Patch "scsi: qedf: Ensure the copied buf is NUL terminated" has been added to the 6.6-stable tree

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



This is a note to let you know that I've just added the patch titled

    scsi: qedf: Ensure the copied buf is NUL terminated

to the 6.6-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     scsi-qedf-ensure-the-copied-buf-is-nul-terminated.patch
and it can be found in the queue-6.6 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit 5872557c351e6f33d589ad94753bd001285b4a20
Author: Bui Quang Minh <minhquangbui99@xxxxxxxxx>
Date:   Wed Apr 24 21:44:21 2024 +0700

    scsi: qedf: Ensure the copied buf is NUL terminated
    
    [ Upstream commit d0184a375ee797eb657d74861ba0935b6e405c62 ]
    
    Currently, we allocate a count-sized kernel buffer and copy count from
    userspace to that buffer. Later, we use kstrtouint on this buffer but we
    don't ensure that the string is terminated inside the buffer, this can
    lead to OOB read when using kstrtouint. Fix this issue by using
    memdup_user_nul instead of memdup_user.
    
    Fixes: 61d8658b4a43 ("scsi: qedf: Add QLogic FastLinQ offload FCoE driver framework.")
    Signed-off-by: Bui Quang Minh <minhquangbui99@xxxxxxxxx>
    Link: https://lore.kernel.org/r/20240424-fix-oob-read-v2-4-f1f1b53a10f4@xxxxxxxxx
    Signed-off-by: Martin K. Petersen <martin.petersen@xxxxxxxxxx>
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/drivers/scsi/qedf/qedf_debugfs.c b/drivers/scsi/qedf/qedf_debugfs.c
index 451fd236bfd05..96174353e3898 100644
--- a/drivers/scsi/qedf/qedf_debugfs.c
+++ b/drivers/scsi/qedf/qedf_debugfs.c
@@ -170,7 +170,7 @@ qedf_dbg_debug_cmd_write(struct file *filp, const char __user *buffer,
 	if (!count || *ppos)
 		return 0;
 
-	kern_buf = memdup_user(buffer, count);
+	kern_buf = memdup_user_nul(buffer, count);
 	if (IS_ERR(kern_buf))
 		return PTR_ERR(kern_buf);
 




[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Linux USB Devel]     [Linux Audio Users]     [Yosemite News]     [Linux Kernel]     [Linux SCSI]

  Powered by Linux