Date: Tue, 23 Apr 2024 13:10:16 +0200
From: Marcin Szycik
Subject: Re: [Intel-wired-lan] [PATCH 0/5] Ensure the copied buf is NULL terminated
To: Bui Quang Minh, Jesse Brandeburg, Tony Nguyen, "David S. Miller",
    Eric Dumazet, Jakub Kicinski, Paolo Abeni, Paul M Stillwell Jr,
    Rasesh Mody, Sudarsana Kalluru, GR-Linux-NIC-Dev@marvell.com,
    Krishna Gudipati, Anil Gurumurthy, Sudarsana Kalluru,
    "James E.J. Bottomley", "Martin K. Petersen", Fabian Frederick,
    Saurav Kashyap, Javed Hasan, GR-QLogic-Storage-Upstream@marvell.com,
    Nilesh Javali, Arun Easi, Manish Rangankar, Vineeth Vijayan,
    Peter Oberparleiter, Heiko Carstens, Vasily Gorbik, Alexander Gordeev,
    Christian Borntraeger, Sven Schnelle
Cc: Jens Axboe, linux-s390@vger.kernel.org, linux-scsi@vger.kernel.org,
    netdev@vger.kernel.org, linux-kernel@vger.kernel.org,
    intel-wired-lan@lists.osuosl.org, Saurav Kashyap
References: <20240422-fix-oob-read-v1-0-e02854c30174@gmail.com>
In-Reply-To: <20240422-fix-oob-read-v1-0-e02854c30174@gmail.com>

On 22.04.2024 18:41, Bui Quang Minh wrote:
> Hi everyone,
>
> I found that some drivers contain an out-of-bound read pattern like this
>
>     kern_buf = memdup_user(user_buf, count);
>     ...
>     sscanf(kern_buf, ...);
>
> The sscanf can be replaced by some other string-related functions. This
> pattern can lead to out-of-bound read of kern_buf in string-related
> functions.
>
> This series fixes the above issue by replacing memdup_user with
> memdup_user_nul or allocating count + 1 buffer then writing the NULL
> terminator to end of buffer after userspace copying.
>
> Thanks,
> Quang Minh.
>
> Signed-off-by: Bui Quang Minh
> ---
> Bui Quang Minh (5):
>       drivers/net/ethernet/intel-ice: ensure the copied buf is NULL terminated
>       drivers/net/brocade-bnad: ensure the copied buf is NULL terminated
>       drivers/scsi/bfa/bfad: ensure the copied buf is NULL terminated
>       drivers/scsi/qedf: ensure the copied buf is NULL terminated
>       drivers/s390/cio: ensure the copied buf is NULL terminated

Typically you don't include path to module in title, instead:
ice: ensure the copied buf is NULL terminated
bna: ensure the copied buf is NULL terminated
etc.

>
>  drivers/net/ethernet/brocade/bna/bnad_debugfs.c | 4 ++--
>  drivers/net/ethernet/intel/ice/ice_debugfs.c    | 8 ++++----
>  drivers/s390/cio/cio_inject.c                   | 3 ++-
>  drivers/scsi/bfa/bfad_debugfs.c                 | 4 ++--
>  drivers/scsi/qedf/qedf_debugfs.c                | 2 +-
>  5 files changed, 11 insertions(+), 10 deletions(-)
> ---
> base-commit: ed30a4a51bb196781c8058073ea720133a65596f
> change-id: 20240422-fix-oob-read-19ae7f8f3711
>
> Best regards,

Thanks,
Marcin
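
The pattern described in the cover letter, as an added userspace illustration that is not part of this thread or of the patch series. `sim_memdup_user`, `sim_memdup_user_nul` and `parse_write` are hypothetical stand-ins for the kernel helpers and a debugfs write handler, and the `"99"` neighbour bytes are constructed to model unrelated heap data that follows the allocation.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for memdup_user(): copies exactly `count` bytes, no terminator.
 * `neighbour` models unrelated heap data that happens to follow the copy;
 * it lives in the same malloc block so the over-read below is observable
 * without undefined behaviour. */
static char *sim_memdup_user(const char *user_buf, size_t count,
                             const char *neighbour)
{
    size_t extra = strlen(neighbour) + 1;
    char *arena = malloc(count + extra);
    if (!arena)
        return NULL;
    memcpy(arena, user_buf, count);          /* the "kern_buf" proper */
    memcpy(arena + count, neighbour, extra); /* adjacent memory */
    return arena;
}

/* Stand-in for memdup_user_nul(): count + 1 bytes, terminator at [count]. */
static char *sim_memdup_user_nul(const char *user_buf, size_t count)
{
    char *buf = malloc(count + 1);
    if (!buf)
        return NULL;
    memcpy(buf, user_buf, count);
    buf[count] = '\0';
    return buf;
}

/* Hypothetical write handler: parses a decimal value from the copied buffer.
 * Returns -1 on allocation failure or when nothing parses. */
static long parse_write(const char *user_buf, size_t count, int terminated)
{
    long val = -1;
    char *kern_buf = terminated ? sim_memdup_user_nul(user_buf, count)
                                : sim_memdup_user(user_buf, count, "99");
    if (!kern_buf)
        return -1;
    if (sscanf(kern_buf, "%ld", &val) != 1)
        val = -1;
    free(kern_buf);
    return val;
}

int main(void)
{
    /* Constructed input: a write of "42" with count == 2 and no newline. */
    printf("unterminated copy parses as %ld\n", parse_write("42", 2, 0));
    printf("terminated copy parses as   %ld\n", parse_write("42", 2, 1));
    return 0;
}
```

In the unterminated case `sscanf` keeps consuming digits past the two copied bytes, so the parsed value depends on memory the caller never wrote; in the kernel the same read runs off the end of the allocation.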