In file included from drivers/scsi/libfc/fc_elsct.c:18:
drivers/scsi/libfc/fc_encode.h: In function ‘fc_ct_ms_fill.constprop’:
drivers/scsi/libfc/fc_encode.h:359:30: error: ‘%s’ directive output may
be truncated writing up to 64 bytes into a region of size between 62
and 126 [-Werror=format-truncation=]
359 | "%s v%s",
| ^~
360 | init_utsname()->sysname,
361 | init_utsname()->release);
| ~~~~~~~~~~~~~~~~~~~~~~~
drivers/scsi/libfc/fc_encode.h:357:17: note: ‘snprintf’ output between
3 and 131 bytes into a destination of size 128
357 | snprintf((char *)&entry->value,
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
358 | FC_FDMI_HBA_ATTR_OSNAMEVERSION_LEN,
| ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
359 | "%s v%s",
| ~~~~~~~~~
360 | init_utsname()->sysname,
| ~~~~~~~~~~~~~~~~~~~~~~~~
361 | init_utsname()->release);
| ~~~~~~~~~~~~~~~~~~~~~~~~
Fix this by using "%.62s v%.62s", which ensures both sysname and
release are truncated to fit within the 64-byte field defined by
FC_FDMI_HBA_ATTR_OSNAMEVERSION_LEN.
Signed-off-by: Alok Tiwari <alok.a.tiwari@oracle.com>
---
drivers/scsi/libfc/fc_encode.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/scsi/libfc/fc_encode.h b/drivers/scsi/libfc/fc_encode.h
index 02e31db31d68..e046091a549a 100644
--- a/drivers/scsi/libfc/fc_encode.h
+++ b/drivers/scsi/libfc/fc_encode.h
@@ -356,7 +356,7 @@ static inline int fc_ct_ms_fill(struct fc_lport *lport,
put_unaligned_be16(len, &entry->len);
snprintf((char *)&entry->value,
FC_FDMI_HBA_ATTR_OSNAMEVERSION_LEN,
- "%s v%s",
+ "%.62s v%.62s",
init_utsname()->sysname,
init_utsname()->release);
--
2.50.1
On Mon, 15 Sep 2025 11:37:57 -0700, Alok Tiwari wrote:
> The fc_ct_ms_fill() helper currently formats the OS name and version
> into entry->value using "%s v%s". Since init_utsname()->sysname and
> ->release are unbounded strings, snprintf() may attempt to write more
> than FC_FDMI_HBA_ATTR_OSNAMEVERSION_LEN bytes, triggering a
> -Wformat-truncation warning with W=1.
>
> In file included from drivers/scsi/libfc/fc_elsct.c:18:
> drivers/scsi/libfc/fc_encode.h: In function ‘fc_ct_ms_fill.constprop’:
> drivers/scsi/libfc/fc_encode.h:359:30: error: ‘%s’ directive output may
> be truncated writing up to 64 bytes into a region of size between 62
> and 126 [-Werror=format-truncation=]
> 359 | "%s v%s",
> | ^~
> 360 | init_utsname()->sysname,
> 361 | init_utsname()->release);
> | ~~~~~~~~~~~~~~~~~~~~~~~
> drivers/scsi/libfc/fc_encode.h:357:17: note: ‘snprintf’ output between
> 3 and 131 bytes into a destination of size 128
> 357 | snprintf((char *)&entry->value,
> | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> 358 | FC_FDMI_HBA_ATTR_OSNAMEVERSION_LEN,
> | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> 359 | "%s v%s",
> | ~~~~~~~~~
> 360 | init_utsname()->sysname,
> | ~~~~~~~~~~~~~~~~~~~~~~~~
> 361 | init_utsname()->release);
> | ~~~~~~~~~~~~~~~~~~~~~~~~
>
> [...]
Applied to 6.18/scsi-queue, thanks!
[1/1] scsi: libfc: Fix potential buffer overflow in fc_ct_ms_fill()
https://git.kernel.org/mkp/scsi/c/072fdd4b0be9
--
Martin K. Petersen
© 2016 - 2025 Red Hat, Inc.