From patchwork Wed Feb 19 08:45:27 2025
X-Patchwork-Submitter: Peter Seiderer
X-Patchwork-Id: 13981755
From: Peter Seiderer
To: netdev@vger.kernel.org
Cc: linux-kernel@vger.kernel.org, linux-kselftest@vger.kernel.org, "David S . Miller", Eric Dumazet, Jakub Kicinski, Paolo Abeni, Simon Horman, Shuah Khan, Peter Seiderer, Artem Chernyshev, Frederic Weisbecker
Subject: [PATCH net-next v6 7/7] net: pktgen: fix access outside of user given buffer in pktgen_thread_write()
Date: Wed, 19 Feb 2025 09:45:27 +0100
Message-ID: <20250219084527.20488-8-ps.report@gmx.net>
X-Mailer: git-send-email 2.48.1
In-Reply-To: <20250219084527.20488-1-ps.report@gmx.net>
References: <20250219084527.20488-1-ps.report@gmx.net>
X-Mailing-List: linux-kselftest@vger.kernel.org

Honour the user given buffer size for the strn_len() calls (otherwise strn_len() will access memory outside of the user given buffer).

Signed-off-by: Peter Seiderer
Reviewed-by: Simon Horman
---
Changes v5 -> v6
  - no changes

Changes v4 -> v5
  - split up patchset into part i/ii (suggested by Simon Horman)

Changes v3 -> v4
  - add rev-by Simon Horman

Changes v2 -> v3:
  - no changes

Changes v1 -> v2:
  - no changes
---
 net/core/pktgen.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/net/core/pktgen.c b/net/core/pktgen.c index f6e35ba035c7..55064713223e 100644 --- a/net/core/pktgen.c +++ b/net/core/pktgen.c @@ -1900,8 +1900,8 @@ static ssize_t pktgen_thread_write(struct file *file, i = len; /* Read variable name */ - - len = strn_len(&user_buffer[i], sizeof(name) - 1); + max = min(sizeof(name) - 1, count - i); + len = strn_len(&user_buffer[i], max); if (len < 0) return len; @@ -1931,7 +1931,8 @@ static ssize_t pktgen_thread_write(struct file *file, if (!strcmp(name, "add_device")) { char f[32]; memset(f, 0, 32); - len = strn_len(&user_buffer[i], sizeof(f) - 1); + max = min(sizeof(f) - 1, count - i); + len = strn_len(&user_buffer[i], max); if (len < 0) { ret = len; goto out;
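
Review bot: In the hunk at -1900, `max = min(sizeof(name) - 1, count - i);` only bounds the read if `i <= count` holds at that point. The comparison is done on unsigned values (`sizeof(name) - 1` is a `size_t`), so an `i` larger than `count` would show up as a very large `count - i`, and `min()` would then pick `sizeof(name) - 1`, which is the pre-patch length that ignores the user buffer size. The only assignment visible here is `i = len;`, so please either say in the commit message why that `len` can never exceed `count`, or add an explicit check before `max` is computed.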
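
Review bot: In the hunk at -1931, the error handling after the new `len = strn_len(&user_buffer[i], max);` still only covers `len < 0`. With the clamp in place, `max` is 0 when the write ends right after `add_device` (`i == count`), so `strn_len()` is asked for at most 0 bytes and `f` stays all zeroes from the `memset()`; it is worth confirming that the code following this hunk rejects an empty device name instead of passing it on. Minor: the pair `max = min(sizeof(...) - 1, count - i);` plus `strn_len()` now appears at both call sites, so a small helper that takes the destination size would keep the two from drifting apart.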