On 4/23/24 13:10, Marcin Szycik wrote:
On 22.04.2024 18:41, Bui Quang Minh wrote:
Hi everyone,
I found that some drivers contains an out-of-bound read pattern like this
kern_buf = memdup_user(user_buf, count);
...
sscanf(kern_buf, ...);
The sscanf can be replaced by some other string-related functions. This
pattern can lead to out-of-bound read of kern_buf in string-related
functions.
This series fix the above issue by replacing memdup_user with
memdup_user_nul or allocating count + 1 buffer then writing the NULL
terminator to end of buffer after userspace copying.
Thanks,
Quang Minh.
Signed-off-by: Bui Quang Minh <minhquangbui99@xxxxxxxxx>
---
Bui Quang Minh (5):
drivers/net/ethernet/intel-ice: ensure the copied buf is NULL terminated
drivers/net/brocade-bnad: ensure the copied buf is NULL terminated
drivers/scsi/bfa/bfad: ensure the copied buf is NULL terminated
drivers/scsi/qedf: ensure the copied buf is NULL terminated
drivers/s390/cio: ensure the copied buf is NULL terminated
Typically you don't include path to module in title, instead:
ice: ensure the copied buf is NULL terminated
bna: ensure the copied buf is NULL terminated
etc.
good point,
if you would respin, then the character name is NUL, not NULL.
drivers/net/ethernet/brocade/bna/bnad_debugfs.c | 4 ++--
drivers/net/ethernet/intel/ice/ice_debugfs.c | 8 ++++----
drivers/s390/cio/cio_inject.c | 3 ++-
drivers/scsi/bfa/bfad_debugfs.c | 4 ++--
drivers/scsi/qedf/qedf_debugfs.c | 2 +-
5 files changed, 11 insertions(+), 10 deletions(-)
---
base-commit: ed30a4a51bb196781c8058073ea720133a65596f
change-id: 20240422-fix-oob-read-19ae7f8f3711
Best regards,
Thanks,
Marcin