From: Bui Quang Minh
Subject: [PATCH v2 0/6] Ensure the copied buf is NUL terminated
Date: Wed, 24 Apr 2024 21:44:17 +0700
Message-Id: <20240424-fix-oob-read-v2-0-f1f1b53a10f4@gmail.com>
X-Mailing-List: linux-kernel@vger.kernel.org
To: Jesse Brandeburg, Tony Nguyen, "David S. Miller", Eric Dumazet, Jakub Kicinski, Paolo Abeni, Paul M Stillwell Jr, Rasesh Mody, Sudarsana Kalluru, GR-Linux-NIC-Dev@marvell.com, Anil Gurumurthy, Sudarsana Kalluru, "James E.J. Bottomley", "Martin K. Petersen", Fabian Frederick, Saurav Kashyap, GR-QLogic-Storage-Upstream@marvell.com, Nilesh Javali, Arun Easi, Manish Rangankar, Vineeth Vijayan, Peter Oberparleiter, Heiko Carstens, Vasily Gorbik, Alexander Gordeev, Christian Borntraeger, Sven Schnelle, Sunil Goutham, Linu Cherian, Geetha sowjanya, Jerin Jacob, hariprasad, Subbaraya Sundeep
Cc: intel-wired-lan@lists.osuosl.org, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, linux-scsi@vger.kernel.org, Saurav Kashyap, linux-s390@vger.kernel.org, Jens Axboe, Bui Quang Minh, Przemek Kitszel
X-Mailer: b4 0.13.0

Hi everyone,

I found that some drivers contain an out-of-bound read pattern like this

	kern_buf = memdup_user(user_buf, count);
	...
	sscanf(kern_buf, ...);

The sscanf can be replaced by some other string-related functions. This
pattern can lead to out-of-bound read of kern_buf in string-related
functions.

This series fixes the above issue by replacing memdup_user with
memdup_user_nul.

Thanks,
Quang Minh.

To: Jesse Brandeburg
To: Tony Nguyen
To: David S. Miller
To: Eric Dumazet
To: Jakub Kicinski
To: Paolo Abeni
To: Paul M Stillwell Jr
To: Rasesh Mody
To: Sudarsana Kalluru
To: GR-Linux-NIC-Dev@marvell.com
To: Anil Gurumurthy
To: Sudarsana Kalluru
To: James E.J. Bottomley
To: Martin K. Petersen
To: Fabian Frederick
To: Saurav Kashyap
To: GR-QLogic-Storage-Upstream@marvell.com
To: Nilesh Javali
To: Arun Easi
To: Manish Rangankar
To: Vineeth Vijayan
To: Peter Oberparleiter
To: Heiko Carstens
To: Vasily Gorbik
To: Alexander Gordeev
To: Christian Borntraeger
To: Sven Schnelle
To: Dupuis, Chad
To: Sunil Goutham
To: Linu Cherian
To: Geetha sowjanya
To: Jerin Jacob
To: hariprasad
To: Subbaraya Sundeep
Cc: intel-wired-lan@lists.osuosl.org
Cc: netdev@vger.kernel.org
Cc: linux-kernel@vger.kernel.org
Cc: linux-scsi@vger.kernel.org
Cc: Saurav Kashyap
Cc: linux-s390@vger.kernel.org
Cc: Jens Axboe

Signed-off-by: Bui Quang Minh

Changes in v2:
- Patch 5: use memdup_user_nul instead
- Add patch 6
- Link to v1: https://lore.kernel.org/r/20240422-fix-oob-read-v1-0-e02854c30174@gmail.com

---
Bui Quang Minh (6):
      ice: ensure the copied buf is NUL terminated
      bna: ensure the copied buf is NUL terminated
      bfa: ensure the copied buf is NUL terminated
      qedf: ensure the copied buf is NUL terminated
      cio: ensure the copied buf is NUL terminated
      octeontx2-af: avoid off-by-one read from userspace

 drivers/net/ethernet/brocade/bna/bnad_debugfs.c         | 4 ++--
 drivers/net/ethernet/intel/ice/ice_debugfs.c            | 8 ++++----
 drivers/net/ethernet/marvell/octeontx2/af/rvu_debugfs.c | 4 +---
 drivers/s390/cio/cio_inject.c                           | 2 +-
 drivers/scsi/bfa/bfad_debugfs.c                         | 4 ++--
 drivers/scsi/qedf/qedf_debugfs.c                        | 2 +-
 6 files changed, 11 insertions(+), 13 deletions(-)
---
base-commit: ed30a4a51bb196781c8058073ea720133a65596f
change-id: 20240422-fix-oob-read-19ae7f8f3711

Best regards,
-- 
Bui Quang Minh
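
The pattern from the cover letter above, modelled in userspace C as an added example (not part of the original message or the patch series). The names model_memdup_user, model_memdup_user_nul, parse_write and PARSE_WOULD_OVERREAD are hypothetical stand-ins; the check uses a bounded memchr() so the over-read is detected rather than performed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PARSE_WOULD_OVERREAD (-2)   /* hypothetical status code for this model */

/* Model of memdup_user(): copies exactly len bytes, adds no terminator. */
static char *model_memdup_user(const char *src, size_t len, size_t *alloc)
{
    char *p = malloc(len ? len : 1);
    if (!p) return NULL;
    memcpy(p, src, len);
    *alloc = len;
    return p;
}

/* Model of memdup_user_nul(): copies len bytes and appends '\0'. */
static char *model_memdup_user_nul(const char *src, size_t len, size_t *alloc)
{
    char *p = malloc(len + 1);
    if (!p) return NULL;
    memcpy(p, src, len);
    p[len] = '\0';
    *alloc = len + 1;
    return p;
}

/* Simulated debugfs write handler: returns the sscanf() result, or
 * PARSE_WOULD_OVERREAD when no '\0' lies inside the copied buffer. */
static int parse_write(const char *user_buf, size_t count, int use_nul, int *val)
{
    size_t alloc;
    char *kern_buf = use_nul ? model_memdup_user_nul(user_buf, count, &alloc)
                             : model_memdup_user(user_buf, count, &alloc);
    int ret;
    if (!kern_buf) return -1;
    /* String functions stop only at '\0'; without one inside the
     * allocation, sscanf() would keep reading past kern_buf. */
    if (!memchr(kern_buf, '\0', alloc))
        ret = PARSE_WOULD_OVERREAD;
    else
        ret = sscanf(kern_buf, "%d", val);
    free(kern_buf);
    return ret;
}

int main(void)
{
    const char payload[2] = { '4', '2' };  /* constructed: "42", no NUL */
    int v = 0;
    printf("memdup_user model:     %d\n", parse_write(payload, 2, 0, &v));
    int r = parse_write(payload, 2, 1, &v);
    printf("memdup_user_nul model: %d (val=%d)\n", r, v);
    return 0;
}
```

A payload that happens to carry its own NUL parses in both models, which is why the unterminated case is easy to miss in testing.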