Received: by 2002:ab2:6203:0:b0:1f5:f2ab:c469 with SMTP id o3csp2996911lqt; Tue, 23 Apr 2024 07:47:55 -0700 (PDT) X-Forwarded-Encrypted: i=3; AJvYcCXnRQ9XruCl/o35Lv8imoG5GLWDTXlKwOBCxzbxQCEguYY3tyB0VYXtjc9G6wr5D2RfsCk5B02etcIWgbXTu9GPZj3sV5TFUo++1Zno2w== X-Google-Smtp-Source: AGHT+IH2m4KDyMKw6jjmXu6HgCI/xSHoc2k7v3TwKZhBiuJmZTY1/KnB6SdeNfq0wde6PGQXX7NG X-Received: by 2002:a05:6808:6096:b0:3c8:2bea:f1bc with SMTP id de22-20020a056808609600b003c82beaf1bcmr8527496oib.1.1713883675491; Tue, 23 Apr 2024 07:47:55 -0700 (PDT) ARC-Seal: i=2; a=rsa-sha256; t=1713883675; cv=pass; d=google.com; s=arc-20160816; b=uwxoMrRmjwYkBA5vk70X0zHsKJ5XzVFLrjRQ9tyqlnWO04Ks8FZ2yH8HAH7AYSdNWH xXwp4FGNIRhwUm4S5FFHKMkSqqn12hf+yrGTT79e/zZ0vcGTI1AxxdE1sWty0odKoeFZ 7iAp3N0ks64llIGaQDMcI+L61BzyE0oUUK5BJS0vle2vMhhJNRDPkISnNUZHdtTrSyGM FQnS0/onzWbkg1rnmJ7r4LTCykN9pqyTWqBafYRwnaqAFKoToHxMXQkfWhQzkX+PQSFw zVJwIUJ7P2/gJTe3K/MIOvBtjplPEcqc1lwN4I5dPaOZdg6IbKpqnEhNLCEeuzasc/yk Vxxw== ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=content-transfer-encoding:in-reply-to:from:content-language :references:cc:to:subject:user-agent:mime-version:list-unsubscribe :list-subscribe:list-id:precedence:date:message-id:dkim-signature; bh=Vb/jtEQiqMYQ/ISAQh9mg0MTb6zQnFx3hOrCArI3w1E=; fh=+xTZqCwvMy6x/dVqUrag/FjV2CB+LL2Y6EGdxRHcaBg=; b=WHoZIQo7ydl1C+iRe+xdW2ZPH30HIKWoSIZalwzdr4/T+y1vh4bYAkXUxIHrCgGChv HRjp8w1hg5wUSfIrX+EYvu3Ga5niQ6Q6Bp3XMTAUEOH1BN+u52Iijx+iRADrk6lmY/Bp jh1xe8Bw3/kvApm8UTdFtYSUzxlaPIpuYJ8f6ZytV66Y1dEMtWCoqzuiHJJIH0ZvPHzJ MesYc2DytVpxglK2/YhOUIpVzDi7PNmN+/GjniK98MK+zvK5V92vXWpCQs+lbk1wPC3O B7Ga1UfN6+fAWpKUB0vVd9H/GKmtwT75YUoFmbpOOLp8MlEQGku16BVxBEIhxYCdoMLG TpeA==; dara=google.com ARC-Authentication-Results: i=2; mx.google.com; dkim=pass header.i=@gmail.com header.s=20230601 header.b=DWbbKtvH; arc=pass (i=1 spf=pass spfdomain=gmail.com dkim=pass dkdomain=gmail.com dmarc=pass fromdomain=gmail.com); spf=pass (google.com: domain of linux-kernel+bounces-155395-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:45d1:ec00::1 as permitted sender) smtp.mailfrom="linux-kernel+bounces-155395-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Return-Path: Received: from ny.mirrors.kernel.org (ny.mirrors.kernel.org. [2604:1380:45d1:ec00::1]) by mx.google.com with ESMTPS id gm7-20020a056214268700b0069b503c131esi12948267qvb.314.2024.04.23.07.47.55 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 23 Apr 2024 07:47:55 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel+bounces-155395-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:45d1:ec00::1 as permitted sender) client-ip=2604:1380:45d1:ec00::1; Authentication-Results: mx.google.com; dkim=pass header.i=@gmail.com header.s=20230601 header.b=DWbbKtvH; arc=pass (i=1 spf=pass spfdomain=gmail.com dkim=pass dkdomain=gmail.com dmarc=pass fromdomain=gmail.com); spf=pass (google.com: domain of linux-kernel+bounces-155395-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:45d1:ec00::1 as permitted sender) smtp.mailfrom="linux-kernel+bounces-155395-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ny.mirrors.kernel.org (Postfix) with ESMTPS id A7F6F1C22001 for ; Tue, 23 Apr 2024 14:47:04 +0000 (UTC) Received: from localhost.localdomain (localhost.localdomain [127.0.0.1]) by smtp.subspace.kernel.org (Postfix) with ESMTP id 09A5C13B5B4; Tue, 23 Apr 2024 14:46:51 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="DWbbKtvH" Received: from mail-pf1-f170.google.com (mail-pf1-f170.google.com [209.85.210.170]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id CBC108F5E; Tue, 23 Apr 2024 14:46:48 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.210.170 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1713883610; cv=none; b=dEZeWkMq2nsCZJ/nUKUbv3x65aeXG+GofpfnWtw8iOckCpcsX9D9xe3M3nYaEFIMPZhjAaEAOkfz7bD9B8ran+DV4+c8BdIn06vFAH36yOGzklmVLyH+2CFQgoqqPZTXXYv4Q/hybucWEPJ6WRYWhZegIrtsZE8hzn/ws+lW+pk= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1713883610; c=relaxed/simple; bh=ToGncwj89AClxloq2GR3iiMSNF1CUJnuDODivUGYRAo=; h=Message-ID:Date:MIME-Version:Subject:To:Cc:References:From: In-Reply-To:Content-Type; b=mA7QD4hK2Hj1Ng+BY3LoPVFeWioVIPD3uMOZnuaiUtFD/uSJ2HFAiHrLN0/cMtqb55HTYtvUgeqTaVHC6yatAK7hZB59zc6RYUWseWHM+TpNd9vwrUoE9j0p2/KGyB/KD0OUrD3obY1zMvdEt800b7lDqvenBt5cI1XjClW0vRI= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com; spf=pass smtp.mailfrom=gmail.com; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b=DWbbKtvH; arc=none smtp.client-ip=209.85.210.170 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=gmail.com Received: by mail-pf1-f170.google.com with SMTP id d2e1a72fcca58-6f103b541aeso2862068b3a.3; Tue, 23 Apr 2024 07:46:48 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1713883608; x=1714488408; darn=vger.kernel.org; h=content-transfer-encoding:in-reply-to:from:content-language :references:cc:to:subject:user-agent:mime-version:date:message-id :from:to:cc:subject:date:message-id:reply-to; bh=Vb/jtEQiqMYQ/ISAQh9mg0MTb6zQnFx3hOrCArI3w1E=; b=DWbbKtvHDAMwRw51MQT/rsxrsRjCAkZaOczYUrHsiLHWSnc+6qxwEdTC0m1THnAbcs 3vrCdNWRkhImjZz2HbxRg0+2ddHQNoQUCLbExcy0baU4PpTZvnZ8Q/WeSY9TeQjkFyRg xebZuErcwDN8h2O4GcIQHHUYPBgzapZJ+yTHTx5BPc7hsB5H5ZeXxv1OgwFNBuSRqdDD vYKHfE7rTz0trpu+m49fUQXPAddmOsK01hnT+UEbygM3KMG/Ini1bmApMbBdnoRX3Ucs YQnvw7frWjb2uaPFQq7jGTmOnDhuRdriHYNEnadW60flv3rJkxaNdekV9JK6Kj7kx7UU 889A== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1713883608; x=1714488408; h=content-transfer-encoding:in-reply-to:from:content-language :references:cc:to:subject:user-agent:mime-version:date:message-id :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=Vb/jtEQiqMYQ/ISAQh9mg0MTb6zQnFx3hOrCArI3w1E=; b=Yj22KoMIMbgR3Qt4ons/OSTtL79sRiKf30ppw4o+hxnJ3LzI37aZdhgZFJKaoPGNCz HaRoN7h/noRo3Bf3bfaJWIHAcY6GZZSTK5aSMBeHnyZ6TzfEDxRGdELqikZ01xFZQfy6 Ip2l2BBmg/gLzYHdRI9CSbyaF8AmUXE9fSjRodiSgdVjOojiOHY7OaYitABq2k86giUE mVDGoBiS+5GdRU9cH0dVW34srmS90fpo3LOQZTo1MG/lcVh8n6Cu//PMydchTmTAdVlH P2wExGYCvu7wLm57t4qLpC14dk56syTsSEgy9XmuYnNi6/nDjnv9bkMIVS2NWBnFFHUK zOUw== X-Forwarded-Encrypted: i=1; AJvYcCVRzvOIiYB6u8nwICMC6ZzZUji5PAbn+LrzPcm6x8WGnD6VwXCWLto2OIZQ85c5SSv4Y6WkZBnNA2a2vz8tUC4aq7PfKBbO9olXFmMTJ/4fCQsaebRYowM7S54AAi4GrZEqf0Cm4KMHzIMmqwqwGO29rETmmSoyQlimwz636I7LHJQ4okMpfhfQy0d9D9xQqnbv122rcC3Fq7fCIUI= X-Gm-Message-State: AOJu0YwsAvAFBdyeplJDKZfEUMnuEjpWKO7d94MQDWZXpcqQioLBROef uBdvNym3121+/kUAnQYqdid2a1rB/H6C+I1wMMeeSa3ed0yYK/Of X-Received: by 2002:a05:6a21:2792:b0:1aa:6a28:cf6e with SMTP id rn18-20020a056a21279200b001aa6a28cf6emr12043604pzb.48.1713883607972; Tue, 23 Apr 2024 07:46:47 -0700 (PDT) Received: from ?IPV6:2001:ee0:50f5:5d0:b2f6:b23d:3030:9638? ([2001:ee0:50f5:5d0:b2f6:b23d:3030:9638]) by smtp.gmail.com with ESMTPSA id l185-20020a6391c2000000b005ffd8019f01sm3689182pge.20.2024.04.23.07.46.38 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Tue, 23 Apr 2024 07:46:47 -0700 (PDT) Message-ID: Date: Tue, 23 Apr 2024 21:46:35 +0700 Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 User-Agent: Mozilla Thunderbird Subject: Re: [PATCH 5/5] drivers/s390/cio: ensure the copied buf is NULL terminated To: Heiko Carstens Cc: Jesse Brandeburg , Tony Nguyen , "David S. Miller" , Eric Dumazet , Jakub Kicinski , Paolo Abeni , Paul M Stillwell Jr , Rasesh Mody , Sudarsana Kalluru , GR-Linux-NIC-Dev@marvell.com, Krishna Gudipati , Anil Gurumurthy , Sudarsana Kalluru , "James E.J. Bottomley" , "Martin K. Petersen" , Fabian Frederick , Saurav Kashyap , Javed Hasan , GR-QLogic-Storage-Upstream@marvell.com, Nilesh Javali , Arun Easi , Manish Rangankar , Vineeth Vijayan , Peter Oberparleiter , Vasily Gorbik , Alexander Gordeev , Christian Borntraeger , Sven Schnelle , intel-wired-lan@lists.osuosl.org, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, linux-scsi@vger.kernel.org, Saurav Kashyap , linux-s390@vger.kernel.org, Jens Axboe References: <20240422-fix-oob-read-v1-0-e02854c30174@gmail.com> <20240422-fix-oob-read-v1-5-e02854c30174@gmail.com> <20240423065052.10211-C-hca@linux.ibm.com> Content-Language: en-US From: Bui Quang Minh In-Reply-To: <20240423065052.10211-C-hca@linux.ibm.com> Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 7bit On 4/23/24 13:50, Heiko Carstens wrote: > On Mon, Apr 22, 2024 at 11:41:40PM +0700, Bui Quang Minh wrote: >> Currently, we allocate a lbuf-sized kernel buffer and copy lbuf from >> userspace to that buffer. Later, we use scanf on this buffer but we don't >> ensure that the string is terminated inside the buffer, this can lead to >> OOB read when using scanf. Fix this issue by allocating 1 more byte to at >> the end of buffer and write NULL terminator to the end of buffer after >> userspace copying. >> >> Fixes: a4f17cc72671 ("s390/cio: add CRW inject functionality") >> Signed-off-by: Bui Quang Minh >> --- >> drivers/s390/cio/cio_inject.c | 3 ++- >> 1 file changed, 2 insertions(+), 1 deletion(-) >> >> diff --git a/drivers/s390/cio/cio_inject.c b/drivers/s390/cio/cio_inject.c >> index 8613fa937237..9b69fbf49f60 100644 >> --- a/drivers/s390/cio/cio_inject.c >> +++ b/drivers/s390/cio/cio_inject.c >> @@ -95,10 +95,11 @@ static ssize_t crw_inject_write(struct file *file, const char __user *buf, >> return -EINVAL; >> } >> >> - buffer = vmemdup_user(buf, lbuf); >> + buffer = vmemdup_user(buf, lbuf + 1); >> if (IS_ERR(buffer)) >> return -ENOMEM; >> >> + buffer[lbuf] = '\0'; > > This would read one byte too much from user space, and could potentially > fault. > > Why isn't this simply memdup_user_nul() like all others, which would do the > right thing? Thanks for your review. It's my mistake, I blindly follow the pattern in rvu_debugfs static ssize_t rvu_dbg_qsize_write(struct file *filp, const char __user *buffer, size_t count, loff_t *ppos, int blktype) { cmd_buf = memdup_user(buffer, count + 1); if (IS_ERR(cmd_buf)) return -ENOMEM; cmd_buf[count] = '\0'; } I will send a patch to fix this too. For this case, as the original code uses vmemdup_user, which internally uses kvmalloc not kmalloc, so I try to keep the original behavior. And vmemdup_user does not have the counterpart vmemdup_user_nul. I can kvmalloc(lbuf + 1), then copy_to_user(lbuf) and set buffer[lbuf] = '\0' or do you think I should create vmemdup_user_nul? Thanks, Quang Minh.