On 22.04.2024 18:41, Bui Quang Minh wrote: > Hi everyone, > > I found that some drivers contains an out-of-bound read pattern like this > > kern_buf = memdup_user(user_buf, count); > ... > sscanf(kern_buf, ...); > > The sscanf can be replaced by some other string-related functions. This > pattern can lead to out-of-bound read of kern_buf in string-related > functions. > > This series fix the above issue by replacing memdup_user with > memdup_user_nul or allocating count + 1 buffer then writing the NULL > terminator to end of buffer after userspace copying. > > Thanks, > Quang Minh. > > Signed-off-by: Bui Quang Minh <minhquangbui99@xxxxxxxxx> > --- > Bui Quang Minh (5): > drivers/net/ethernet/intel-ice: ensure the copied buf is NULL terminated > drivers/net/brocade-bnad: ensure the copied buf is NULL terminated > drivers/scsi/bfa/bfad: ensure the copied buf is NULL terminated > drivers/scsi/qedf: ensure the copied buf is NULL terminated > drivers/s390/cio: ensure the copied buf is NULL terminated Typically you don't include path to module in title, instead: ice: ensure the copied buf is NULL terminated bna: ensure the copied buf is NULL terminated etc. > > drivers/net/ethernet/brocade/bna/bnad_debugfs.c | 4 ++-- > drivers/net/ethernet/intel/ice/ice_debugfs.c | 8 ++++---- > drivers/s390/cio/cio_inject.c | 3 ++- > drivers/scsi/bfa/bfad_debugfs.c | 4 ++-- > drivers/scsi/qedf/qedf_debugfs.c | 2 +- > 5 files changed, 11 insertions(+), 10 deletions(-) > --- > base-commit: ed30a4a51bb196781c8058073ea720133a65596f > change-id: 20240422-fix-oob-read-19ae7f8f3711 > > Best regards, Thanks, Marcin
