| Message ID | 20240422-fix-oob-read-v1-1-e02854c30174@gmail.com (mailing list archive) |
|---|---|
| State | Superseded |
| Headers | show |
| Series | Ensure the copied buf is NULL terminated | expand |
On 4/22/24 18:41, Bui Quang Minh wrote: > Currently, we allocate a count-sized kernel buffer and copy count bytes > from userspace to that buffer. Later, we use sscanf on this buffer but we > don't ensure that the string is terminated inside the buffer, this can lead > to OOB read when using sscanf. Fix this issue by using memdup_user_nul > instead of memdup_user. > > Fixes: 96a9a9341cda ("ice: configure FW logging") > Fixes: 73671c3162c8 ("ice: enable FW logging") > Signed-off-by: Bui Quang Minh <minhquangbui99@gmail.com> > --- > drivers/net/ethernet/intel/ice/ice_debugfs.c | 8 ++++---- > 1 file changed, 4 insertions(+), 4 deletions(-) > > diff --git a/drivers/net/ethernet/intel/ice/ice_debugfs.c b/drivers/net/ethernet/intel/ice/ice_debugfs.c > index d252d98218d0..9fc0fd95a13d 100644 > --- a/drivers/net/ethernet/intel/ice/ice_debugfs.c > +++ b/drivers/net/ethernet/intel/ice/ice_debugfs.c > @@ -171,7 +171,7 @@ ice_debugfs_module_write(struct file *filp, const char __user *buf, > if (*ppos != 0 || count > 8) > return -EINVAL; > > - cmd_buf = memdup_user(buf, count); > + cmd_buf = memdup_user_nul(buf, count); > if (IS_ERR(cmd_buf)) > return PTR_ERR(cmd_buf); > > @@ -257,7 +257,7 @@ ice_debugfs_nr_messages_write(struct file *filp, const char __user *buf, > if (*ppos != 0 || count > 4) > return -EINVAL; > > - cmd_buf = memdup_user(buf, count); > + cmd_buf = memdup_user_nul(buf, count); > if (IS_ERR(cmd_buf)) > return PTR_ERR(cmd_buf); > > @@ -332,7 +332,7 @@ ice_debugfs_enable_write(struct file *filp, const char __user *buf, > if (*ppos != 0 || count > 2) > return -EINVAL; > > - cmd_buf = memdup_user(buf, count); > + cmd_buf = memdup_user_nul(buf, count); > if (IS_ERR(cmd_buf)) > return PTR_ERR(cmd_buf); > > @@ -428,7 +428,7 @@ ice_debugfs_log_size_write(struct file *filp, const char __user *buf, > if (*ppos != 0 || count > 5) > return -EINVAL; > > - cmd_buf = memdup_user(buf, count); > + cmd_buf = memdup_user_nul(buf, count); > if (IS_ERR(cmd_buf)) > return PTR_ERR(cmd_buf); > > Reviewed-by: Przemek Kitszel <przemyslaw.kitszel@intel.com>
diff --git a/drivers/net/ethernet/intel/ice/ice_debugfs.c b/drivers/net/ethernet/intel/ice/ice_debugfs.c index d252d98218d0..9fc0fd95a13d 100644 --- a/drivers/net/ethernet/intel/ice/ice_debugfs.c +++ b/drivers/net/ethernet/intel/ice/ice_debugfs.c @@ -171,7 +171,7 @@ ice_debugfs_module_write(struct file *filp, const char __user *buf, if (*ppos != 0 || count > 8) return -EINVAL; - cmd_buf = memdup_user(buf, count); + cmd_buf = memdup_user_nul(buf, count); if (IS_ERR(cmd_buf)) return PTR_ERR(cmd_buf); @@ -257,7 +257,7 @@ ice_debugfs_nr_messages_write(struct file *filp, const char __user *buf, if (*ppos != 0 || count > 4) return -EINVAL; - cmd_buf = memdup_user(buf, count); + cmd_buf = memdup_user_nul(buf, count); if (IS_ERR(cmd_buf)) return PTR_ERR(cmd_buf); @@ -332,7 +332,7 @@ ice_debugfs_enable_write(struct file *filp, const char __user *buf, if (*ppos != 0 || count > 2) return -EINVAL; - cmd_buf = memdup_user(buf, count); + cmd_buf = memdup_user_nul(buf, count); if (IS_ERR(cmd_buf)) return PTR_ERR(cmd_buf); @@ -428,7 +428,7 @@ ice_debugfs_log_size_write(struct file *filp, const char __user *buf, if (*ppos != 0 || count > 5) return -EINVAL; - cmd_buf = memdup_user(buf, count); + cmd_buf = memdup_user_nul(buf, count); if (IS_ERR(cmd_buf)) return PTR_ERR(cmd_buf);
Currently, we allocate a count-sized kernel buffer and copy count bytes from userspace to that buffer. Later, we use sscanf on this buffer but we don't ensure that the string is terminated inside the buffer, this can lead to OOB read when using sscanf. Fix this issue by using memdup_user_nul instead of memdup_user. Fixes: 96a9a9341cda ("ice: configure FW logging") Fixes: 73671c3162c8 ("ice: enable FW logging") Signed-off-by: Bui Quang Minh <minhquangbui99@gmail.com> --- drivers/net/ethernet/intel/ice/ice_debugfs.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-)