2024-04-24 14:52:26

by Bui Quang Minh

Subject: [PATCH v2 0/6] Ensure the copied buf is NUL terminated

Hi everyone,

I found that some drivers contain an out-of-bound read pattern like this

kern_buf = memdup_user(user_buf, count);
...
sscanf(kern_buf, ...);

The sscanf can be replaced by some other string-related functions. This
pattern can lead to out-of-bound read of kern_buf in string-related
functions.

This series fixes the above issue by replacing memdup_user with
memdup_user_nul.

Thanks,
Quang Minh.

To: Jesse Brandeburg <[email protected]>
To: Tony Nguyen <[email protected]>
To: David S. Miller <[email protected]>
To: Eric Dumazet <[email protected]>
To: Jakub Kicinski <[email protected]>
To: Paolo Abeni <[email protected]>
To: Paul M Stillwell Jr <[email protected]>
To: Rasesh Mody <[email protected]>
To: Sudarsana Kalluru <[email protected]>
To: [email protected]
To: Anil Gurumurthy <[email protected]>
To: Sudarsana Kalluru <[email protected]>
To: James E.J. Bottomley <[email protected]>
To: Martin K. Petersen <[email protected]>
To: Fabian Frederick <[email protected]>
To: Saurav Kashyap <[email protected]>
To: [email protected]
To: Nilesh Javali <[email protected]>
To: Arun Easi <[email protected]>
To: Manish Rangankar <[email protected]>
To: Vineeth Vijayan <[email protected]>
To: Peter Oberparleiter <[email protected]>
To: Heiko Carstens <[email protected]>
To: Vasily Gorbik <[email protected]>
To: Alexander Gordeev <[email protected]>
To: Christian Borntraeger <[email protected]>
To: Sven Schnelle <[email protected]>
To: Dupuis, Chad <[email protected]>
To: Sunil Goutham <[email protected]>
To: Linu Cherian <[email protected]>
To: Geetha sowjanya <[email protected]>
To: Jerin Jacob <[email protected]>
To: hariprasad <[email protected]>
To: Subbaraya Sundeep <[email protected]>
Cc: [email protected]
Cc: [email protected]
Cc: [email protected]
Cc: [email protected]
Cc: Saurav Kashyap <[email protected]>
Cc: [email protected]
Cc: Jens Axboe <[email protected]>
Signed-off-by: Bui Quang Minh <[email protected]>

Changes in v2:
- Patch 5: use memdup_user_nul instead
- Add patch 6
- Link to v1: https://lore.kernel.org/r/[email protected]

---
Bui Quang Minh (6):
ice: ensure the copied buf is NUL terminated
bna: ensure the copied buf is NUL terminated
bfa: ensure the copied buf is NUL terminated
qedf: ensure the copied buf is NUL terminated
cio: ensure the copied buf is NUL terminated
octeontx2-af: avoid off-by-one read from userspace

drivers/net/ethernet/brocade/bna/bnad_debugfs.c | 4 ++--
drivers/net/ethernet/intel/ice/ice_debugfs.c | 8 ++++----
drivers/net/ethernet/marvell/octeontx2/af/rvu_debugfs.c | 4 +---
drivers/s390/cio/cio_inject.c | 2 +-
drivers/scsi/bfa/bfad_debugfs.c | 4 ++--
drivers/scsi/qedf/qedf_debugfs.c | 2 +-
6 files changed, 11 insertions(+), 13 deletions(-)
---
base-commit: ed30a4a51bb196781c8058073ea720133a65596f
change-id: 20240422-fix-oob-read-19ae7f8f3711

Best regards,
--
Bui Quang Minh <[email protected]>
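The pattern described in the cover letter, as an added example that is not part of the patch series: userspace stand-ins for memdup_user (exact-length copy, no terminator) and memdup_user_nul (copy plus '\0'), with a hypothetical debugfs-style handler built on the fixed variant.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for memdup_user(): allocates exactly `count` bytes and copies
 * them, adding no terminator. Assumed userspace model, not kernel code. */
static char *dup_exact(const char *user_buf, size_t count)
{
    char *p = malloc(count);
    if (p)
        memcpy(p, user_buf, count);
    return p;
}

/* Stand-in for memdup_user_nul(): allocates `count + 1` bytes, copies the
 * data and appends '\0' so string functions stop at `count`. */
static char *dup_nul(const char *user_buf, size_t count)
{
    char *p = malloc(count + 1);
    if (!p)
        return NULL;
    memcpy(p, user_buf, count);
    p[count] = '\0';
    return p;
}

/* True if the exact copy contains a terminator within its `count` bytes.
 * A write such as `echo 42 > file` delivers "42\n" with no NUL, so sscanf()
 * on such a copy would scan past the allocation; memchr() stays in bounds. */
static bool exact_copy_is_terminated(const char *user_buf, size_t count)
{
    char *kern_buf = dup_exact(user_buf, count);
    bool ok = kern_buf && memchr(kern_buf, '\0', count) != NULL;
    free(kern_buf);
    return ok;
}

/* Hypothetical hardened write handler: parse one decimal value through a
 * NUL-terminated copy. 0 on success, -1 on bad input, -2 on alloc failure. */
static int parse_user_uint(const char *user_buf, size_t count, unsigned int *out)
{
    char *kern_buf = dup_nul(user_buf, count);
    if (!kern_buf)
        return -2;
    int rc = (sscanf(kern_buf, "%u", out) == 1) ? 0 : -1;
    free(kern_buf);
    return rc;
}
```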



2024-04-26 02:30:47

by patchwork-bot+netdevbpf

Subject: Re: [PATCH v2 0/6] Ensure the copied buf is NUL terminated

Hello:

This series was applied to netdev/net.git (main)
by Jakub Kicinski <[email protected]>:

On Wed, 24 Apr 2024 21:44:17 +0700 you wrote:
> Hi everyone,
>
> I found that some drivers contain an out-of-bound read pattern like this
>
> kern_buf = memdup_user(user_buf, count);
> ...
> sscanf(kern_buf, ...);
>
> [...]

Here is the summary with links:
- [v2,1/6] ice: ensure the copied buf is NUL terminated
https://git.kernel.org/netdev/net/c/666854ea9cad
- [v2,2/6] bna: ensure the copied buf is NUL terminated
https://git.kernel.org/netdev/net/c/8c34096c7fdf
- [v2,3/6] bfa: ensure the copied buf is NUL terminated
(no matching commit)
- [v2,4/6] qedf: ensure the copied buf is NUL terminated
(no matching commit)
- [v2,5/6] cio: ensure the copied buf is NUL terminated
(no matching commit)
- [v2,6/6] octeontx2-af: avoid off-by-one read from userspace
https://git.kernel.org/netdev/net/c/f299ee709fb4

You are awesome, thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html



2024-05-11 19:01:00

by Martin K. Petersen

Subject: Re: [PATCH v2 0/6] Ensure the copied buf is NUL terminated

On Wed, 24 Apr 2024 21:44:17 +0700, Bui Quang Minh wrote:

> I found that some drivers contain an out-of-bound read pattern like this
>
> kern_buf = memdup_user(user_buf, count);
> ...
> sscanf(kern_buf, ...);
>
> The sscanf can be replaced by some other string-related functions. This
> pattern can lead to out-of-bound read of kern_buf in string-related
> functions.
>
> [...]

Applied to 6.10/scsi-queue, thanks!

[3/6] bfa: ensure the copied buf is NUL terminated
https://git.kernel.org/mkp/scsi/c/13d0cecb4626
[4/6] qedf: ensure the copied buf is NUL terminated
https://git.kernel.org/mkp/scsi/c/d0184a375ee7

--
Martin K. Petersen Oracle Linux Engineering