Received: by 2002:a89:48b:0:b0:1f5:f2ab:c469 with SMTP id a11csp467777lqd; Wed, 24 Apr 2024 07:45:53 -0700 (PDT) X-Forwarded-Encrypted: i=3; AJvYcCVywhlfqS4RDK7Ovar+2yJEKsoibHdeUDYG6tlRPNti3E9Z2sSeWZ2O+7aQdqc2OF4Kj0mh/50qrGPrqDRghcBQ4CKFYKTfw4gSJXQQgw== X-Google-Smtp-Source: AGHT+IHWFGL6MMtHVufkTBdbpjHKd+dwcWj6kuo3mWMPaAshLDE2uuhqA2BsAq+6kgezucU7zIw/ X-Received: by 2002:a05:6a20:948f:b0:1a7:9dd7:6a31 with SMTP id hs15-20020a056a20948f00b001a79dd76a31mr6067464pzb.31.1713969952720; Wed, 24 Apr 2024 07:45:52 -0700 (PDT) ARC-Seal: i=2; a=rsa-sha256; t=1713969952; cv=pass; d=google.com; s=arc-20160816; b=tm0gFGXqLB01crZfrHOJmclcAKD9SJaiodMk+v5gNezhTi8mX7KH0pH6xPkE5HPIMC R9SdRf/edLY5IDWXhaurYsI19ufqOVfdCoo1otWRvvPW8aWXDRY0mKLRJP8iJJxAPSCL /wdBj8bju8uaQEO5MjKpOW/4idlFGbcRNZXt7uPFHMtFRMQqCKN3XehHz2IbuzZV/l2R 9lAtw03d3GYMaaLdVf3qYfUOaMly6h24gtrNawNiRe8CyDyWMaoFfuNb6dDWvDfZBXbB WntdMsPtzqK+24MH/UjbsUE1nxkcrKiYhORehTul0hb2Ap/GASpNyY0omCHTjiuY7JGH pPmg== ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=cc:to:in-reply-to:references:message-id:content-transfer-encoding :mime-version:list-unsubscribe:list-subscribe:list-id:precedence :subject:date:from:dkim-signature; bh=3MfksbOufaT50njTeYfjnrKEJiBfYKS364Z1TYz8n/g=; fh=A9Nw2q26LVdCcged/NOWd337/mBHtGgcjIOjE04mnqw=; b=RlnyAe5UnA9ysRJ+AiDVgCdI8lFxn6rWpWVxK4Xr2rPm/WGjDfsWOj7v6J9DriMfxj AOHM3TZUDz4XZ9pB4HIp8n8z8c4XiakY+37X9zJp+KJXiqdNzP+7+doPwPC3o6aR76PD zMhhJgSjHmg9XZ4pPCDMJLcetNd8fM+5pPa8cJOkFWmIi9rksihB1Lpx0nmdrNtybsJL bpAGTWlsbzI3sLPPyLxTMiklFO+14OywSA1fB1MBCRBkdFT5vIZ11Wh5f7tdgCCyUBhp q1dr3dVJrnhzQoSnudx2VOdCryCoBZkhE6ooMv7SeebvyPRd5xg4k0AhHtElsFePP1KY /QpA==; dara=google.com ARC-Authentication-Results: i=2; mx.google.com; dkim=pass header.i=@gmail.com header.s=20230601 header.b=XyeKT629; arc=pass (i=1 spf=pass spfdomain=gmail.com dkim=pass dkdomain=gmail.com dmarc=pass fromdomain=gmail.com); spf=pass (google.com: domain of linux-kernel+bounces-157111-linux.lists.archive=gmail.com@vger.kernel.org designates 139.178.88.99 as permitted sender) smtp.mailfrom="linux-kernel+bounces-157111-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Return-Path: Received: from sv.mirrors.kernel.org (sv.mirrors.kernel.org. [139.178.88.99]) by mx.google.com with ESMTPS id 5-20020a630105000000b006052356fd7csi1694524pgb.79.2024.04.24.07.45.52 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 24 Apr 2024 07:45:52 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel+bounces-157111-linux.lists.archive=gmail.com@vger.kernel.org designates 139.178.88.99 as permitted sender) client-ip=139.178.88.99; Authentication-Results: mx.google.com; dkim=pass header.i=@gmail.com header.s=20230601 header.b=XyeKT629; arc=pass (i=1 spf=pass spfdomain=gmail.com dkim=pass dkdomain=gmail.com dmarc=pass fromdomain=gmail.com); spf=pass (google.com: domain of linux-kernel+bounces-157111-linux.lists.archive=gmail.com@vger.kernel.org designates 139.178.88.99 as permitted sender) smtp.mailfrom="linux-kernel+bounces-157111-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by sv.mirrors.kernel.org (Postfix) with ESMTPS id 2F6D6286A46 for ; Wed, 24 Apr 2024 14:45:48 +0000 (UTC) Received: from localhost.localdomain (localhost.localdomain [127.0.0.1]) by smtp.subspace.kernel.org (Postfix) with ESMTP id 0E77415F3FF; Wed, 24 Apr 2024 14:45:03 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="XyeKT629" Received: from mail-pf1-f172.google.com (mail-pf1-f172.google.com [209.85.210.172]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id C6AFB15ECCE; Wed, 24 Apr 2024 14:45:00 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.210.172 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1713969902; cv=none; b=G+vwYtQw0P3pNdwBISJFTt3wDUQp/uZKIikV+6COby94bnZt5DBJNRZ1tiF52hUhQU0Tdq4GRh5HWaMrX9AlzzK9ZGEfalQAvrwofCKeezL9JB7vMTRqf/VYC/I+FVv3uhJET4pqxZvyAu6djWqY4Iw48sEmE12y7nry9Ql9zcE= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1713969902; c=relaxed/simple; bh=Hq/a7l+FanlA0Ntrju77wI3YLmKhqPs7hJ/bcC9K6K0=; h=From:Date:Subject:MIME-Version:Content-Type:Message-Id:References: In-Reply-To:To:Cc; b=oeyOC2IFRRqYnZCk5+ovVeWvTVaDfbtyw2RkI8IRF1bYwLZn+4Kwu419Mh9rweigbHK42VfzK1hKXaGJHDYR5Tmrao0kha75FJYVpzXgfPsIzV+uougodSeZgrKVDHYf6DizynK8iACNEHOKfJIdKF3+pWScsuL5YqIqJNaZ31o= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com; spf=pass smtp.mailfrom=gmail.com; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b=XyeKT629; arc=none smtp.client-ip=209.85.210.172 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=gmail.com Received: by mail-pf1-f172.google.com with SMTP id d2e1a72fcca58-6ed2170d89fso737159b3a.1; Wed, 24 Apr 2024 07:45:00 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1713969900; x=1714574700; darn=vger.kernel.org; h=cc:to:in-reply-to:references:message-id:content-transfer-encoding :mime-version:subject:date:from:from:to:cc:subject:date:message-id :reply-to; bh=3MfksbOufaT50njTeYfjnrKEJiBfYKS364Z1TYz8n/g=; b=XyeKT629afrsryzzJ2Y/mJqJD2r7IUf6Jcly3zneN2QfPIkMHT7M9sbChO9C/7PV/t yW4A6NNkRJ70CqqgA/Wz/IJJaAVRQoyvQ3UsX0lW33rTfrDr4X/4YulBg1/tR5XMRS3S IF+/sMcTklZUeyvWxtJgxWcY9Y4aW/kf+lJ54tdYt+AYvzwZZmEZqu9wooGrUDJ2ttmg VQLW+/td9zqfVnqhfoD6+G+7/F/7KtmvyNLJnla06yh4Nv/gCV5NawkRG2sHSi5EVs+z jdD1GYfIwvzgWj3477Tht/RNjRoMHhTXR2tsutlgkAoHBDDWtnRO1owqcsdGiPOuR1Lp qm1A== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1713969900; x=1714574700; h=cc:to:in-reply-to:references:message-id:content-transfer-encoding :mime-version:subject:date:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=3MfksbOufaT50njTeYfjnrKEJiBfYKS364Z1TYz8n/g=; b=m7OVWkHAtdaZ2PcTnou9JgQEKIkVSu46JTB9gDMBHH9QFK1IDVJ91gADnpelDS3cFJ HYz6++cDrETrLO5C67Gusp7JQkCwUpScGBcjJvRXLLAddZcGNzZEW5Zyk/pLyao5aGVV onDsbgd+sloSIcO5sZz7VZfzlMksLtctHIa5mAqLFPNPJSdeo+ZCeKDMBYyy4hott3Gm IfgAUJxWnlxAwhoAqvBkHVJZJFTZVNcsjf91iAUx//d495FEmNhy83CM9gIo4E+hMPIn uZB73HciR/6qIMUKo4r1gQ/UfzICItUqmDJHU/w/qGPATu1h4dN+0h9tQwtwEO9pWQxp VwKA== X-Forwarded-Encrypted: i=1; AJvYcCUrL2820mlInjf4s9NVkptIH0ti4CtnQ4toq/udKAk6GI+mmbeNRcfx+TzNh8yE941ZxA2kdeCQB2h2XTeVIGCX3yOLmlDwJ4DNdbBpfm+DdJKJTco91399vTo/G9XfZEtZeehkZxJBJ7ha9j7ex5ryd+JlDhJkaL7WAkkZXgLHnOiINrggZKGc8PUKUmE+HqWDc8+k5DVXshFwd8A= X-Gm-Message-State: AOJu0YzTtCylHx43D9XH9IpTsp+3F5ThXw/iU4k/pFriklAXIMiU/1Rv F4SJWQniB1MlourOSbmV8TQa/jFNY0HLQI3FyY28NljsWS0dorZk X-Received: by 2002:a05:6a21:6d96:b0:1a9:509c:eba6 with SMTP id wl22-20020a056a216d9600b001a9509ceba6mr4486348pzb.25.1713969900053; Wed, 24 Apr 2024 07:45:00 -0700 (PDT) Received: from [127.0.1.1] ([2001:ee0:50f5:5d0:6ca6:7f20:5242:67cc]) by smtp.googlemail.com with ESMTPSA id a5-20020aa78e85000000b006e554afa254sm11495743pfr.38.2024.04.24.07.44.51 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 24 Apr 2024 07:44:59 -0700 (PDT) From: Bui Quang Minh Date: Wed, 24 Apr 2024 21:44:19 +0700 Subject: [PATCH v2 2/6] bna: ensure the copied buf is NUL terminated Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: 7bit Message-Id: <20240424-fix-oob-read-v2-2-f1f1b53a10f4@gmail.com> References: <20240424-fix-oob-read-v2-0-f1f1b53a10f4@gmail.com> In-Reply-To: <20240424-fix-oob-read-v2-0-f1f1b53a10f4@gmail.com> To: Jesse Brandeburg , Tony Nguyen , "David S. Miller" , Eric Dumazet , Jakub Kicinski , Paolo Abeni , Paul M Stillwell Jr , Rasesh Mody , Sudarsana Kalluru , GR-Linux-NIC-Dev@marvell.com, Anil Gurumurthy , Sudarsana Kalluru , "James E.J. Bottomley" , "Martin K. Petersen" , Fabian Frederick , Saurav Kashyap , GR-QLogic-Storage-Upstream@marvell.com, Nilesh Javali , Arun Easi , Manish Rangankar , Vineeth Vijayan , Peter Oberparleiter , Heiko Carstens , Vasily Gorbik , Alexander Gordeev , Christian Borntraeger , Sven Schnelle , Sunil Goutham , Linu Cherian , Geetha sowjanya , Jerin Jacob , hariprasad , Subbaraya Sundeep Cc: intel-wired-lan@lists.osuosl.org, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, linux-scsi@vger.kernel.org, Saurav Kashyap , linux-s390@vger.kernel.org, Jens Axboe , Bui Quang Minh X-Mailer: b4 0.13.0 Currently, we allocate a nbytes-sized kernel buffer and copy nbytes from userspace to that buffer. Later, we use sscanf on this buffer but we don't ensure that the string is terminated inside the buffer, this can lead to OOB read when using sscanf. Fix this issue by using memdup_user_nul instead of memdup_user. Fixes: 7afc5dbde091 ("bna: Add debugfs interface.") Signed-off-by: Bui Quang Minh --- drivers/net/ethernet/brocade/bna/bnad_debugfs.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/net/ethernet/brocade/bna/bnad_debugfs.c b/drivers/net/ethernet/brocade/bna/bnad_debugfs.c index 7246e13dd559..97291bfbeea5 100644 --- a/drivers/net/ethernet/brocade/bna/bnad_debugfs.c +++ b/drivers/net/ethernet/brocade/bna/bnad_debugfs.c @@ -312,7 +312,7 @@ bnad_debugfs_write_regrd(struct file *file, const char __user *buf, void *kern_buf; /* Copy the user space buf */ - kern_buf = memdup_user(buf, nbytes); + kern_buf = memdup_user_nul(buf, nbytes); if (IS_ERR(kern_buf)) return PTR_ERR(kern_buf); @@ -372,7 +372,7 @@ bnad_debugfs_write_regwr(struct file *file, const char __user *buf, void *kern_buf; /* Copy the user space buf */ - kern_buf = memdup_user(buf, nbytes); + kern_buf = memdup_user_nul(buf, nbytes); if (IS_ERR(kern_buf)) return PTR_ERR(kern_buf); -- 2.34.1