Received: by 2002:a05:6358:c692:b0:131:369:b2a3 with SMTP id fe18csp1399814rwb; Fri, 28 Jul 2023 08:54:29 -0700 (PDT) X-Google-Smtp-Source: APBJJlEbO3fW5BSZHF8ND7X9KZNSbbdecbemWvjtjRFBnLbB0SHBrOICrvG+TJFwaThOkWgPPEq6 X-Received: by 2002:aa7:88d3:0:b0:67e:18c6:d2db with SMTP id k19-20020aa788d3000000b0067e18c6d2dbmr2413641pff.28.1690559668983; Fri, 28 Jul 2023 08:54:28 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1690559668; cv=none; d=google.com; s=arc-20160816; b=OENIU01/H8/t2kUeET0lJHHmWLU5YoYS4do98xN+jjo3vBfQN4n3z5oNdHXorApFBV ghRWL+aAu58mkatCv9bNzrIm5TFBNqe2+fqt982+VLVhyW4tWyNPc6s+YP0RUbEeP9fi GnQmtqrSQiikfy9GAyECKiEy8kCq+jcIkOIII1fsgBEFVIkA2WeDsbM63bgm3Zi3Zaxd ewIBzuLHI8JgfNVhoUy/MOF4J42crgimcAyN76ylThujqP5zxt58sEa8Eq8tzUrcoJXl z8DRTa3iYVV7duTTjNqQ2Skzr2haUOsN5xQ5WYqaU6/0jlpu1ZjVNFe8PADJnQpsG3SR LeLw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:content-language :mime-version:accept-language:in-reply-to:references:message-id:date :thread-index:thread-topic:subject:cc:to:from; bh=NYmYmYv0/AqX7PqBQrZ5pkF3KBXGVKZJTgoC4r1WYFE=; fh=zpQksNFUqChokrj7HQTVX9fHxMlgAmrzVF4jJGxXcdI=; b=ejyRGpxs4de+liD+FwMayhsbRdX02Syp2+reUVg30ErtZXmlBQTkLmuAKKoTmEHE/M q34qDIFPWwYhWnLVEBOuwhOx3W4S3r6hZez5psFWqprQPAEspAQbc9vSEYxdjo9UQ3e3 OXLGWLA6+li1WVb1SBdpMifH2u8ifKl0JhDZliQmu4035X5yPwWLnr0UD48CKAe1qjWf jI1o15B8UL/hYZHhiMKAzgGZlVx4TpnPXW8BzWdOtY1e9yM/ONKdYckUpJQkuAk7YWiL uLVkL0azJPs+A2VRYaCzgDoL490FVkALaEaob/LzTXZxB4XjgjtJApQ7v7pEBPNFHFQV iuWQ== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=aculab.com Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id t18-20020a63dd12000000b0053f3d04e66csi3230739pgg.699.2023.07.28.08.54.15; Fri, 28 Jul 2023 08:54:28 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=aculab.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S236954AbjG1P0S convert rfc822-to-8bit (ORCPT + 99 others); Fri, 28 Jul 2023 11:26:18 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:53048 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S236138AbjG1P0R (ORCPT ); Fri, 28 Jul 2023 11:26:17 -0400 Received: from eu-smtp-delivery-151.mimecast.com (eu-smtp-delivery-151.mimecast.com [185.58.86.151]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 49D7A1717 for ; Fri, 28 Jul 2023 08:26:15 -0700 (PDT) Received: from AcuMS.aculab.com (156.67.243.121 [156.67.243.121]) by relay.mimecast.com with ESMTP with both STARTTLS and AUTH (version=TLSv1.2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384) id uk-mta-217-YVmH9eBiMmG5VIsPrBuaNQ-1; Fri, 28 Jul 2023 16:26:12 +0100 X-MC-Unique: YVmH9eBiMmG5VIsPrBuaNQ-1 Received: from AcuMS.Aculab.com (10.202.163.6) by AcuMS.aculab.com (10.202.163.6) with Microsoft SMTP Server (TLS) id 15.0.1497.48; Fri, 28 Jul 2023 16:26:11 +0100 Received: from AcuMS.Aculab.com ([::1]) by AcuMS.aculab.com ([::1]) with mapi id 15.00.1497.048; Fri, 28 Jul 2023 16:26:11 +0100 From: David Laight To: 'Oleksandr Natalenko' , "linux-kernel@vger.kernel.org" CC: "linux-scsi@vger.kernel.org" , Saurav Kashyap , Johannes Thumshirn , "GR-QLogic-Storage-Upstream@marvell.com" , "James E.J. Bottomley" , "Martin K. Petersen" , Jozef Bacik , Laurence Oberman , "Rob Evers" Subject: RE: [PATCH 2/3] scsi: qedf: do not touch __user pointer in qedf_dbg_debug_cmd_read() directly Thread-Topic: [PATCH 2/3] scsi: qedf: do not touch __user pointer in qedf_dbg_debug_cmd_read() directly Thread-Index: AQHZwSEN9Ls1iMTEjEyz1kbENNwADa/PTLUA Date: Fri, 28 Jul 2023 15:26:11 +0000 Message-ID: <2938f701ba56419e861f1bb410831862@AcuMS.aculab.com> References: <20230728065819.139694-1-oleksandr@redhat.com> <20230728065819.139694-3-oleksandr@redhat.com> In-Reply-To: <20230728065819.139694-3-oleksandr@redhat.com> Accept-Language: en-GB, en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: x-ms-exchange-transport-fromentityheader: Hosted x-originating-ip: [10.202.205.107] MIME-Version: 1.0 X-Mimecast-Spam-Score: 0 X-Mimecast-Originator: aculab.com Content-Language: en-US Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8BIT X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00,RCVD_IN_DNSWL_NONE, RCVD_IN_MSPIKE_H5,RCVD_IN_MSPIKE_WL,SPF_HELO_NONE,SPF_PASS, T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Oleksandr Natalenko > Sent: 28 July 2023 07:58 > > The qedf_dbg_debug_cmd_read() function invokes sprintf() > directly on a __user pointer, which may crash the kernel. ^^^ will > > Avoid doing that by using a small on-stack buffer for sprintf() > and then calling simple_read_from_buffer() which does a proper > copy_to_user() call. ... > diff --git a/drivers/scsi/qedf/qedf_debugfs.c b/drivers/scsi/qedf/qedf_debugfs.c > index 4d1b99569d490..f910af0029a2c 100644 > --- a/drivers/scsi/qedf/qedf_debugfs.c > +++ b/drivers/scsi/qedf/qedf_debugfs.c > @@ -138,15 +138,14 @@ qedf_dbg_debug_cmd_read(struct file *filp, char __user *buffer, size_t count, > loff_t *ppos) > { > int cnt; > + char cbuf[35]; Why 35? I pick a multiple of 8 that if 'enough. > struct qedf_dbg_ctx *qedf_dbg = > (struct qedf_dbg_ctx *)filp->private_data; > > QEDF_INFO(qedf_dbg, QEDF_LOG_DEBUGFS, "debug mask=0x%x\n", qedf_debug); > - cnt = sprintf(buffer, "debug mask = 0x%x\n", qedf_debug); > + cnt = sprintf(cbuf, "debug mask = 0x%x\n", qedf_debug); Use scnprintf() to be sure it doesn't overflow. Much safer if someone does a quick update or copies the code. David > > - cnt = min_t(int, count, cnt - *ppos); > - *ppos += cnt; > - return cnt; > + return simple_read_from_buffer(buffer, count, ppos, cbuf, cnt); > } > > static ssize_t > -- > 2.41.0 - Registered Address Lakeside, Bramley Road, Mount Farm, Milton Keynes, MK1 1PT, UK Registration No: 1397386 (Wales)