diff mbox series

[1/3] scsi: qedf: do not touch __user pointer in qedf_dbg_stop_io_on_error_cmd_read() directly

Message ID 20230728065819.139694-2-oleksandr@redhat.com (mailing list archive)
State Superseded
Headers show
Series scsi: qedf: sanitise uaccess | expand

Commit Message

Oleksandr Natalenko July 28, 2023, 6:58 a.m. UTC
The qedf_dbg_stop_io_on_error_cmd_read() function invokes sprintf()
directly on a __user pointer, which may crash the kernel.

Avoid doing that by using a small on-stack buffer for sprintf()
and then calling simple_read_from_buffer() which does a proper
copy_to_user() call.

Fixes: 61d8658b4a ("scsi: qedf: Add QLogic FastLinQ offload FCoE driver framework.")
Link: https://lore.kernel.org/lkml/20230724120241.40495-1-oleksandr@redhat.com/
Link: https://lore.kernel.org/linux-scsi/20230726101236.11922-1-skashyap@marvell.com/
Cc: Saurav Kashyap <skashyap@marvell.com>
Cc: Rob Evers <revers@redhat.com>
Cc: Johannes Thumshirn <Johannes.Thumshirn@wdc.com>
Cc: Jozef Bacik <jobacik@redhat.com>
Cc: Laurence Oberman <loberman@redhat.com>
Cc: "James E.J. Bottomley" <jejb@linux.ibm.com>
Cc: "Martin K. Petersen" <martin.petersen@oracle.com>
Cc: GR-QLogic-Storage-Upstream@marvell.com
Cc: linux-scsi@vger.kernel.org
Tested-by: Laurence Oberman <loberman@redhat.com>
Signed-off-by: Oleksandr Natalenko <oleksandr@redhat.com>
---
 drivers/scsi/qedf/qedf_debugfs.c | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

Comments

David Laight July 28, 2023, 3:23 p.m. UTC | #1
From: Oleksandr Natalenko
> Sent: 28 July 2023 07:58
> 
> The qedf_dbg_stop_io_on_error_cmd_read() function invokes sprintf()
> directly on a __user pointer, which may crash the kernel.
> 
> Avoid doing that by using a small on-stack buffer for sprintf()
> and then calling simple_read_from_buffer() which does a proper
> copy_to_user() call.
> 
> Fixes: 61d8658b4a ("scsi: qedf: Add QLogic FastLinQ offload FCoE driver framework.")
...
> diff --git a/drivers/scsi/qedf/qedf_debugfs.c b/drivers/scsi/qedf/qedf_debugfs.c
> index a3ed681c8ce3f..4d1b99569d490 100644
> --- a/drivers/scsi/qedf/qedf_debugfs.c
> +++ b/drivers/scsi/qedf/qedf_debugfs.c
> @@ -185,18 +185,17 @@ qedf_dbg_stop_io_on_error_cmd_read(struct file *filp, char __user *buffer,
>  				   size_t count, loff_t *ppos)
>  {
>  	int cnt;
> +	char cbuf[7];
>  	struct qedf_dbg_ctx *qedf_dbg =
>  				(struct qedf_dbg_ctx *)filp->private_data;
>  	struct qedf_ctx *qedf = container_of(qedf_dbg,
>  	    struct qedf_ctx, dbg_ctx);
> 
>  	QEDF_INFO(qedf_dbg, QEDF_LOG_DEBUGFS, "entered\n");
> -	cnt = sprintf(buffer, "%s\n",
> +	cnt = sprintf(cbuf, "%s\n",
>  	    qedf->stop_io_on_error ? "true" : "false");

You've made cbuf[] exactly just big enough.
If anyone breathes on this code it could overflow.
You really should use scnprintf() for safety.

> 
> -	cnt = min_t(int, count, cnt - *ppos);
> -	*ppos += cnt;
> -	return cnt;
> +	return simple_read_from_buffer(buffer, count, ppos, cbuf, cnt);

Or just:
	if (gedf->stop_on_error)
		return simple_read_from_buffer(buffer, count, ppos, "true\n", 5);
	return simple_read_from_buffer(buffer, count, ppos, "false\n", 6);

	David

	
>  }
> 
>  static ssize_t
> --
> 2.41.0

-
Registered Address Lakeside, Bramley Road, Mount Farm, Milton Keynes, MK1 1PT, UK
Registration No: 1397386 (Wales)
Oleksandr Natalenko July 31, 2023, 8:01 a.m. UTC | #2
Hello.

On pátek 28. července 2023 17:23:25 CEST David Laight wrote:
> From: Oleksandr Natalenko
> > Sent: 28 July 2023 07:58
> > 
> > The qedf_dbg_stop_io_on_error_cmd_read() function invokes sprintf()
> > directly on a __user pointer, which may crash the kernel.
> > 
> > Avoid doing that by using a small on-stack buffer for sprintf()
> > and then calling simple_read_from_buffer() which does a proper
> > copy_to_user() call.
> > 
> > Fixes: 61d8658b4a ("scsi: qedf: Add QLogic FastLinQ offload FCoE driver framework.")
> ...
> > diff --git a/drivers/scsi/qedf/qedf_debugfs.c b/drivers/scsi/qedf/qedf_debugfs.c
> > index a3ed681c8ce3f..4d1b99569d490 100644
> > --- a/drivers/scsi/qedf/qedf_debugfs.c
> > +++ b/drivers/scsi/qedf/qedf_debugfs.c
> > @@ -185,18 +185,17 @@ qedf_dbg_stop_io_on_error_cmd_read(struct file *filp, char __user *buffer,
> >  				   size_t count, loff_t *ppos)
> >  {
> >  	int cnt;
> > +	char cbuf[7];
> >  	struct qedf_dbg_ctx *qedf_dbg =
> >  				(struct qedf_dbg_ctx *)filp->private_data;
> >  	struct qedf_ctx *qedf = container_of(qedf_dbg,
> >  	    struct qedf_ctx, dbg_ctx);
> > 
> >  	QEDF_INFO(qedf_dbg, QEDF_LOG_DEBUGFS, "entered\n");
> > -	cnt = sprintf(buffer, "%s\n",
> > +	cnt = sprintf(cbuf, "%s\n",
> >  	    qedf->stop_io_on_error ? "true" : "false");
> 
> You've made cbuf[] exactly just big enough.
> If anyone breathes on this code it could overflow.
> You really should use scnprintf() for safety.

OK, I'll do scnprintf(cbuf, sizeof(cbuf), ...) in the next version of the submission.

Thanks.

> > 
> > -	cnt = min_t(int, count, cnt - *ppos);
> > -	*ppos += cnt;
> > -	return cnt;
> > +	return simple_read_from_buffer(buffer, count, ppos, cbuf, cnt);
> 
> Or just:
> 	if (gedf->stop_on_error)
> 		return simple_read_from_buffer(buffer, count, ppos, "true\n", 5);
> 	return simple_read_from_buffer(buffer, count, ppos, "false\n", 6);
> 
> 	David
> 
> 	
> >  }
> > 
> >  static ssize_t
> > --
> > 2.41.0
> 
> -
> Registered Address Lakeside, Bramley Road, Mount Farm, Milton Keynes, MK1 1PT, UK
> Registration No: 1397386 (Wales)
> 
>
diff mbox series

Patch

diff --git a/drivers/scsi/qedf/qedf_debugfs.c b/drivers/scsi/qedf/qedf_debugfs.c
index a3ed681c8ce3f..4d1b99569d490 100644
--- a/drivers/scsi/qedf/qedf_debugfs.c
+++ b/drivers/scsi/qedf/qedf_debugfs.c
@@ -185,18 +185,17 @@  qedf_dbg_stop_io_on_error_cmd_read(struct file *filp, char __user *buffer,
 				   size_t count, loff_t *ppos)
 {
 	int cnt;
+	char cbuf[7];
 	struct qedf_dbg_ctx *qedf_dbg =
 				(struct qedf_dbg_ctx *)filp->private_data;
 	struct qedf_ctx *qedf = container_of(qedf_dbg,
 	    struct qedf_ctx, dbg_ctx);
 
 	QEDF_INFO(qedf_dbg, QEDF_LOG_DEBUGFS, "entered\n");
-	cnt = sprintf(buffer, "%s\n",
+	cnt = sprintf(cbuf, "%s\n",
 	    qedf->stop_io_on_error ? "true" : "false");
 
-	cnt = min_t(int, count, cnt - *ppos);
-	*ppos += cnt;
-	return cnt;
+	return simple_read_from_buffer(buffer, count, ppos, cbuf, cnt);
 }
 
 static ssize_t