| Message ID | 20240422-fix-oob-read-v1-0-e02854c30174@gmail.com (mailing list archive) |
|---|---|
| Headers | show |
| Series | Ensure the copied buf is NULL terminated | expand |
On 22.04.2024 18:41, Bui Quang Minh wrote: > Hi everyone, > > I found that some drivers contains an out-of-bound read pattern like this > > kern_buf = memdup_user(user_buf, count); > ... > sscanf(kern_buf, ...); > > The sscanf can be replaced by some other string-related functions. This > pattern can lead to out-of-bound read of kern_buf in string-related > functions. > > This series fix the above issue by replacing memdup_user with > memdup_user_nul or allocating count + 1 buffer then writing the NULL > terminator to end of buffer after userspace copying. > > Thanks, > Quang Minh. > > Signed-off-by: Bui Quang Minh <minhquangbui99@gmail.com> > --- > Bui Quang Minh (5): > drivers/net/ethernet/intel-ice: ensure the copied buf is NULL terminated > drivers/net/brocade-bnad: ensure the copied buf is NULL terminated > drivers/scsi/bfa/bfad: ensure the copied buf is NULL terminated > drivers/scsi/qedf: ensure the copied buf is NULL terminated > drivers/s390/cio: ensure the copied buf is NULL terminated Typically you don't include path to module in title, instead: ice: ensure the copied buf is NULL terminated bna: ensure the copied buf is NULL terminated etc. > > drivers/net/ethernet/brocade/bna/bnad_debugfs.c | 4 ++-- > drivers/net/ethernet/intel/ice/ice_debugfs.c | 8 ++++---- > drivers/s390/cio/cio_inject.c | 3 ++- > drivers/scsi/bfa/bfad_debugfs.c | 4 ++-- > drivers/scsi/qedf/qedf_debugfs.c | 2 +- > 5 files changed, 11 insertions(+), 10 deletions(-) > --- > base-commit: ed30a4a51bb196781c8058073ea720133a65596f > change-id: 20240422-fix-oob-read-19ae7f8f3711 > > Best regards, Thanks, Marcin
On 4/23/24 13:10, Marcin Szycik wrote: > > > On 22.04.2024 18:41, Bui Quang Minh wrote: >> Hi everyone, >> >> I found that some drivers contains an out-of-bound read pattern like this >> >> kern_buf = memdup_user(user_buf, count); >> ... >> sscanf(kern_buf, ...); >> >> The sscanf can be replaced by some other string-related functions. This >> pattern can lead to out-of-bound read of kern_buf in string-related >> functions. >> >> This series fix the above issue by replacing memdup_user with >> memdup_user_nul or allocating count + 1 buffer then writing the NULL >> terminator to end of buffer after userspace copying. >> >> Thanks, >> Quang Minh. >> >> Signed-off-by: Bui Quang Minh <minhquangbui99@gmail.com> >> --- >> Bui Quang Minh (5): >> drivers/net/ethernet/intel-ice: ensure the copied buf is NULL terminated >> drivers/net/brocade-bnad: ensure the copied buf is NULL terminated >> drivers/scsi/bfa/bfad: ensure the copied buf is NULL terminated >> drivers/scsi/qedf: ensure the copied buf is NULL terminated >> drivers/s390/cio: ensure the copied buf is NULL terminated > > Typically you don't include path to module in title, instead: > ice: ensure the copied buf is NULL terminated > bna: ensure the copied buf is NULL terminated > etc. good point, if you would respin, then the character name is NUL, not NULL. > >> >> drivers/net/ethernet/brocade/bna/bnad_debugfs.c | 4 ++-- >> drivers/net/ethernet/intel/ice/ice_debugfs.c | 8 ++++---- >> drivers/s390/cio/cio_inject.c | 3 ++- >> drivers/scsi/bfa/bfad_debugfs.c | 4 ++-- >> drivers/scsi/qedf/qedf_debugfs.c | 2 +- >> 5 files changed, 11 insertions(+), 10 deletions(-) >> --- >> base-commit: ed30a4a51bb196781c8058073ea720133a65596f >> change-id: 20240422-fix-oob-read-19ae7f8f3711 >> >> Best regards, > > Thanks, > Marcin
Hi everyone, I found that some drivers contains an out-of-bound read pattern like this kern_buf = memdup_user(user_buf, count); ... sscanf(kern_buf, ...); The sscanf can be replaced by some other string-related functions. This pattern can lead to out-of-bound read of kern_buf in string-related functions. This series fix the above issue by replacing memdup_user with memdup_user_nul or allocating count + 1 buffer then writing the NULL terminator to end of buffer after userspace copying. Thanks, Quang Minh. Signed-off-by: Bui Quang Minh <minhquangbui99@gmail.com> --- Bui Quang Minh (5): drivers/net/ethernet/intel-ice: ensure the copied buf is NULL terminated drivers/net/brocade-bnad: ensure the copied buf is NULL terminated drivers/scsi/bfa/bfad: ensure the copied buf is NULL terminated drivers/scsi/qedf: ensure the copied buf is NULL terminated drivers/s390/cio: ensure the copied buf is NULL terminated drivers/net/ethernet/brocade/bna/bnad_debugfs.c | 4 ++-- drivers/net/ethernet/intel/ice/ice_debugfs.c | 8 ++++---- drivers/s390/cio/cio_inject.c | 3 ++- drivers/scsi/bfa/bfad_debugfs.c | 4 ++-- drivers/scsi/qedf/qedf_debugfs.c | 2 +- 5 files changed, 11 insertions(+), 10 deletions(-) --- base-commit: ed30a4a51bb196781c8058073ea720133a65596f change-id: 20240422-fix-oob-read-19ae7f8f3711 Best regards,