On Tue, Jul 25, 2023 at 10:45:45AM +0800, Lin Ma wrote:
> The functions iscsi_if_set_param and iscsi_if_set_host_param convert
> the nlattr payload to type char* and then call C string handling functions
> like sscanf and kstrdup.
>
> char *data = (char*)ev + sizeof(*ev);
> ...
> sscanf(data, "%d", &value);
>
> However, since the nlattr is provided by the user-space program and
> the nlmsg skb is allocated with GFP_KERNEL instead of GFP_ZERO flag
> (see netlink_alloc_large_skb in netlink_sendmsg), the dirty data
> remaining in the heap can cause OOB read for those string handling
> functions.

Reviewed-by: Chris Leech <cleech@xxxxxxxxxx>
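As an added illustration of the guard the quoted message implies (this is not the kernel's code and not the patch under review; parse_int_param and dup_str_param are names chosen here), the payload is treated as a length-delimited buffer and string functions are only reached once a NUL is confirmed inside the attribute length:

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Returns 1 if buf[0..len) holds a NUL, so C string functions cannot
 * run past the attribute into whatever the allocator left behind. */
static int payload_is_cstring(const char *buf, size_t len)
{
    return buf != NULL && memchr(buf, '\0', len) != NULL;
}

/* Parse "%d" from a payload of known length.
 * Returns 0 on success, -1 if unterminated or no integer present. */
int parse_int_param(const char *buf, size_t len, int *value)
{
    if (!payload_is_cstring(buf, len))
        return -1;              /* sscanf would read beyond len */
    if (sscanf(buf, "%d", value) != 1)
        return -1;
    return 0;
}

/* Copy a string parameter (the kstrdup case); caller frees.
 * Returns NULL if the payload is not NUL-terminated within len. */
char *dup_str_param(const char *buf, size_t len)
{
    if (!payload_is_cstring(buf, len))
        return NULL;
    size_t n = strlen(buf);     /* safe: NUL verified inside len */
    char *out = malloc(n + 1);
    if (out)
        memcpy(out, buf, n + 1);
    return out;
}

int main(void)
{
    /* Constructed sample: 16-byte attribute, only 4 bytes written, the
     * rest filled with non-zero bytes standing in for stale heap data. */
    char attr[16];
    int v = 0;
    memset(attr, 'X', sizeof(attr));
    memcpy(attr, "1234", 4);    /* no terminator within the attribute */
    printf("unterminated: %d\n", parse_int_param(attr, sizeof(attr), &v));
    attr[4] = '\0';
    printf("terminated: %d value=%d\n",
           parse_int_param(attr, sizeof(attr), &v), v);
    return 0;
}
```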