From patchwork Mon Apr 22 16:41:36 2024
X-Patchwork-Submitter: Bui Quang Minh
X-Patchwork-Id: 13638765
X-Patchwork-Delegate: kuba@kernel.org
From: Bui Quang Minh
Date: Mon, 22 Apr 2024 23:41:36 +0700
Subject: [PATCH 1/5] drivers/net/ethernet/intel-ice: ensure the copied buf is NULL terminated
X-Mailing-List: netdev@vger.kernel.org
Message-Id: <20240422-fix-oob-read-v1-1-e02854c30174@gmail.com>
References: <20240422-fix-oob-read-v1-0-e02854c30174@gmail.com>
In-Reply-To: <20240422-fix-oob-read-v1-0-e02854c30174@gmail.com>
To: Jesse Brandeburg, Tony Nguyen, "David S. Miller", Eric Dumazet, Jakub Kicinski, Paolo Abeni, Paul M Stillwell Jr, Rasesh Mody, Sudarsana Kalluru, GR-Linux-NIC-Dev@marvell.com, Krishna Gudipati, Anil Gurumurthy, Sudarsana Kalluru, "James E.J. Bottomley", "Martin K. Petersen", Fabian Frederick, Saurav Kashyap, Javed Hasan, GR-QLogic-Storage-Upstream@marvell.com, Nilesh Javali, Arun Easi, Manish Rangankar, Vineeth Vijayan, Peter Oberparleiter, Heiko Carstens, Vasily Gorbik, Alexander Gordeev, Christian Borntraeger, Sven Schnelle
Cc: intel-wired-lan@lists.osuosl.org, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, linux-scsi@vger.kernel.org, Saurav Kashyap, linux-s390@vger.kernel.org, Jens Axboe, Bui Quang Minh

Currently, we allocate a count-sized kernel buffer and copy count bytes
from userspace to that buffer. Later, we use sscanf on this buffer but we
don't ensure that the string is terminated inside the buffer, this can
lead to OOB read when using sscanf.

Fix this issue by using memdup_user_nul instead of memdup_user.

Fixes: 96a9a9341cda ("ice: configure FW logging")
Fixes: 73671c3162c8 ("ice: enable FW logging")
Signed-off-by: Bui Quang Minh
Reviewed-by: Przemek Kitszel
---
 drivers/net/ethernet/intel/ice/ice_debugfs.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/drivers/net/ethernet/intel/ice/ice_debugfs.c b/drivers/net/ethernet/intel/ice/ice_debugfs.c index d252d98218d0..9fc0fd95a13d 100644 --- a/drivers/net/ethernet/intel/ice/ice_debugfs.c +++ b/drivers/net/ethernet/intel/ice/ice_debugfs.c @@ -171,7 +171,7 @@ ice_debugfs_module_write(struct file *filp, const char __user *buf, if (*ppos != 0 || count > 8) return -EINVAL; - cmd_buf = memdup_user(buf, count); + cmd_buf = memdup_user_nul(buf, count); if (IS_ERR(cmd_buf)) return PTR_ERR(cmd_buf); @@ -257,7 +257,7 @@ ice_debugfs_nr_messages_write(struct file *filp, const char __user *buf, if (*ppos != 0 || count > 4) return -EINVAL; - cmd_buf = memdup_user(buf, count); + cmd_buf = memdup_user_nul(buf, count); if (IS_ERR(cmd_buf)) return PTR_ERR(cmd_buf); @@ -332,7 +332,7 @@ ice_debugfs_enable_write(struct file *filp, const char __user *buf, if (*ppos != 0 || count > 2) return -EINVAL; - cmd_buf = memdup_user(buf, count); + cmd_buf = memdup_user_nul(buf, count); if (IS_ERR(cmd_buf)) return PTR_ERR(cmd_buf); 
@@ -428,7 +428,7 @@ ice_debugfs_log_size_write(struct file *filp, const char __user *buf, if (*ppos != 0 || count > 5) return -EINVAL; - cmd_buf = memdup_user(buf, count); + cmd_buf = memdup_user_nul(buf, count); if (IS_ERR(cmd_buf)) return PTR_ERR(cmd_buf);

From patchwork Mon Apr 22 16:41:37 2024
X-Patchwork-Submitter: Bui Quang Minh
X-Patchwork-Id: 13638766
X-Patchwork-Delegate: kuba@kernel.org
From: Bui Quang Minh
Date: Mon, 22 Apr 2024 23:41:37 +0700
Subject: [PATCH 2/5] drivers/net/brocade-bnad: ensure the copied buf is NULL terminated
Message-Id: <20240422-fix-oob-read-v1-2-e02854c30174@gmail.com>
References: <20240422-fix-oob-read-v1-0-e02854c30174@gmail.com>
In-Reply-To: <20240422-fix-oob-read-v1-0-e02854c30174@gmail.com>

Currently, we allocate a nbytes-sized kernel buffer and copy nbytes from
userspace to that buffer. Later, we use sscanf on this buffer but we don't
ensure that the string is terminated inside the buffer, this can lead to
OOB read when using sscanf.

Fix this issue by using memdup_user_nul instead of memdup_user.

Fixes: 7afc5dbde091 ("bna: Add debugfs interface.")
Signed-off-by: Bui Quang Minh
---
 drivers/net/ethernet/brocade/bna/bnad_debugfs.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/net/ethernet/brocade/bna/bnad_debugfs.c b/drivers/net/ethernet/brocade/bna/bnad_debugfs.c index 7246e13dd559..97291bfbeea5 100644 --- a/drivers/net/ethernet/brocade/bna/bnad_debugfs.c
+++ b/drivers/net/ethernet/brocade/bna/bnad_debugfs.c @@ -312,7 +312,7 @@ bnad_debugfs_write_regrd(struct file *file, const char __user *buf, void *kern_buf; /* Copy the user space buf */ - kern_buf = memdup_user(buf, nbytes); + kern_buf = memdup_user_nul(buf, nbytes); if (IS_ERR(kern_buf)) return PTR_ERR(kern_buf); 
@@ -372,7 +372,7 @@ bnad_debugfs_write_regwr(struct file *file, const char __user *buf, void *kern_buf; /* Copy the user space buf */ - kern_buf = memdup_user(buf, nbytes); + kern_buf = memdup_user_nul(buf, nbytes); if (IS_ERR(kern_buf)) return PTR_ERR(kern_buf);

From patchwork Mon Apr 22 16:41:38 2024
X-Patchwork-Submitter: Bui Quang Minh
X-Patchwork-Id: 13638767
From: Bui Quang Minh
Date: Mon, 22 Apr 2024 23:41:38 +0700
Subject: [PATCH 3/5] drivers/scsi/bfa/bfad: ensure the copied buf is NULL terminated
Message-Id: <20240422-fix-oob-read-v1-3-e02854c30174@gmail.com>
References: <20240422-fix-oob-read-v1-0-e02854c30174@gmail.com>
In-Reply-To: <20240422-fix-oob-read-v1-0-e02854c30174@gmail.com>

Currently, we allocate a nbytes-sized kernel buffer and copy nbytes from
userspace to that buffer. Later, we use sscanf on this buffer but we don't
ensure that the string is terminated inside the buffer, this can lead to
OOB read when using sscanf.

Fix this issue by using memdup_user_nul instead of memdup_user.

Fixes: 9f30b674759b ("bfa: replace 2 kzalloc/copy_from_user by memdup_user")
Signed-off-by: Bui Quang Minh
---
 drivers/scsi/bfa/bfad_debugfs.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/scsi/bfa/bfad_debugfs.c b/drivers/scsi/bfa/bfad_debugfs.c index 52db147d9979..f6dd077d47c9 100644 --- a/drivers/scsi/bfa/bfad_debugfs.c +++ b/drivers/scsi/bfa/bfad_debugfs.c
@@ -250,7 +250,7 @@ bfad_debugfs_write_regrd(struct file *file, const char __user *buf, unsigned long flags; void *kern_buf; - kern_buf = memdup_user(buf, nbytes); + kern_buf = memdup_user_nul(buf, nbytes); if (IS_ERR(kern_buf)) return PTR_ERR(kern_buf); 
@@ -317,7 +317,7 @@ bfad_debugfs_write_regwr(struct file *file, const char __user *buf, unsigned long flags; void *kern_buf; - kern_buf = memdup_user(buf, nbytes); + kern_buf = memdup_user_nul(buf, nbytes); if (IS_ERR(kern_buf)) return PTR_ERR(kern_buf);

From patchwork Mon Apr 22 16:41:39 2024
X-Patchwork-Submitter: Bui Quang Minh
X-Patchwork-Id: 13638768
From: Bui Quang Minh
Date: Mon, 22 Apr 2024 23:41:39 +0700
Subject: [PATCH 4/5] drivers/scsi/qedf: ensure the copied buf is NULL terminated
Message-Id: <20240422-fix-oob-read-v1-4-e02854c30174@gmail.com>
References: <20240422-fix-oob-read-v1-0-e02854c30174@gmail.com>
In-Reply-To: <20240422-fix-oob-read-v1-0-e02854c30174@gmail.com>

Currently, we allocate a count-sized kernel buffer and copy count from
userspace to that buffer. Later, we use kstrtouint on this buffer but we
don't ensure that the string is terminated inside the buffer, this can
lead to OOB read when using kstrtouint.

Fix this issue by using memdup_user_nul instead of memdup_user.

Fixes: 61d8658b4a43 ("scsi: qedf: Add QLogic FastLinQ offload FCoE driver framework.")
Signed-off-by: Bui Quang Minh
---
 drivers/scsi/qedf/qedf_debugfs.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/scsi/qedf/qedf_debugfs.c b/drivers/scsi/qedf/qedf_debugfs.c index 451fd236bfd0..96174353e389 100644 --- a/drivers/scsi/qedf/qedf_debugfs.c +++ b/drivers/scsi/qedf/qedf_debugfs.c
@@ -170,7 +170,7 @@ qedf_dbg_debug_cmd_write(struct file *filp, const char __user *buffer, if (!count || *ppos) return 0; - kern_buf = memdup_user(buffer, count); + kern_buf = memdup_user_nul(buffer, count); if (IS_ERR(kern_buf)) return PTR_ERR(kern_buf);

From patchwork Mon Apr 22 16:41:40 2024
X-Patchwork-Submitter: Bui Quang Minh
X-Patchwork-Id: 13638769
From: Bui Quang Minh
Date: Mon, 22 Apr 2024 23:41:40 +0700
Subject: [PATCH 5/5] drivers/s390/cio: ensure the copied buf is NULL terminated
Message-Id: <20240422-fix-oob-read-v1-5-e02854c30174@gmail.com>
References: <20240422-fix-oob-read-v1-0-e02854c30174@gmail.com>
In-Reply-To: <20240422-fix-oob-read-v1-0-e02854c30174@gmail.com>

Currently, we allocate a lbuf-sized kernel buffer and copy lbuf from
userspace to that buffer. Later, we use scanf on this buffer but we don't
ensure that the string is terminated inside the buffer, this can lead to
OOB read when using scanf.

Fix this issue by allocating 1 more byte at the end of buffer and write
NULL terminator to the end of buffer after userspace copying.

Fixes: a4f17cc72671 ("s390/cio: add CRW inject functionality")
Signed-off-by: Bui Quang Minh
---
 drivers/s390/cio/cio_inject.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/drivers/s390/cio/cio_inject.c b/drivers/s390/cio/cio_inject.c index 8613fa937237..9b69fbf49f60 100644 --- a/drivers/s390/cio/cio_inject.c +++ b/drivers/s390/cio/cio_inject.c
@@ -95,10 +95,11 @@ static ssize_t crw_inject_write(struct file *file, const char __user *buf, return -EINVAL; } - buffer = vmemdup_user(buf, lbuf); + buffer = vmemdup_user(buf, lbuf + 1); if (IS_ERR(buffer)) return -ENOMEM; + buffer[lbuf] = '\0'; rc = sscanf(buffer, "%x %x %x %x %x %x %x", &slct, &oflw, &chn, &rsc, &anc, &erc, &rsid);
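
Review bot: In crw_inject_write() (patch 5/5), `buffer = vmemdup_user(buf, lbuf + 1);` does not only allocate one extra byte, it also copies lbuf + 1 bytes from the user pointer, one more than the writer supplied. That reads a byte past the user's buffer, so the copy fails when that byte is not mapped, and it does not match the commit message, which describes allocating one more byte and terminating after the copy. The other four patches in this series use memdup_user_nul(), which copies exactly the given length and terminates the result; memdup_user_nul(buf, lbuf) here would make the added `buffer[lbuf] = '\0';` line unnecessary, provided the buffer is then released with kfree(). Separately, the unchanged error path returns -ENOMEM for every failure, where PTR_ERR(buffer) would preserve the real error code as the other hunks do.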
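
Review bot: In qedf_dbg_debug_cmd_write() (patch 4/5), the only check on count visible before the copy is `if (!count || *ppos) return 0;`, so the allocation size, now count + 1 with memdup_user_nul(), is whatever length the writer passes. The commit message says the buffer is parsed with kstrtouint, so a small upper bound on count, rejected with -EINVAL the way the ice handlers in patch 1/5 do with `count > 8`, would fit here and could go in alongside the termination fix.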