Hi, my name is Wang Haoran. We found a bug in the
target_lu_gp_members_show function located in
drivers/target/target_core_configfs.c in the latest Linux kernel
(version 6.15.5).
The function uses snprintf to format a device path string into a
fixed-size buffer buf, which has size LU_GROUP_NAME_BUF (defined as
256). However, the device name of
config_item_name(&dev->dev_group.cg_item) can be up to 255 characters.
When combined with config_item_name(&hba->hba_group.cg_item), '/',
newline, and null terminator, "%s/%s\n" may exceed 256 bytes.
Since "snprintf" returns the total number of bytes that would have
been written, the return value cur_len may exceed length of buf, and a
buffer overflow would occur when executing memcpy(page+len, buf,
cur_len);
Replacing snprintf with scnprintf ensures the return value never
exceeds the specified buffer size, preventing such issues.

--- target_core_configfs.c 2025-07-06 17:04:26.000000000 +0800
+++ target_core_configfs.c 2025-07-09 18:43:05.926386901 +0800
@@ -2771,7 +2771,7 @@
  dev = lu_gp_mem->lu_gp_mem_dev;
  hba = dev->se_hba;

- cur_len = snprintf(buf, LU_GROUP_NAME_BUF, "%s/%s\n",
+ cur_len = scnprintf(buf, LU_GROUP_NAME_BUF, "%s/%s\n",
  config_item_name(&hba->hba_group.cg_item),
  config_item_name(&dev->dev_group.cg_item));
  cur_len++; /* Extra byte for NULL terminator */

Best regards,
Wang Haoran