Hi everyone, I found that some drivers contains an out-of-bound read pattern like this kern_buf = memdup_user(user_buf, count); ... sscanf(kern_buf, ...); The sscanf can be replaced by some other string-related functions. This pattern can lead to out-of-bound read of kern_buf in string-related functions. This series fix the above issue by replacing memdup_user with memdup_user_nul. Thanks, Quang Minh. To: Jesse Brandeburg <jesse.brandeburg@xxxxxxxxx> To: Tony Nguyen <anthony.l.nguyen@xxxxxxxxx> To: David S. Miller <davem@xxxxxxxxxxxxx> To: Eric Dumazet <edumazet@xxxxxxxxxx> To: Jakub Kicinski <kuba@xxxxxxxxxx> To: Paolo Abeni <pabeni@xxxxxxxxxx> To: Paul M Stillwell Jr <paul.m.stillwell.jr@xxxxxxxxx> To: Rasesh Mody <rmody@xxxxxxxxxxx> To: Sudarsana Kalluru <skalluru@xxxxxxxxxxx> To: GR-Linux-NIC-Dev@xxxxxxxxxxx To: Anil Gurumurthy <anil.gurumurthy@xxxxxxxxxx> To: Sudarsana Kalluru <sudarsana.kalluru@xxxxxxxxxx> To: James E.J. Bottomley <James.Bottomley@xxxxxxxxxxxxxxxxxxxxx> To: Martin K. Petersen <martin.petersen@xxxxxxxxxx> To: Fabian Frederick <fabf@xxxxxxxxx> To: Saurav Kashyap <skashyap@xxxxxxxxxxx> To: GR-QLogic-Storage-Upstream@xxxxxxxxxxx To: Nilesh Javali <nilesh.javali@xxxxxxxxxx> To: Arun Easi <arun.easi@xxxxxxxxxx> To: Manish Rangankar <manish.rangankar@xxxxxxxxxx> To: Vineeth Vijayan <vneethv@xxxxxxxxxxxxx> To: Peter Oberparleiter <oberpar@xxxxxxxxxxxxx> To: Heiko Carstens <hca@xxxxxxxxxxxxx> To: Vasily Gorbik <gor@xxxxxxxxxxxxx> To: Alexander Gordeev <agordeev@xxxxxxxxxxxxx> To: Christian Borntraeger <borntraeger@xxxxxxxxxxxxx> To: Sven Schnelle <svens@xxxxxxxxxxxxx> To: Dupuis, Chad <chad.dupuis@xxxxxxxxxx> To: Sunil Goutham <sgoutham@xxxxxxxxxxx> To: Linu Cherian <lcherian@xxxxxxxxxxx> To: Geetha sowjanya <gakula@xxxxxxxxxxx> To: Jerin Jacob <jerinj@xxxxxxxxxxx> To: hariprasad <hkelam@xxxxxxxxxxx> To: Subbaraya Sundeep <sbhatta@xxxxxxxxxxx> Cc: intel-wired-lan@xxxxxxxxxxxxxxxx Cc: netdev@xxxxxxxxxxxxxxx Cc: linux-kernel@xxxxxxxxxxxxxxx Cc: linux-scsi@xxxxxxxxxxxxxxx Cc: Saurav Kashyap <saurav.kashyap@xxxxxxxxxx> Cc: linux-s390@xxxxxxxxxxxxxxx Cc: Jens Axboe <axboe@xxxxxxxxx> Signed-off-by: Bui Quang Minh <minhquangbui99@xxxxxxxxx> Changes in v2: - Patch 5: use memdup_user_nul instead - Add patch 6 - Link to v1: https://lore.kernel.org/r/20240422-fix-oob-read-v1-0-e02854c30174@xxxxxxxxx --- Bui Quang Minh (6): ice: ensure the copied buf is NUL terminated bna: ensure the copied buf is NUL terminated bfa: ensure the copied buf is NUL terminated qedf: ensure the copied buf is NUL terminated cio: ensure the copied buf is NUL terminated octeontx2-af: avoid off-by-one read from userspace drivers/net/ethernet/brocade/bna/bnad_debugfs.c | 4 ++-- drivers/net/ethernet/intel/ice/ice_debugfs.c | 8 ++++---- drivers/net/ethernet/marvell/octeontx2/af/rvu_debugfs.c | 4 +--- drivers/s390/cio/cio_inject.c | 2 +- drivers/scsi/bfa/bfad_debugfs.c | 4 ++-- drivers/scsi/qedf/qedf_debugfs.c | 2 +- 6 files changed, 11 insertions(+), 13 deletions(-) --- base-commit: ed30a4a51bb196781c8058073ea720133a65596f change-id: 20240422-fix-oob-read-19ae7f8f3711 Best regards, -- Bui Quang Minh <minhquangbui99@xxxxxxxxx>
