Hello community, here is the log from the commit of package s390-tools for openSUSE:Leap:15.2 checked in at 2020-03-15 07:11:04 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Leap:15.2/s390-tools (Old) and /work/SRC/openSUSE:Leap:15.2/.s390-tools.new.3160 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "s390-tools" Sun Mar 15 07:11:04 2020 rev:70 rq:784260 version:2.11.0 Changes: -------- --- /work/SRC/openSUSE:Leap:15.2/s390-tools/s390-tools.changes 2020-02-25 12:16:56.124401663 +0100 +++ /work/SRC/openSUSE:Leap:15.2/.s390-tools.new.3160/s390-tools.changes 2020-03-15 07:11:16.916960508 +0100 @@ -1,0 +2,22 @@ +Tue Mar 10 18:25:51 UTC 2020 - Mark Post <[email protected]> + +- Added the following patches for bsc#1165978. + zpcictl --reset only issues a SCLP reset and leaves the PCI function + in an error state. + Initiate an OS level recovery by calling /sys/bus/devices/<dev>/recover + after the SCLP reset. + * s390-tools-sles15sp2-01-zpcictl-Initiate-recover-after-reset.patch + * s390-tools-sles15sp2-02-zpcictl-Rename-misleading-sysfs_write_data.patch + * s390-tools-sles15sp2-03-zpcitctl-Exit-on-error-in-sysfs_report_error.patch + +------------------------------------------------------------------- +Tue Mar 3 22:11:44 UTC 2020 - Mark Post <[email protected]> + +- The zipl boot loader may crash during boot. The solution is to + implement vsnprintf and make use of it. (bsc#1165317) + * s390-tools-sles15sp2-01-zipl-libc-Introduce-vsnprintf.patch + * s390-tools-sles15sp2-02-zipl-libc-Fix-potential-buffer-overflow-in-printf.patch + * s390-tools-sles15sp2-03-zipl-libc-Replace-sprintf-with-snprintf.patch + * s390-tools-sles15sp2-04-zipl-libc-Indicate-truncated-lines-in-printf-with.patch + +------------------------------------------------------------------- New: ---- s390-tools-sles15sp2-01-zipl-libc-Introduce-vsnprintf.patch s390-tools-sles15sp2-01-zpcictl-Initiate-recover-after-reset.patch s390-tools-sles15sp2-02-zipl-libc-Fix-potential-buffer-overflow-in-printf.patch s390-tools-sles15sp2-02-zpcictl-Rename-misleading-sysfs_write_data.patch s390-tools-sles15sp2-03-zipl-libc-Replace-sprintf-with-snprintf.patch s390-tools-sles15sp2-03-zpcitctl-Exit-on-error-in-sysfs_report_error.patch s390-tools-sles15sp2-04-zipl-libc-Indicate-truncated-lines-in-printf-with.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ s390-tools.spec ++++++ --- /var/tmp/diff_new_pack.v0r3sO/_old 2020-03-15 07:11:18.396961394 +0100 +++ /var/tmp/diff_new_pack.v0r3sO/_new 2020-03-15 07:11:18.400961396 +0100 @@ -1,7 +1,7 @@ # # spec file for package s390-tools # -# Copyright (c) 2009-2020 SUSE LLC, Nuernberg, Germany. +# Copyright (c) 2001-2020 SUSE LLC, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -128,6 +128,13 @@ Patch39: s390-tools-sles15sp2-zkey-Fix-display-of-clear-key-size-for-XTS-keys.patch Patch40: s390-tools-sles15sp2-zkey-Fix-display-of-XTS-attribute-for-validate-comma.patch Patch41: s390-tools-sles15sp2-zkey-Fix-display-of-clear-key-size-for-CCA-AESCIPHER.patch +Patch42: s390-tools-sles15sp2-01-zipl-libc-Introduce-vsnprintf.patch +Patch43: s390-tools-sles15sp2-02-zipl-libc-Fix-potential-buffer-overflow-in-printf.patch +Patch44: s390-tools-sles15sp2-03-zipl-libc-Replace-sprintf-with-snprintf.patch +Patch45: s390-tools-sles15sp2-04-zipl-libc-Indicate-truncated-lines-in-printf-with.patch +Patch46: s390-tools-sles15sp2-01-zpcictl-Initiate-recover-after-reset.patch +Patch47: s390-tools-sles15sp2-02-zpcictl-Rename-misleading-sysfs_write_data.patch +Patch48: s390-tools-sles15sp2-03-zpcitctl-Exit-on-error-in-sysfs_report_error.patch # SUSE patches Patch900: s390-tools-sles12-zipl_boot_msg.patch ++++++ s390-tools-sles15sp2-01-zipl-libc-Introduce-vsnprintf.patch ++++++ Subject: [PATCH] [BZ 184060] zipl/libc: Introduce vsnprintf From: Philipp Rudo <[email protected]> Description: zipl/libc: Fix potential buffer overflow in printf Symptom: Crash of the zipl boot loader during boot. Problem: The zipl boot loaders have their own minimalistic libc implementation. In it printf and sprintf use vsprintf for string formatting. Per definition vsprintf assumes that the buffer it writes to is large enough to contain the formatted string and performs no size checks. This is problematic for the boot loaders because the buffer they use are often allocated on the stack. Thus even small changes to the string format can potentially cause buffer overflows on the stack. Solution: Implement vsnprintf and make use of it. Reproduction: Use printf to print a string with >81 characters (exact number depends on the stack layout/compiler used). Upstream-ID: 6fe9e6c55c69c14971dca55551009f5060418aae Problem-ID: 184060 Upstream-Description: zipl/libc: Introduce vsnprintf The zipl boot loaders have their own minimalistic libc implementation. In it printf and sprintf use vsprintf for string formatting. Per definition vsprintf assumes that the buffer it writes to is large enough to contain the formatted string and performs no size checks. This is problematic for the boot loaders because the buffer they use are often allocated on the stack. Thus even small changes to the string format can potentially cause buffer overflows on the stack with the well known consequences. Protect against such errors by implementing vsnprintf. Later patches will make use of it. This implementation of vsnprintf only supports a small subset of format options defined in the C standard. In particular it allows the specifiers: * %s (strings) * %o (unsigned int octal) * %u (unsigned int decimal) * %x (unsigned int hexadecimal) Integer specifiers (o, u, and x) always use the long form, i.e. assume the argument to be of type 'unsigned long int'. The length modified 'l' can be given but is ignored. Furthermore, it is possible to provide the optional field width (aligned to the right only) and precision as decimal integer (i.e. not via '*') as well as the flag for zero padding integers (i.e. '0'). The implementation was heavily inspired by the implementation in lib/vsprintf.c from the Linux kernel tree. Signed-off-by: Philipp Rudo <[email protected]> Reviewed-by: Stefan Haberland <[email protected]> Signed-off-by: Jan Hoeppner <[email protected]> Signed-off-by: Philipp Rudo <[email protected]> --- zipl/boot/libc.c | 248 +++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 248 insertions(+) --- a/zipl/boot/libc.c +++ b/zipl/boot/libc.c @@ -218,6 +218,254 @@ unsigned long ebcstrtoul(char *nptr, cha return val; } +static int skip_atoi(const char **c) +{ + int i = 0; + + do { + i = i*10 + *((*c)++) - '0'; + } while (isdigit(**c)); + + return i; +} + +enum format_type { + FORMAT_TYPE_NONE, + FORMAT_TYPE_STR, + FORMAT_TYPE_ULONG, +}; + +struct printf_spec { + unsigned int type:8; /* format_type enum */ + signed int field_width:24; /* width of output field */ + unsigned int zeropad:1; /* pad numbers with zero */ + unsigned int base:8; /* number base, 8, 10 or 16 only */ + signed int precision:16; /* # of digits/chars */ +}; + +#define FIELD_WIDTH_MAX ((1 << 23) - 1) + +static int format_decode(const char *fmt, struct printf_spec *spec) +{ + const char *start = fmt; + + spec->type = FORMAT_TYPE_NONE; + while (*fmt) { + if (*fmt == '%') + break; + fmt++; + } + + /* return current non-format string */ + if (fmt != start || !*fmt) + return fmt - start; + + /* first char is '%', skip it */ + fmt++; + if (*fmt == '0') { + spec->zeropad = 1; + fmt++; + } + + spec->field_width = -1; + if (isdigit(*fmt)) + spec->field_width = skip_atoi(&fmt); + + spec->precision = -1; + if (*fmt == '.') { + fmt++; + if (isdigit(*fmt)) + spec->precision = skip_atoi(&fmt); + } + + /* always use long form, i.e. ignore long qualifier */ + if (*fmt == 'l') + fmt++; + + switch (*fmt) { + case 's': + spec->type = FORMAT_TYPE_STR; + break; + + case 'o': + spec->base = 8; + spec->type = FORMAT_TYPE_ULONG; + break; + + case 'u': + spec->base = 10; + spec->type = FORMAT_TYPE_ULONG; + break; + + case 'x': + spec->base = 16; + spec->type = FORMAT_TYPE_ULONG; + break; + + default: + libc_stop(EINTERNAL); + } + + return ++fmt - start; +} + +static char *string(char *buf, char *end, const char *s, + struct printf_spec *spec) +{ + int limit = spec->precision; + int len = 0; + int spaces; + + /* Copy string to buffer */ + while (limit--) { + char c = *s++; + if (!c) + break; + if (buf < end) + *buf = c; + buf++; + len++; + } + + /* right align if necessary */ + if (len < spec->field_width && buf < end) { + spaces = spec->field_width - len; + if (spaces >= end - buf) + spaces = end - buf; + memmove(buf + spaces, buf, len); + memset(buf, ' ', spaces); + buf += spaces; + } + + return buf; +} + +static char *number(char *buf, char *end, unsigned long val, + struct printf_spec *spec) +{ + /* temporary buffer to prepare the string. + * Worst case: base = 8 -> 3 bits per char -> 2.67 chars per byte */ + char tmp[3 * sizeof(val)]; + static const char vec[] = {'0', '1', '2', '3', '4', '5', '6', '7', + '8', '9', 'a', 'b', 'c', 'd', 'e', 'f'}; + int field_width = spec->field_width; + int precision = spec->precision; + int len; + + /* prepare string in reverse order */ + len = 0; + while (val) { + tmp[len++] = vec[val % spec->base]; + val /= spec->base; + } + + if (len > precision) + precision = len; + + field_width -= precision; + while (field_width-- > 0) { + char c = spec->zeropad ? '0' : ' '; + if (buf < end) + *buf = c; + buf++; + } + + /* needed if no field width but a precision is given */ + while (len < precision--) { + if (buf < end) + *buf = '0'; + buf++; + } + + while (len-- > 0) { + if (buf < end) + *buf = tmp[len]; + buf++; + } + + return buf; +} + +/* + * vsnprintf - Format string and place in a buffer + * + * This funcion only supports a subset of format options defined in the + * C standard, i.e. + * specifiers: + * * %s (strings) + * * %o (unsigned int octal) + * * %u (unsigned int decimal) + * * %x (unsigned int hexadecimal) + * + * length modifier: + * * 'l' (ignored, see below) + * + * flag: + * * '0' (zero padding for integers) + * + * precision and field width as integers, i.e. _not_ by asterix '*'. + * + * The integer specifiers (o, u and, x) always use the long form, i.e. + * assume the argument to be of type 'unsigned long int'. + * + * Returns the number of characters the function would have generated for + * the given input (excluding the trailing '\0'. If the return value is + * greater than or equal @size the resulting string is trunctuated. + */ +static int vsnprintf(char *buf, unsigned long size, const char *fmt, + va_list args) +{ + struct printf_spec spec = {0}; + char *str, *end; + + str = buf; + end = buf + size; + + /* use negative (large positive) buffer sizes as indication for + * unknown/unlimited buffer sizes. */ + if (end < buf) { + end = ((void *)-1); + size = end - buf; + } + + while (*fmt) { + const char *old_fmt = fmt; + int read = format_decode(fmt, &spec); + int copy; + + fmt += read; + + switch (spec.type) { + case FORMAT_TYPE_NONE: + copy = read; + if (str < end) { + if (copy > end - str) + copy = end - str; + memcpy(str, old_fmt, copy); + } + str += read; + break; + + case FORMAT_TYPE_STR: + str = string(str, end, va_arg(args, char *), &spec); + break; + + case FORMAT_TYPE_ULONG: + str = number(str, end, va_arg(args, unsigned long), + &spec); + break; + } + } + + if (size) { + if (str < end) + *str = '\0'; + else + end[-1] = '\0'; + } + return str - buf; +} + /* * Convert string to number with given base */ ++++++ s390-tools-sles15sp2-01-zpcictl-Initiate-recover-after-reset.patch ++++++ Subject: [PATCH] [BZ 184174] zpcictl: Initiate recover after reset From: Jan Hoeppner <[email protected]> Description: zpcictl: Initiate recover after reset Symptom: If a PCI function is reset using zpcictl --reset, the function is in an error state. Problem: zpcictl --reset only issues a SCLP reset and leaves the PCI function in an error state. Solution: Initiate an OS level recovery by calling /sys/bus/devices/<dev>/recover after the SCLP reset. Reproduction: Call zpcictl --reset <dev> Under z/VM check the state of the function with 'vmcp q pcif' Upstream-ID: bc0d40c5803d4c5426b17b6d59aa0f1e46a2aacc Problem-ID: 184174 Upstream-Description: zpcictl: Initiate recover after reset After a zpcitctl --reset the PCI function is currently left in an error state. This seems unexpected, so follow the SCLP reset with an OS level recovery using /sys/bus/devices/<dev>/recover. Signed-off-by: Niklas Schnelle <[email protected]> Reviewed-by: Jan Hoeppner <[email protected]> Signed-off-by: Jan Hoeppner <[email protected]> Signed-off-by: Jan Hoeppner <[email protected]> --- zpcictl/zpcictl.c | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) --- a/zpcictl/zpcictl.c +++ b/zpcictl/zpcictl.c @@ -163,6 +163,26 @@ static unsigned int sysfs_read_value(str return val; } +static void sysfs_write_value(struct zpci_device *pdev, const char *attr, + unsigned int val) +{ + char *path; + FILE *fp; + + path = util_path_sysfs("bus/pci/devices/%s/%s", pdev->slot, attr); + fp = fopen(path, "w"); + if (!fp) + fopen_err(path); + if (fprintf(fp, "%x", val) < 0) { + fclose(fp); + warnx("Could not write to file %s: %s", path, strerror(errno)); + free(path); + exit(EXIT_FAILURE); + } + fclose(fp); + free(path); +} + static void sysfs_write_data(struct zpci_report_error *report, char *slot) { size_t r_size; @@ -297,6 +317,7 @@ static void sclp_issue_action(struct zpc static void sclp_reset_device(struct zpci_device *pdev) { sclp_issue_action(pdev, SCLP_ERRNOTIFY_AQ_RESET); + sysfs_write_value(pdev, "recover", 1); } /* ++++++ s390-tools-sles15sp2-02-zipl-libc-Fix-potential-buffer-overflow-in-printf.patch ++++++ Subject: [PATCH] [BZ 184060] zipl/libc: Fix potential buffer overflow in printf From: Philipp Rudo <[email protected]> Description: zipl/libc: Fix potential buffer overflow in printf Symptom: Crash of the zipl boot loader during boot. Problem: The zipl boot loaders have their own minimalistic libc implementation. In it printf and sprintf use vsprintf for string formatting. Per definition vsprintf assumes that the buffer it writes to is large enough to contain the formatted string and performs no size checks. This is problematic for the boot loaders because the buffer they use are often allocated on the stack. Thus even small changes to the string format can potentially cause buffer overflows on the stack. Solution: Implement vsnprintf and make use of it. Reproduction: Use printf to print a string with >81 characters (exact number depends on the stack layout/compiler used). Upstream-ID: 8874b908254c47c8a6fd7a1aca2c7371c11035c4 Problem-ID: 184060 Upstream-Description: zipl/libc: Fix potential buffer overflow in printf Per definition vsprint assumes that the provided buffer it writes to is large enough to contain the formatted string. As printf uses a fixed sized buffer (81 bytes) and has no size checks the use of vsprintf can easily cause buffer overflows. Protect against these buffer overflows by using vsnprintf instead. While at it fix a typo in the comment. Reported-by: Marc Hartmayer <[email protected]> Signed-off-by: Philipp Rudo <[email protected]> Reviewed-by: Marc Hartmayer <[email protected]> Reviewed-by: Stefan Haberland <[email protected]> Signed-off-by: Jan Hoeppner <[email protected]> Signed-off-by: Philipp Rudo <[email protected]> --- zipl/boot/libc.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) --- a/zipl/boot/libc.c +++ b/zipl/boot/libc.c @@ -530,7 +530,7 @@ void sprintf(char *str, const char *fmt, } /* - * Print formated string + * Print formatted string to console */ void printf(const char *fmt, ...) { @@ -538,7 +538,7 @@ void printf(const char *fmt, ...) va_list va; va_start(va, fmt); - vsprintf(buf, fmt, va); + vsnprintf(buf, sizeof(buf), fmt, va); sclp_print(buf); va_end(va); } ++++++ s390-tools-sles15sp2-02-zpcictl-Rename-misleading-sysfs_write_data.patch ++++++ Subject: [PATCH] [BZ 184174] zpcictl: Rename misleading sysfs_write_data From: Jan Hoeppner <[email protected]> Description: zpcictl: Initiate recover after reset Symptom: If a PCI function is reset using zpcictl --reset, the function is in an error state. Problem: zpcictl --reset only issues a SCLP reset and leaves the PCI function in an error state. Solution: Initiate an OS level recovery by calling /sys/bus/devices/<dev>/recover after the SCLP reset. Reproduction: Call zpcictl --reset <dev> Under z/VM check the state of the function with 'vmcp q pcif' Upstream-ID: d77234ddb68719819c7e8380c71dbebc555539ab Problem-ID: 184174 Upstream-Description: zpcictl: Rename misleading sysfs_write_data To sysfs_report_error as it only writes to the report_error attribute. Signed-off-by: Niklas Schnelle <[email protected]> Reviewed-by: Jan Hoeppner <[email protected]> Signed-off-by: Jan Hoeppner <[email protected]> Signed-off-by: Jan Hoeppner <[email protected]> --- zpcictl/zpcictl.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) --- a/zpcictl/zpcictl.c +++ b/zpcictl/zpcictl.c @@ -183,7 +183,7 @@ static void sysfs_write_value(struct zpc free(path); } -static void sysfs_write_data(struct zpci_report_error *report, char *slot) +static void sysfs_report_error(struct zpci_report_error *report, char *slot) { size_t r_size; char *path; @@ -308,7 +308,7 @@ static void sclp_issue_action(struct zpc sizeof(report.data.log_data)); free(sdata); } - sysfs_write_data(&report, pdev->slot); + sysfs_report_error(&report, pdev->slot); } /* ++++++ s390-tools-sles15sp2-03-zipl-libc-Replace-sprintf-with-snprintf.patch ++++++ Subject: [PATCH] [BZ 184060] zipl/libc: Replace sprintf with snprintf From: Philipp Rudo <[email protected]> Description: zipl/libc: Fix potential buffer overflow in printf Symptom: Crash of the zipl boot loader during boot. Problem: The zipl boot loaders have their own minimalistic libc implementation. In it printf and sprintf use vsprintf for string formatting. Per definition vsprintf assumes that the buffer it writes to is large enough to contain the formatted string and performs no size checks. This is problematic for the boot loaders because the buffer they use are often allocated on the stack. Thus even small changes to the string format can potentially cause buffer overflows on the stack. Solution: Implement vsnprintf and make use of it. Reproduction: Use printf to print a string with >81 characters (exact number depends on the stack layout/compiler used). Upstream-ID: f7430027b41d5ad6220e962a179c2a5213330a44 Problem-ID: 184060 Upstream-Description: zipl/libc: Replace sprintf with snprintf The use of sprintf can easily result in buffer overflows as it assumes that the buffer it writes to is large enough to contain the formatted string. Thus replace sprintf by snprintf and update its users. This removes the last user of vsprintf. Thus also remove vsprintf and its dependencies. Signed-off-by: Philipp Rudo <[email protected]> Reviewed-by: Marc Hartmayer <[email protected]> Reviewed-by: Stefan Haberland <[email protected]> Signed-off-by: Jan Hoeppner <[email protected]> Signed-off-by: Philipp Rudo <[email protected]> --- zipl/boot/libc.c | 132 +------------------------------------------------- zipl/boot/libc.h | 3 - zipl/boot/menu.c | 2 zipl/boot/tape2dump.c | 2 4 files changed, 6 insertions(+), 133 deletions(-) --- a/zipl/boot/libc.c +++ b/zipl/boot/libc.c @@ -126,81 +126,6 @@ int strncmp(const char *s1, const char * } /* - * Convert number to string - * - * Parameters: - * - * - buf: Output buffer - * - base: Base used for formatting (e.g. 10 or 16) - * - val: Number to format - * - zero: If > 0, fill with leading zeros, otherwise use blanks - * - count: Minimum number of characters used for output string - */ -static int num_to_str(char *buf, int base, unsigned long val, int zero, - unsigned long count) -{ - static const char conv_vec[] = {'0', '1', '2', '3', '4', '5', '6', '7', - '8', '9', 'a', 'b', 'c', 'd', 'e', 'f'}; - unsigned long num = 0, val_work = val, in_number = 1; - int i; - - /* Count number of characters needed for number */ - do { - num++; - val_work /= base; - } while (val_work); - /* Real character number overwrites count */ - if (count < num) - count = num; - /* Format number */ - for (i = count - 1; i >= 0; i--) { - if (in_number) { - buf[i] = conv_vec[val % base]; - val /= base; - in_number = val ? 1 : 0; - } else { - buf[i] = zero ? '0' : ' '; - } - } - buf[count] = 0; - return count; -} - -/* - * Convert string to string with indentation - */ -static int str_to_str(char *buf, const char *str, unsigned long count) -{ - unsigned long size; - - size = strlen(str); - if (count < size) - count = size; - else - memset(buf, ' ', count - size); - strcpy(buf + (count - size), str); - return count; -} - -/* - * Convert string to number with given base - */ -unsigned long strtoul(const char *nptr, char **endptr, int base) -{ - unsigned long val = 0; - - while (isdigit(*nptr)) { - if (val != 0) - val *= base; - val += *nptr - '0'; - nptr++; - } - if (endptr) - *endptr = (char *) nptr; - return val; -} - -/* * Convert ebcdic string to number with given base */ unsigned long ebcstrtoul(char *nptr, char **endptr, int base) @@ -467,65 +392,14 @@ static int vsnprintf(char *buf, unsigned } /* - * Convert string to number with given base - */ -static int sprintf_fmt(char type, char *buf, unsigned long val, int zero, - int count) -{ - switch (type) { - case 's': - return str_to_str(buf, (const char *) val, count); - case 'x': - return num_to_str(buf, 16, val, zero, count); - case 'u': - return num_to_str(buf, 10, val, zero, count); - default: - libc_stop(EINTERNAL); - } - return 0; -} - -/* - * Print formated string (va version) - */ -static void vsprintf(char *str, const char *fmt, va_list va) -{ - unsigned long val, zero, count; - char *fmt_next; - - do { - if (*fmt == '%') { - fmt++; - if (*fmt == '0') { - zero = 1; - fmt++; - } else { - zero = 0; - } - /* No number found by strtoul: count=0 fmt_next=fmt */ - count = strtoul(fmt, &fmt_next, 10); - fmt = fmt_next; - if (*fmt == 'l') - fmt++; - val = va_arg(va, unsigned long); - str += sprintf_fmt(*fmt, str, val, zero, count); - fmt++; - } else { - *str++ = *fmt++; - } - } while (*fmt); - *str = 0; -} - -/* - * Write formated string to string + * Write formatted string to buffer */ -void sprintf(char *str, const char *fmt, ...) +void snprintf(char *buf, unsigned long size, const char *fmt, ...) { va_list va; va_start(va, fmt); - vsprintf(str, fmt, va); + vsnprintf(buf, size, fmt, va); va_end(va); } --- a/zipl/boot/libc.h +++ b/zipl/boot/libc.h @@ -47,13 +47,12 @@ typedef unsigned short uint16_t; typedef unsigned char uint8_t; void printf(const char *, ...); -void sprintf(char *, const char *, ...); +void snprintf(char *buf, unsigned long size, const char *fmt, ...); void *memcpy(void *, const void *, unsigned long); void *memmove(void *, const void *, unsigned long); void *memset(void *, int c, unsigned long); char *strcat(char *, const char *); int strncmp(const char *, const char *, unsigned long); -unsigned long strtoul(const char *, char **, int); unsigned long ebcstrtoul(char *, char **, int); int strlen(const char *); char *strcpy(char *, const char *); --- a/zipl/boot/menu.c +++ b/zipl/boot/menu.c @@ -189,7 +189,7 @@ boot: (void *)&__stage2_params + TEXT_OFFSET)); /* append 'BOOT_IMAGE=<num>' to parmline */ - sprintf(endstring, " BOOT_IMAGE=%u", value); + snprintf(endstring, sizeof(endstring), " BOOT_IMAGE=%u", value); if ((strlen(cmd_line_extra) + strlen(endstring)) < COMMAND_LINE_SIZE) strcat(cmd_line_extra, endstring); --- a/zipl/boot/tape2dump.c +++ b/zipl/boot/tape2dump.c @@ -186,7 +186,7 @@ static void progress_print_disp(unsigned if (addr % (1024 * 1024 * 16) != 0) return; - sprintf(msg, "%08u", addr >> 20); + snprintf(msg, sizeof(msg), "%08u", addr >> 20); ccw_load_display(msg); } ++++++ s390-tools-sles15sp2-03-zpcitctl-Exit-on-error-in-sysfs_report_error.patch ++++++ Subject: [PATCH] [BZ 184174] zpcitctl: Exit on error in sysfs_report_error From: Jan Hoeppner <[email protected]> Description: zpcictl: Initiate recover after reset Symptom: If a PCI function is reset using zpcictl --reset, the function is in an error state. Problem: zpcictl --reset only issues a SCLP reset and leaves the PCI function in an error state. Solution: Initiate an OS level recovery by calling /sys/bus/devices/<dev>/recover after the SCLP reset. Reproduction: Call zpcictl --reset <dev> Under z/VM check the state of the function with 'vmcp q pcif' Upstream-ID: 304c3d8086bc2a9230c5404f9c9fec72de08d229 Problem-ID: 184174 Upstream-Description: zpcitctl: Exit on error in sysfs_report_error This also makes sure that we don't try to write to the /sys/bus/pci/device/<dev>/recover attribute if reset failed. Signed-off-by: Niklas Schnelle <[email protected]> Reviewed-by: Jan Hoeppner <[email protected]> Signed-off-by: Jan Hoeppner <[email protected]> Signed-off-by: Jan Hoeppner <[email protected]> --- zpcictl/zpcictl.c | 55 +++++++++++++++++++++++++++++++++++++----------------- 1 file changed, 38 insertions(+), 17 deletions(-) --- a/zpcictl/zpcictl.c +++ b/zpcictl/zpcictl.c @@ -97,6 +97,35 @@ static void fopen_err(char *path) exit(EXIT_FAILURE); } +static void fclose_err(char *path) +{ + if (errno == EIO || errno == EOPNOTSUPP) + warnx("Unsupported operation: %s: %s", path, strerror(errno)); + else + warnx("Could not close file: %s: %s", path, strerror(errno)); + free(path); + exit(EXIT_FAILURE); + +} + +static void fread_err(FILE *fp, char *path) +{ + warnx("Could not read file: %s: %s", path, strerror(errno)); + if (fclose(fp)) + fclose_err(path); + free(path); + exit(EXIT_FAILURE); +} + +static void fwrite_err(FILE *fp, char *path) +{ + warnx("Could not write to file: %s: %s", path, strerror(errno)); + if (fclose(fp)) + fclose_err(path); + free(path); + exit(EXIT_FAILURE); +} + #define READ_CHUNK_SIZE 512 static char *collect_smart_data(struct zpci_device *pdev) @@ -152,12 +181,10 @@ static unsigned int sysfs_read_value(str if (!fp) fopen_err(path); if (fscanf(fp, "%x", &val) != 1) { - fclose(fp); - warnx("Could not read file %s: %s", path, strerror(errno)); - free(path); - exit(EXIT_FAILURE); + fread_err(fp, path); } - fclose(fp); + if (fclose(fp)) + fclose_err(path); free(path); return val; @@ -174,12 +201,10 @@ static void sysfs_write_value(struct zpc if (!fp) fopen_err(path); if (fprintf(fp, "%x", val) < 0) { - fclose(fp); - warnx("Could not write to file %s: %s", path, strerror(errno)); - free(path); - exit(EXIT_FAILURE); + fwrite_err(fp, path); } - fclose(fp); + if (fclose(fp)) + fclose_err(path); free(path); } @@ -196,13 +221,9 @@ static void sysfs_report_error(struct zp if (!fp) fopen_err(path); if (fwrite(report, 1, r_size, fp) != r_size) - warnx("Could not write to file: %s: %s", path, strerror(errno)); - if (fclose(fp)) { - if (errno == EIO || errno == EOPNOTSUPP) - warnx("Unsupported operation: %s: %s", path, strerror(errno)); - else - warnx("Could not close file: %s: %s", path, strerror(errno)); - } + fwrite_err(fp, path); + if (fclose(fp)) + fclose_err(path); free(path); } ++++++ s390-tools-sles15sp2-04-zipl-libc-Indicate-truncated-lines-in-printf-with.patch ++++++ Subject: [PATCH] [BZ 184060] zipl/libc: Indicate truncated lines in printf with '...' From: Philipp Rudo <[email protected]> Description: zipl/libc: Fix potential buffer overflow in printf Symptom: Crash of the zipl boot loader during boot. Problem: The zipl boot loaders have their own minimalistic libc implementation. In it printf and sprintf use vsprintf for string formatting. Per definition vsprintf assumes that the buffer it writes to is large enough to contain the formatted string and performs no size checks. This is problematic for the boot loaders because the buffer they use are often allocated on the stack. Thus even small changes to the string format can potentially cause buffer overflows on the stack. Solution: Implement vsnprintf and make use of it. Reproduction: Use printf to print a string with >81 characters (exact number depends on the stack layout/compiler used). Upstream-ID: 36fed0e6c6590631c4ce1707c8fe3c3397bcce4d Problem-ID: 184060 Upstream-Description: zipl/libc: Indicate truncated lines in printf with '...' Append '...' to lines exceeding the maximum line length instead of silently truncating them. Suggested-by: Marc Hartmayer <[email protected]> Signed-off-by: Philipp Rudo <[email protected]> Reviewed-by: Marc Hartmayer <[email protected]> Reviewed-by: Stefan Haberland <[email protected]> Signed-off-by: Jan Hoeppner <[email protected]> Signed-off-by: Philipp Rudo <[email protected]> --- zipl/boot/libc.c | 10 ++++++++-- zipl/boot/libc.h | 1 + zipl/boot/menu.h | 1 - 3 files changed, 9 insertions(+), 3 deletions(-) --- a/zipl/boot/libc.c +++ b/zipl/boot/libc.c @@ -408,11 +408,17 @@ void snprintf(char *buf, unsigned long s */ void printf(const char *fmt, ...) { - char buf[81]; + char buf[LINE_LENGTH + 1]; + int len; va_list va; va_start(va, fmt); - vsnprintf(buf, sizeof(buf), fmt, va); + len = vsnprintf(buf, sizeof(buf), fmt, va); + if (len > LINE_LENGTH) { + buf[LINE_LENGTH - 1] = '.'; + buf[LINE_LENGTH - 2] = '.'; + buf[LINE_LENGTH - 3] = '.'; + } sclp_print(buf); va_end(va); } --- a/zipl/boot/libc.h +++ b/zipl/boot/libc.h @@ -40,6 +40,7 @@ #define ENOTTY 25 /* Not a typewriter */ #define MIB (1024ULL * 1024) +#define LINE_LENGTH 80 /* max line length printed by printf */ typedef unsigned long long uint64_t; typedef unsigned int uint32_t; --- a/zipl/boot/menu.h +++ b/zipl/boot/menu.h @@ -20,7 +20,6 @@ /* max command line length */ #define COMMAND_LINE_SIZE 896 #define BOOT_MENU_ENTRIES 63 -#define LINE_LENGTH 80 #define PARAM_SIZE 8 #define TEXT_OFFSET 4
