[PATCH v2 0/6] Ensure the copied buf is NUL terminated

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Hi everyone,

I found that some drivers contains an out-of-bound read pattern like this

	kern_buf = memdup_user(user_buf, count);
	...
	sscanf(kern_buf, ...);

The sscanf can be replaced by some other string-related functions. This
pattern can lead to out-of-bound read of kern_buf in string-related
functions.

This series fix the above issue by replacing memdup_user with
memdup_user_nul.

Thanks,
Quang Minh.

To: Jesse Brandeburg <jesse.brandeburg@xxxxxxxxx>
To: Tony Nguyen <anthony.l.nguyen@xxxxxxxxx>
To: David S. Miller <davem@xxxxxxxxxxxxx>
To: Eric Dumazet <edumazet@xxxxxxxxxx>
To: Jakub Kicinski <kuba@xxxxxxxxxx>
To: Paolo Abeni <pabeni@xxxxxxxxxx>
To: Paul M Stillwell Jr <paul.m.stillwell.jr@xxxxxxxxx>
To: Rasesh Mody <rmody@xxxxxxxxxxx>
To: Sudarsana Kalluru <skalluru@xxxxxxxxxxx>
To: GR-Linux-NIC-Dev@xxxxxxxxxxx
To: Anil Gurumurthy <anil.gurumurthy@xxxxxxxxxx>
To: Sudarsana Kalluru <sudarsana.kalluru@xxxxxxxxxx>
To: James E.J. Bottomley <James.Bottomley@xxxxxxxxxxxxxxxxxxxxx>
To: Martin K. Petersen <martin.petersen@xxxxxxxxxx>
To: Fabian Frederick <fabf@xxxxxxxxx>
To: Saurav Kashyap <skashyap@xxxxxxxxxxx>
To: GR-QLogic-Storage-Upstream@xxxxxxxxxxx
To: Nilesh Javali <nilesh.javali@xxxxxxxxxx>
To: Arun Easi <arun.easi@xxxxxxxxxx>
To: Manish Rangankar <manish.rangankar@xxxxxxxxxx>
To: Vineeth Vijayan <vneethv@xxxxxxxxxxxxx>
To: Peter Oberparleiter <oberpar@xxxxxxxxxxxxx>
To: Heiko Carstens <hca@xxxxxxxxxxxxx>
To: Vasily Gorbik <gor@xxxxxxxxxxxxx>
To: Alexander Gordeev <agordeev@xxxxxxxxxxxxx>
To: Christian Borntraeger <borntraeger@xxxxxxxxxxxxx>
To: Sven Schnelle <svens@xxxxxxxxxxxxx>
To: Dupuis, Chad <chad.dupuis@xxxxxxxxxx>
To: Sunil Goutham <sgoutham@xxxxxxxxxxx>
To: Linu Cherian <lcherian@xxxxxxxxxxx>
To: Geetha sowjanya <gakula@xxxxxxxxxxx>
To: Jerin Jacob <jerinj@xxxxxxxxxxx>
To: hariprasad <hkelam@xxxxxxxxxxx>
To: Subbaraya Sundeep <sbhatta@xxxxxxxxxxx>
Cc: intel-wired-lan@xxxxxxxxxxxxxxxx
Cc: netdev@xxxxxxxxxxxxxxx
Cc: linux-kernel@xxxxxxxxxxxxxxx
Cc: linux-scsi@xxxxxxxxxxxxxxx
Cc: Saurav Kashyap <saurav.kashyap@xxxxxxxxxx>
Cc: linux-s390@xxxxxxxxxxxxxxx
Cc: Jens Axboe <axboe@xxxxxxxxx>
Signed-off-by: Bui Quang Minh <minhquangbui99@xxxxxxxxx>

Changes in v2:
- Patch 5: use memdup_user_nul instead
- Add patch 6
- Link to v1: https://lore.kernel.org/r/20240422-fix-oob-read-v1-0-e02854c30174@xxxxxxxxx

---
Bui Quang Minh (6):
      ice: ensure the copied buf is NUL terminated
      bna: ensure the copied buf is NUL terminated
      bfa: ensure the copied buf is NUL terminated
      qedf: ensure the copied buf is NUL terminated
      cio: ensure the copied buf is NUL terminated
      octeontx2-af: avoid off-by-one read from userspace

 drivers/net/ethernet/brocade/bna/bnad_debugfs.c         | 4 ++--
 drivers/net/ethernet/intel/ice/ice_debugfs.c            | 8 ++++----
 drivers/net/ethernet/marvell/octeontx2/af/rvu_debugfs.c | 4 +---
 drivers/s390/cio/cio_inject.c                           | 2 +-
 drivers/scsi/bfa/bfad_debugfs.c                         | 4 ++--
 drivers/scsi/qedf/qedf_debugfs.c                        | 2 +-
 6 files changed, 11 insertions(+), 13 deletions(-)
---
base-commit: ed30a4a51bb196781c8058073ea720133a65596f
change-id: 20240422-fix-oob-read-19ae7f8f3711

Best regards,
-- 
Bui Quang Minh <minhquangbui99@xxxxxxxxx>





[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [SCSI Target Devel]     [Linux SCSI Target Infrastructure]     [Kernel Newbies]     [IDE]     [Security]     [Git]     [Netfilter]     [Bugtraq]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Linux ATA RAID]     [Linux IIO]     [Samba]     [Device Mapper]

  Powered by Linux