Patch "wifi: iwlwifi: fix out of bound copy_from_user" has been added to the 6.6-stable tree

Sasha Levin <sashal@xxxxxxxxxx> · Sat, 20 Jan 2024 19:57:59 -0500

This is a note to let you know that I've just added the patch titled

    wifi: iwlwifi: fix out of bound copy_from_user

to the 6.6-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     wifi-iwlwifi-fix-out-of-bound-copy_from_user.patch
and it can be found in the queue-6.6 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit 38eb59e978b532510c1e96d9ccbdc516cd022ce8
Author: Anjaneyulu <pagadala.yesu.anjaneyulu@xxxxxxxxx>
Date:   Tue Dec 19 21:58:55 2023 +0200

    wifi: iwlwifi: fix out of bound copy_from_user
    
    [ Upstream commit cb2dfacb197bed0241fbb4f84bd0995a47f4465e ]
    
    The driver copies the userspace buffer into an internal NUL
    byte terminated buffer. While doing so, it was reading beyond
    the end of the userspace buffer, overwriting its own NUL
    termination in the process.
    
    Fix this by only copying the correct number of bytes.
    
    Fixes: 3f244876ef73 ("wifi: iwlwifi: make debugfs entries link specific")
    Signed-off-by: Anjaneyulu <pagadala.yesu.anjaneyulu@xxxxxxxxx>
    Reviewed-by: Gregory Greenman <gregory.greenman@xxxxxxxxx>
    Reviewed-by: Benjamin Berg <benjamin.berg@xxxxxxxxx>
    Signed-off-by: Miri Korenblit <miriam.rachel.korenblit@xxxxxxxxx>
    Link: https://msgid.link/20231219215605.e4913deb2ad4.Idcf6a7e909ff4b7801cd49c2f691f84a2f68eff9@changeid
    Signed-off-by: Johannes Berg <johannes.berg@xxxxxxxxx>
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/debugfs.c b/drivers/net/wireless/intel/iwlwifi/mvm/debugfs.c
index cf27f106d4d5..7057421e513b 100644
--- a/drivers/net/wireless/intel/iwlwifi/mvm/debugfs.c
+++ b/drivers/net/wireless/intel/iwlwifi/mvm/debugfs.c
@@ -1673,7 +1673,7 @@ static ssize_t _iwl_dbgfs_link_sta_##name##_write(struct file *file,	\
 	char buf[buflen] = {};						\
 	size_t buf_size = min(count, sizeof(buf) -  1);			\
 									\
-	if (copy_from_user(buf, user_buf, sizeof(buf)))			\
+	if (copy_from_user(buf, user_buf, buf_size))			\
 		return -EFAULT;						\
 									\
 	return _iwl_dbgfs_link_sta_wrap_write(iwl_dbgfs_##name##_write,	\







