From: Bui Quang Minh
Date: Mon, 22 Apr 2024 23:41:37 +0700
Subject: [PATCH 2/5] drivers/net/brocade-bnad: ensure the copied buf is NULL terminated
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
Message-Id: <20240422-fix-oob-read-v1-2-e02854c30174@gmail.com>
References: <20240422-fix-oob-read-v1-0-e02854c30174@gmail.com>
In-Reply-To: <20240422-fix-oob-read-v1-0-e02854c30174@gmail.com>
To: Jesse Brandeburg, Tony Nguyen, "David S. Miller", Eric Dumazet,
 Jakub Kicinski, Paolo Abeni, Paul M Stillwell Jr, Rasesh Mody,
 Sudarsana Kalluru, GR-Linux-NIC-Dev@marvell.com, Krishna Gudipati,
 Anil Gurumurthy, Sudarsana Kalluru, "James E.J. Bottomley",
 "Martin K. Petersen", Fabian Frederick, Saurav Kashyap, Javed Hasan,
 GR-QLogic-Storage-Upstream@marvell.com, Nilesh Javali, Arun Easi,
 Manish Rangankar, Vineeth Vijayan, Peter Oberparleiter, Heiko Carstens,
 Vasily Gorbik, Alexander Gordeev, Christian Borntraeger, Sven Schnelle
Cc: intel-wired-lan@lists.osuosl.org, netdev@vger.kernel.org,
 linux-kernel@vger.kernel.org, linux-scsi@vger.kernel.org, Saurav Kashyap,
 linux-s390@vger.kernel.org, Jens Axboe, Bui Quang Minh
X-Mailer: b4 0.13.0

Currently, we allocate an nbytes-sized kernel buffer and copy nbytes from
userspace to that buffer. Later, we use sscanf on this buffer but we don't
ensure that the string is terminated inside the buffer; this can lead to
OOB read when using sscanf.

Fix this issue by using memdup_user_nul instead of memdup_user.

Fixes: 7afc5dbde091 ("bna: Add debugfs interface.")
Signed-off-by: Bui Quang Minh
---
 drivers/net/ethernet/brocade/bna/bnad_debugfs.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/net/ethernet/brocade/bna/bnad_debugfs.c b/drivers/net/ethernet/brocade/bna/bnad_debugfs.c
index 7246e13dd559..97291bfbeea5 100644
--- a/drivers/net/ethernet/brocade/bna/bnad_debugfs.c +++ b/drivers/net/ethernet/brocade/bna/bnad_debugfs.c @@ -312,7 +312,7 @@ bnad_debugfs_write_regrd(struct file *file, const char __user *buf, void *kern_buf; /* Copy the user space buf */ - kern_buf = memdup_user(buf, nbytes); + kern_buf = memdup_user_nul(buf, nbytes); if (IS_ERR(kern_buf)) return PTR_ERR(kern_buf); @@ -372,7 +372,7 @@ bnad_debugfs_write_regwr(struct file *file, const char __user *buf, void *kern_buf; /* Copy the user space buf */ - kern_buf = memdup_user(buf, nbytes); + kern_buf = memdup_user_nul(buf, nbytes); if (IS_ERR(kern_buf)) return PTR_ERR(kern_buf); -- 2.34.1
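Review bot: In the first hunk (bnad_debugfs_write_regrd), kern_buf is still declared as "void *kern_buf;" although after this change it is relied on as a NUL-terminated string. Declaring it as char * would put that contract at the declaration, and the comment "Copy the user space buf" could say that the copy is nbytes + 1 bytes with a trailing NUL, so a later conversion back to memdup_user() is easier to catch in review.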
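Review bot: In the second hunk (bnad_debugfs_write_regwr), the visible context shows no upper bound on nbytes between the declaration of kern_buf and the memdup_user_nul(buf, nbytes) call, so the allocation size is whatever the writer passes in. The terminator fixes the read past the end, but since the command string parsed here is short, consider rejecting an oversized nbytes before the copy, or state in the changelog where the length is already limited.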
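The failure mode described in the commit message, as a userspace model (an added example, not code from the patch or the driver). The names model_copy, payload and regrd_req, and the "%x:%x" format, are assumptions made for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Userspace model: nul=0 copies n bytes like memdup_user(); nul=1 allocates
 * n + 1 bytes and terminates the copy like memdup_user_nul(). */
static char *model_copy(const char *src, size_t n, int nul)
{
	char *p = malloc(nul ? n + 1 : (n ? n : 1));
	if (!p)
		return NULL;
	memcpy(p, src, n);
	if (nul)
		p[n] = '\0';
	return p;
}

/* Constructed write(2) payload: 4 bytes and no NUL, as `echo -n 10:4` sends. */
static const char payload[4] = { '1', '0', ':', '4' };

/* 1 if a string parser would stop inside the plain copy, 0 if it runs past. */
int plain_copy_is_terminated(void)
{
	char *k = model_copy(payload, sizeof(payload), 0);
	int ok = k && memchr(k, '\0', sizeof(payload)) != NULL;
	free(k);
	return ok;
}

struct regrd_req { int fields; unsigned int addr, len; };

/* Parse the terminated copy; the "%x:%x" format is assumed for illustration. */
struct regrd_req parse_regrd(const char *ubuf, size_t n)
{
	struct regrd_req r = { 0, 0, 0 };
	char *k = model_copy(ubuf, n, 1);
	if (k)
		r.fields = sscanf(k, "%x:%x", &r.addr, &r.len);
	free(k);
	return r;
}

int main(void)
{
	struct regrd_req r = parse_regrd(payload, sizeof(payload));
	printf("plain copy terminated: %d\n", plain_copy_is_terminated());
	printf("fields=%d addr=0x%x len=%u\n", r.fields, r.addr, r.len);
	return 0;
}
```

The plain copy contains no terminator anywhere in its nbytes, which is the condition under which sscanf keeps reading into adjacent memory; the model checks for it with a bounded memchr instead of triggering the read.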