From: Bui Quang Minh
Date: Wed, 24 Apr 2024 21:44:18 +0700
Subject: [PATCH v2 1/6] ice: ensure the copied buf is NUL terminated
Message-Id: <20240424-fix-oob-read-v2-1-f1f1b53a10f4@gmail.com>
To: Jesse Brandeburg, Tony Nguyen, "David S. Miller", Eric Dumazet, Jakub Kicinski, Paolo Abeni, Paul M Stillwell Jr, Rasesh Mody, Sudarsana Kalluru, GR-Linux-NIC-Dev@marvell.com, Anil Gurumurthy, Sudarsana Kalluru, "James E.J. Bottomley", "Martin K. Petersen", Fabian Frederick, Saurav Kashyap, GR-QLogic-Storage-Upstream@marvell.com, Nilesh Javali, Arun Easi, Manish Rangankar, Vineeth Vijayan, Peter Oberparleiter, Heiko Carstens, Vasily Gorbik, Alexander Gordeev, Christian Borntraeger, Sven Schnelle, Sunil Goutham, Linu Cherian, Geetha sowjanya, Jerin Jacob, hariprasad, Subbaraya Sundeep
Cc: intel-wired-lan@lists.osuosl.org, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, linux-scsi@vger.kernel.org, Saurav Kashyap, linux-s390@vger.kernel.org, Jens Axboe, Bui Quang Minh, Przemek Kitszel

Currently, we allocate a count-sized kernel buffer and copy count bytes from userspace to that buffer. Later, we use sscanf on this buffer but we don't ensure that the string is terminated inside the buffer, this can lead to OOB read when using sscanf.

Fix this issue by using memdup_user_nul instead of memdup_user.

Fixes: 96a9a9341cda ("ice: configure FW logging")
Fixes: 73671c3162c8 ("ice: enable FW logging")
Reviewed-by: Przemek Kitszel
Signed-off-by: Bui Quang Minh --- drivers/net/ethernet/intel/ice/ice_debugfs.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/drivers/net/ethernet/intel/ice/ice_debugfs.c b/drivers/net/eth= ernet/intel/ice/ice_debugfs.c index d252d98218d0..9fc0fd95a13d 100644 --- a/drivers/net/ethernet/intel/ice/ice_debugfs.c +++ b/drivers/net/ethernet/intel/ice/ice_debugfs.c @@ -171,7 +171,7 @@ ice_debugfs_module_write(struct file *filp, const char = __user *buf, if (*ppos !=3D 0 || count > 8) return -EINVAL; =20 - cmd_buf =3D memdup_user(buf, count); + cmd_buf =3D memdup_user_nul(buf, count); if (IS_ERR(cmd_buf)) return PTR_ERR(cmd_buf); =20 @@ -257,7 +257,7 @@ ice_debugfs_nr_messages_write(struct file *filp, const = char __user *buf, if (*ppos !=3D 0 || count > 4) return -EINVAL; =20 - cmd_buf =3D memdup_user(buf, count); + cmd_buf =3D memdup_user_nul(buf, count); if (IS_ERR(cmd_buf)) return PTR_ERR(cmd_buf); =20 @@ -332,7 +332,7 @@ ice_debugfs_enable_write(struct file *filp, const char = __user *buf, if (*ppos !=3D 0 || count > 2) return -EINVAL; =20 - cmd_buf =3D memdup_user(buf, count); + cmd_buf =3D memdup_user_nul(buf, count); if (IS_ERR(cmd_buf)) return PTR_ERR(cmd_buf); =20 
@@ -428,7 +428,7 @@ ice_debugfs_log_size_write(struct file *filp, const cha= r __user *buf, if (*ppos !=3D 0 || count > 5) return -EINVAL; =20 - cmd_buf =3D memdup_user(buf, count); + cmd_buf =3D memdup_user_nul(buf, count); if (IS_ERR(cmd_buf)) return PTR_ERR(cmd_buf); =20 --=20 2.34.1
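Review bot: in all four ice_debugfs_*_write() hunks the length limits checked just before the copy ("count > 8", "count > 4", "count > 2", "count > 5") are bare literals, and with memdup_user_nul() the allocation becomes count + 1 bytes, so a short comment or named constants stating that each limit is the maximum input length excluding the terminator would make the sizing explicit. The check-then-copy sequence is also repeated verbatim in each handler; a small shared helper taking the maximum length would keep the four call sites from drifting apart.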
From: Bui Quang Minh
Date: Wed, 24 Apr 2024 21:44:19 +0700
Subject: [PATCH v2 2/6] bna: ensure the copied buf is NUL terminated
Message-Id: <20240424-fix-oob-read-v2-2-f1f1b53a10f4@gmail.com>

Currently, we allocate a nbytes-sized kernel buffer and copy nbytes from userspace to that buffer. Later, we use sscanf on this buffer but we don't ensure that the string is terminated inside the buffer, this can lead to OOB read when using sscanf.

Fix this issue by using memdup_user_nul instead of memdup_user.

Fixes: 7afc5dbde091 ("bna: Add debugfs interface.")
Signed-off-by: Bui Quang Minh
---
 drivers/net/ethernet/brocade/bna/bnad_debugfs.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/net/ethernet/brocade/bna/bnad_debugfs.c b/drivers/net/= ethernet/brocade/bna/bnad_debugfs.c index 7246e13dd559..97291bfbeea5 100644 --- a/drivers/net/ethernet/brocade/bna/bnad_debugfs.c +++ b/drivers/net/ethernet/brocade/bna/bnad_debugfs.c @@ -312,7 +312,7 @@ bnad_debugfs_write_regrd(struct file *file, const char = __user *buf, void *kern_buf; =20 /* Copy the user space buf */ - kern_buf =3D memdup_user(buf, nbytes); + kern_buf =3D memdup_user_nul(buf, nbytes); if (IS_ERR(kern_buf)) return PTR_ERR(kern_buf); =20 
@@ -372,7 +372,7 @@ bnad_debugfs_write_regwr(struct file *file, const char = __user *buf, void *kern_buf; =20 /* Copy the user space buf */ - kern_buf =3D memdup_user(buf, nbytes); + kern_buf =3D memdup_user_nul(buf, nbytes); if (IS_ERR(kern_buf)) return PTR_ERR(kern_buf); =20 --=20 2.34.1
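Review bot: neither bnad_debugfs_write_regrd() nor bnad_debugfs_write_regwr() shows a bound on nbytes in the context before the copy, whereas the ice handlers in patch 1/6 reject oversized writes with -EINVAL first. If nbytes is not limited elsewhere in these functions, add a check ahead of "kern_buf = memdup_user_nul(buf, nbytes);" so the size of the kernel allocation is not left entirely to the writer.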
From: Bui Quang Minh
Date: Wed, 24 Apr 2024 21:44:20 +0700
Subject: [PATCH v2 3/6] bfa: ensure the copied buf is NUL terminated
Message-Id: <20240424-fix-oob-read-v2-3-f1f1b53a10f4@gmail.com>

Currently, we allocate a nbytes-sized kernel buffer and copy nbytes from userspace to that buffer. Later, we use sscanf on this buffer but we don't ensure that the string is terminated inside the buffer, this can lead to OOB read when using sscanf.

Fix this issue by using memdup_user_nul instead of memdup_user.

Fixes: 9f30b674759b ("bfa: replace 2 kzalloc/copy_from_user by memdup_user")
Signed-off-by: Bui Quang Minh
---
 drivers/scsi/bfa/bfad_debugfs.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/scsi/bfa/bfad_debugfs.c b/drivers/scsi/bfa/bfad_debugf= s.c index 52db147d9979..f6dd077d47c9 100644 --- a/drivers/scsi/bfa/bfad_debugfs.c +++ b/drivers/scsi/bfa/bfad_debugfs.c @@ -250,7 +250,7 @@ bfad_debugfs_write_regrd(struct file *file, const char = __user *buf, unsigned long flags; void *kern_buf; =20 - kern_buf =3D memdup_user(buf, nbytes); + kern_buf =3D memdup_user_nul(buf, nbytes); if (IS_ERR(kern_buf)) return PTR_ERR(kern_buf); =20 
@@ -317,7 +317,7 @@ bfad_debugfs_write_regwr(struct file *file, const char = __user *buf, unsigned long flags; void *kern_buf; =20 - kern_buf =3D memdup_user(buf, nbytes); + kern_buf =3D memdup_user_nul(buf, nbytes); if (IS_ERR(kern_buf)) return PTR_ERR(kern_buf); =20 --=20 2.34.1
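Review bot: in both bfad_debugfs_write_regrd() and bfad_debugfs_write_regwr() kern_buf stays declared as "void *kern_buf;" although after this change it is explicitly a NUL-terminated string handed to sscanf; declaring it char * would make that contract visible where the buffer is parsed. On the tags, the Fixes: line names the commit that converted kzalloc/copy_from_user to memdup_user; if the earlier code also allocated exactly nbytes, the unterminated buffer predates that conversion and the tag should point further back.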
From: Bui Quang Minh
Date: Wed, 24 Apr 2024 21:44:21 +0700
Subject: [PATCH v2 4/6] qedf: ensure the copied buf is NUL terminated
Message-Id: <20240424-fix-oob-read-v2-4-f1f1b53a10f4@gmail.com>

Currently, we allocate a count-sized kernel buffer and copy count from userspace to that buffer. Later, we use kstrtouint on this buffer but we don't ensure that the string is terminated inside the buffer, this can lead to OOB read when using kstrtouint.

Fix this issue by using memdup_user_nul instead of memdup_user.

Fixes: 61d8658b4a43 ("scsi: qedf: Add QLogic FastLinQ offload FCoE driver framework.")
Signed-off-by: Bui Quang Minh
---
 drivers/scsi/qedf/qedf_debugfs.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/scsi/qedf/qedf_debugfs.c b/drivers/scsi/qedf/qedf_debu= gfs.c index 451fd236bfd0..96174353e389 100644 --- a/drivers/scsi/qedf/qedf_debugfs.c +++ b/drivers/scsi/qedf/qedf_debugfs.c 
@@ -170,7 +170,7 @@ qedf_dbg_debug_cmd_write(struct file *filp, const char = __user *buffer, if (!count || *ppos) return 0; =20 - kern_buf =3D memdup_user(buffer, count); + kern_buf =3D memdup_user_nul(buffer, count); if (IS_ERR(kern_buf)) return PTR_ERR(kern_buf); =20 --=20 2.34.1
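Review bot: the guard ahead of the copy in qedf_dbg_debug_cmd_write(), "if (!count || *ppos) return 0;", rejects only an empty write or a non-zero offset, and no upper limit on count is visible before "memdup_user_nul(buffer, count)". Since the commit message says the buffer is parsed with kstrtouint, a small cap on count that returns -EINVAL for longer input would bound the allocation to what a single unsigned integer can need. Returning 0 for a non-zero *ppos also reports that nothing was written rather than an error, which is worth confirming as intended while touching this path.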
From: Bui Quang Minh
Date: Wed, 24 Apr 2024 21:44:22 +0700
Subject: [PATCH v2 5/6] cio: ensure the copied buf is NUL terminated
Message-Id: <20240424-fix-oob-read-v2-5-f1f1b53a10f4@gmail.com>

Currently, we allocate a lbuf-sized kernel buffer and copy lbuf from userspace to that buffer. Later, we use scanf on this buffer but we don't ensure that the string is terminated inside the buffer, this can lead to OOB read when using scanf.

Fix this issue by using memdup_user_nul instead.

Fixes: a4f17cc72671 ("s390/cio: add CRW inject functionality")
Signed-off-by: Bui Quang Minh
Reviewed-by: Heiko Carstens
---
 drivers/s390/cio/cio_inject.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/s390/cio/cio_inject.c b/drivers/s390/cio/cio_inject.c index 8613fa937237..a2e771ebae8e 100644
--- a/drivers/s390/cio/cio_inject.c +++ b/drivers/s390/cio/cio_inject.c 
@@ -95,7 +95,7 @@ static ssize_t crw_inject_write(struct file *file, const = char __user *buf, return -EINVAL; } =20 - buffer =3D vmemdup_user(buf, lbuf); + buffer =3D memdup_user_nul(buf, lbuf); if (IS_ERR(buffer)) return -ENOMEM; =20 --=20 2.34.1
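Review bot: in the crw_inject_write() hunk of patch 5/6, the one changed line replaces vmemdup_user() with memdup_user_nul(), which also moves "buffer" from a kvmalloc-backed allocation to a kmalloc-backed one, while the diffstat (1 insertion, 1 deletion) shows that the release path is untouched. Please check how "buffer" is freed later in the function and switch it to kfree() if it is currently kvfree(), so the allocation and the free call stay paired. Separately, the context line below the change, "if (IS_ERR(buffer)) return -ENOMEM;", reports a failed user copy (-EFAULT) as out of memory; "return PTR_ERR(buffer);" would pass the real error through. The subject prefix could also be "s390/cio:" to match the commit named in the Fixes tag.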
From: Bui Quang Minh
Date: Wed, 24 Apr 2024 21:44:23 +0700
Subject: [PATCH v2 6/6] octeontx2-af: avoid off-by-one read from userspace
X-Mailing-List: linux-kernel@vger.kernel.org
Content-Transfer-Encoding: quoted-printable
Message-Id: <20240424-fix-oob-read-v2-6-f1f1b53a10f4@gmail.com>
References: <20240424-fix-oob-read-v2-0-f1f1b53a10f4@gmail.com>
In-Reply-To: <20240424-fix-oob-read-v2-0-f1f1b53a10f4@gmail.com>
To: Jesse Brandeburg, Tony Nguyen, "David S. Miller", Eric Dumazet, Jakub Kicinski, Paolo Abeni, Paul M Stillwell Jr, Rasesh Mody, Sudarsana Kalluru, GR-Linux-NIC-Dev@marvell.com, Anil Gurumurthy, Sudarsana Kalluru, "James E.J. Bottomley", "Martin K. Petersen", Fabian Frederick, Saurav Kashyap, GR-QLogic-Storage-Upstream@marvell.com, Nilesh Javali, Arun Easi, Manish Rangankar, Vineeth Vijayan, Peter Oberparleiter, Heiko Carstens, Vasily Gorbik, Alexander Gordeev, Christian Borntraeger, Sven Schnelle, Sunil Goutham, Linu Cherian, Geetha sowjanya, Jerin Jacob, hariprasad, Subbaraya Sundeep
Cc: intel-wired-lan@lists.osuosl.org, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, linux-scsi@vger.kernel.org, Saurav Kashyap, linux-s390@vger.kernel.org, Jens Axboe, Bui Quang Minh
X-Mailer: b4 0.13.0

We try to access count + 1 byte from userspace with memdup_user(buffer,
count + 1). However, the userspace only provides buffer of count bytes and
only these count bytes are verified to be okay to access. To ensure the
copied buffer is NUL terminated, we use memdup_user_nul instead.

Fixes: 3a2eb515d136 ("octeontx2-af: Fix an off by one in rvu_dbg_qsize_write()")
Signed-off-by: Bui Quang Minh
---
 drivers/net/ethernet/marvell/octeontx2/af/rvu_debugfs.c | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/drivers/net/ethernet/marvell/octeontx2/af/rvu_debugfs.c b/driv= ers/net/ethernet/marvell/octeontx2/af/rvu_debugfs.c index 2500f5ba4f5a..881d704644fb 100644 --- a/drivers/net/ethernet/marvell/octeontx2/af/rvu_debugfs.c +++ b/drivers/net/ethernet/marvell/octeontx2/af/rvu_debugfs.c @@ -999,12 +999,10 @@ static ssize_t rvu_dbg_qsize_write(struct file *filp, u16 pcifunc; int ret, lf; =20 - cmd_buf =3D memdup_user(buffer, count + 1); + cmd_buf =3D memdup_user_nul(buffer, count); if (IS_ERR(cmd_buf)) return -ENOMEM; =20 - cmd_buf[count] =3D '\0'; - cmd_buf_tmp =3D strchr(cmd_buf, '\n'); if (cmd_buf_tmp) { *cmd_buf_tmp =3D '\0'; --=20 2.34.1
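Review bot: in the rvu_dbg_qsize_write() hunk of patch 6/6, the unchanged check right after the new memdup_user_nul() call, "if (IS_ERR(cmd_buf)) return -ENOMEM;", still turns every failure into -ENOMEM, so a faulting user pointer (-EFAULT) is misreported to the caller. Since this patch already touches the allocation, consider "return PTR_ERR(cmd_buf);" here or in a follow-up. The change itself looks right: the copy no longer reads count + 1 bytes from a count-byte user buffer, and dropping the manual cmd_buf[count] = '\0' is safe because memdup_user_nul() writes the terminator at that index.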