[next] RDMA/bnxt_re: Fix buffer overflow in debugfs code

Message ID	a6b081ab-55fe-4d0c-8f69-c5e5a59e9141@stanley.mountain (mailing list archive)
State	Accepted
Headers	show Received: from mail-wr1-f52.google.com (mail-wr1-f52.google.com [209.85.221.52]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 847B81DD529 for <linux-rdma@vger.kernel.org>; Fri, 7 Feb 2025 09:16:24 +0000 (UTC) Date: Fri, 7 Feb 2025 12:16:19 +0300 From: Dan Carpenter <dan.carpenter@linaro.org> To: Selvin Xavier <selvin.xavier@broadcom.com> Cc: Kalesh AP <kalesh-anakkur.purayil@broadcom.com>, Jason Gunthorpe <jgg@ziepe.ca>, Leon Romanovsky <leon@kernel.org>, linux-rdma@vger.kernel.org, linux-kernel@vger.kernel.org, kernel-janitors@vger.kernel.org Subject: [PATCH next] RDMA/bnxt_re: Fix buffer overflow in debugfs code Message-ID: <a6b081ab-55fe-4d0c-8f69-c5e5a59e9141@stanley.mountain> Precedence: bulk MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline
Series	[next] RDMA/bnxt_re: Fix buffer overflow in debugfs code \| expand [next] RDMA/bnxt_re: Fix buffer overflow in debugfs code

Message ID

a6b081ab-55fe-4d0c-8f69-c5e5a59e9141@stanley.mountain (mailing list archive)

State

Accepted

Headers

Date: Fri, 7 Feb 2025 12:16:19 +0300
From: Dan Carpenter <dan.carpenter@linaro.org>
To: Selvin Xavier <selvin.xavier@broadcom.com>
Cc: Kalesh AP <kalesh-anakkur.purayil@broadcom.com>,
	Jason Gunthorpe <jgg@ziepe.ca>, Leon Romanovsky <leon@kernel.org>,
	linux-rdma@vger.kernel.org, linux-kernel@vger.kernel.org,
	kernel-janitors@vger.kernel.org
Subject: [PATCH next] RDMA/bnxt_re: Fix buffer overflow in debugfs code
Message-ID: <a6b081ab-55fe-4d0c-8f69-c5e5a59e9141@stanley.mountain>
Precedence: bulk
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline

Series

[next] RDMA/bnxt_re: Fix buffer overflow in debugfs code | expand

Commit Message

Dan Carpenter Feb. 7, 2025, 9:16 a.m. UTC

Add some bounds checking to prevent memory corruption in
bnxt_re_cc_config_set().  This is debugfs code so the bug can only be
triggered by root.

Fixes: 656dff55da19 ("RDMA/bnxt_re: Congestion control settings using debugfs hook")
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
---
 drivers/infiniband/hw/bnxt_re/debugfs.c | 3 +++
 1 file changed, 3 insertions(+)

Comments

Selvin Xavier Feb. 8, 2025, 1:19 p.m. UTC | #1

On Fri, Feb 7, 2025 at 2:46 PM Dan Carpenter <dan.carpenter@linaro.org> wrote:
>
> Add some bounds checking to prevent memory corruption in
> bnxt_re_cc_config_set().  This is debugfs code so the bug can only be
> triggered by root.
>
> Fixes: 656dff55da19 ("RDMA/bnxt_re: Congestion control settings using debugfs hook")
> Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
Acked-by: Selvin Xavier <selvin.xavier@broadcom.com>

Thanks,
Selvin
> ---
>  drivers/infiniband/hw/bnxt_re/debugfs.c | 3 +++
>  1 file changed, 3 insertions(+)
>
> diff --git a/drivers/infiniband/hw/bnxt_re/debugfs.c b/drivers/infiniband/hw/bnxt_re/debugfs.c
> index f4dd2fb51867..d7354e7753fe 100644
> --- a/drivers/infiniband/hw/bnxt_re/debugfs.c
> +++ b/drivers/infiniband/hw/bnxt_re/debugfs.c
> @@ -285,6 +285,9 @@ static ssize_t bnxt_re_cc_config_set(struct file *filp, const char __user *buffe
>         u32 val;
>         int rc;
>
> +       if (count >= sizeof(buf))
> +               return -EINVAL;
> +
>         if (copy_from_user(buf, buffer, count))
>                 return -EFAULT;
>
> --
> 2.47.2
>

Leon Romanovsky Feb. 9, 2025, 9:58 a.m. UTC | #2

On Fri, 07 Feb 2025 12:16:19 +0300, Dan Carpenter wrote:
> Add some bounds checking to prevent memory corruption in
> bnxt_re_cc_config_set().  This is debugfs code so the bug can only be
> triggered by root.
> 
> 

Applied, thanks!

[1/1] RDMA/bnxt_re: Fix buffer overflow in debugfs code
      https://git.kernel.org/rdma/rdma/c/dbc641ecf1cbd4

Best regards,

diff --git a/drivers/infiniband/hw/bnxt_re/debugfs.c b/drivers/infiniband/hw/bnxt_re/debugfs.c
index f4dd2fb51867..d7354e7753fe 100644
--- a/drivers/infiniband/hw/bnxt_re/debugfs.c
+++ b/drivers/infiniband/hw/bnxt_re/debugfs.c
@@ -285,6 +285,9 @@  static ssize_t bnxt_re_cc_config_set(struct file *filp, const char __user *buffe
 	u32 val;
 	int rc;
 
+	if (count >= sizeof(buf))
+		return -EINVAL;
+
 	if (copy_from_user(buf, buffer, count))
 		return -EFAULT;

[next] RDMA/bnxt_re: Fix buffer overflow in debugfs code

Commit Message

Comments

Patch