From patchwork Mon Feb 3 17:01:58 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Peter Seiderer X-Patchwork-Id: 13957876 X-Patchwork-Delegate: kuba@kernel.org Received: from mout.gmx.net (mout.gmx.net [212.227.15.19]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 3A2EC20CCC5; Mon, 3 Feb 2025 17:02:49 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=212.227.15.19 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1738602172; cv=none; b=R0KCojyib1mZW1cNp1KukjwiYxI3dw8Gd2yYDOnb7Y8E27Ri8IdJ6ETF/ZTLrUGVKOFRXGL8US+Ame6JAQnFN7kO8pDgvtEHxJNwBNFLsQ9bLlc5dXGU8QXay7O5G/VOhKCYFdwXDwqXK8kIS85EYwl7g7mQvdwlD3+arMnGOlE= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1738602172; c=relaxed/simple; bh=fH7kVesQm/RvIe2gp8YNloYPh2xmhW4qa1XSxX0eyWU=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=swsvDwmV8oObY9CintamN4AFOynEqlQYDLs89un0anfN/x5mO8RnmM/gkSGypo2SX4YCq2l0OH4OKdGlv5Ad60AsjnAtO+UEysmyOnGEmoS6nwYWBRLkylXALyV5apSvCY5KUnMOMKs+gRXORTBJQTKKea9dxZTRhfaqgqLuY0s= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=gmx.net; spf=pass smtp.mailfrom=gmx.net; dkim=pass (2048-bit key) header.d=gmx.net header.i=ps.report@gmx.net header.b=KNGxwasK; arc=none smtp.client-ip=212.227.15.19 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=gmx.net Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=gmx.net Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=gmx.net header.i=ps.report@gmx.net header.b="KNGxwasK" DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmx.net; s=s31663417; t=1738602150; x=1739206950; i=ps.report@gmx.net; bh=fH7kVesQm/RvIe2gp8YNloYPh2xmhW4qa1XSxX0eyWU=; h=X-UI-Sender-Class:From:To:Cc:Subject:Date:Message-ID:In-Reply-To: References:MIME-Version:Content-Transfer-Encoding:cc: content-transfer-encoding:content-type:date:from:message-id: mime-version:reply-to:subject:to; b=KNGxwasKsGNXAs1srbJhJW3jBw+8LzMQKE+fd+q/nk5C0dyVCVWBweMm0Y+w0DNH aPgg/WzIuPZ/C+ZtV6FncWh5bM8uOtv4kYZm6f3g9NiiIKCTqn03q6QMsLOKDhMBP /7cwsYOAkLB0h+lp4V4rd+U7ataCtsmJ2FPr3DWzaXIDcmwzny4yFZqBtkXpD3Umj 85H+EXVyYYH0ShLjWmcKJFLf13OhkfaNkBO4W4lS1nnqh+p40eIB13XjhUvIy7eSk /5uJH0MOx7UNAIDEml5wnWkqKuiBZwDfLuFu9WMIxHqUgrm6X+juc/8WKCEIyp/dr 0iGyIsvlaBsV7A3Eqg== X-UI-Sender-Class: 724b4f7f-cbec-4199-ad4e-598c01a50d3a Received: from localhost.fritz.box ([82.135.81.54]) by mail.gmx.net (mrgmx005 [212.227.17.190]) with ESMTPSA (Nemesis) id 1M7sHo-1tjvWe22s6-008xVK; Mon, 03 Feb 2025 18:02:30 +0100 From: Peter Seiderer To: netdev@vger.kernel.org Cc: linux-kernel@vger.kernel.org, linux-kselftest@vger.kernel.org, "David S . Miller" , Eric Dumazet , Jakub Kicinski , Paolo Abeni , Simon Horman , Shuah Khan , Nam Cao , Thomas Gleixner , Frederic Weisbecker , Artem Chernyshev , Peter Seiderer Subject: [PATCH net-next v3 07/10] net: pktgen: fix access outside of user given buffer in pktgen_thread_write() Date: Mon, 3 Feb 2025 18:01:58 +0100 Message-ID: <20250203170201.1661703-8-ps.report@gmx.net> X-Mailer: git-send-email 2.48.1 In-Reply-To: <20250203170201.1661703-1-ps.report@gmx.net> References: <20250203170201.1661703-1-ps.report@gmx.net> Precedence: bulk X-Mailing-List: netdev@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-Provags-ID: V03:K1:38/oIZRTsFNbpJ/9sF5RfMdMc/V6FZRzbpAwRPEU6smRIMUWnRq jHZ0TckZH0eNGHPRM1mZE/U7oxSe/44owZSVqJacF44ZAXxa7N9aQR4yDvmce5MLF9/QZZe STsHumpoIO4rrqMivfQ+xtCEwxD6lG2UDCPyhKtVtTD66GesIx/Wr4lmidRbqVUdILpN5NX qrZRXjzUqEKoLVnZOgFIg== X-Spam-Flag: NO UI-OutboundReport: notjunk:1;M01:P0:chBZIKyyCj0=;G1yDz/PWnuEy4blsr6bziIwRqZG yrWOX3hkpY/qGbrB0JSREOnuLMMNJn2MeVimSoVg5I9jIS2WLZ/cOvU8z1+lT35U39UfKkqWZ Iba6pDKjlxX5vHnLyMb8yk3C2sBBnab0dyS+qbXj5/px0Cq29lIFfsnOVDA6F+SDrFt+vGNCG hn4d0/aN7IzzleS7zZyyHIW7jBVAmt23dvbAP7ZTFdRn0lvS3CV3yH3zcBFqht2Q2UVL9wiZ8 8v3M4UFg2fRuiGXinWeIFl3wmXR37uTlXAD58qdGggzq3O0etW1LW91CVPEFR6IOK2bDefu6c 9NqRS5vCm8x7Mulf2UIfqdn89+hXy8ASu8Up5pUCN4hkDcAJV0Cki45LlYT8DYvKnw2uDKcYJ 8i92VdJw8P17O1zaVf3OuRxTrj+7+oP7L3ig+IuHWE2CjX7ze/nfjNRSNZIczpRg3JmBPR5Mm KQVeLOH02Y84FkFJaiYN6ATCoCH295xhxlkndDQx8FsiYQYbArpjJ28S3gJHxQRp4yiHvhmXS g6E+41A/JED5J9JDfVWeqfuhH5su8mnsT89Ok6pu5p4QGbC38Ze3GG2TRVvYDW5hqT2xAOgAw MKBVrUIyVhK0F5aTCGKm4FyzRmOOiCb8r1lXm6zBBsxYrMzJ8LV9RVcl2bDCMxzvqz0qlSckt Aayez4ERivIRIArDerZxggc767CD1bLFwXrAsY1CzATf03dMLHlh/r+hdARaDWAavpshYFxSO +qAyf12dQy3NWEAnu1+AycuKTIaJQIgKURZLr2/iG2KE6MGitzVkhuZeeDYWC9ShKj2sWq3KZ Q++LONEYVZ4OGh8CILqoDvY2yldjW0dnOUuPMbLeEpMU/djGQQe/cBWT85X0PJ8dMQRZ3ZgOy MAfx+uPERO4XO1MTFxvmSBPVhZnxmQ7Bk5K0Ytb/HGX+HlXcKv+jyVFHebZh3U/FeygKVNqBh 3oxB2qeKQRxg70uTuYZFMHl6J7wy4C6jX3v5b+T9dg+tirKfYfEKQ5Y67D5kUTH2MUoBvs/qC g+Re6MuD/B8K8GR+AiBqn74oXby79ObUiuSrIvxAxWuHO471rcg2nzYMFdKg0T2e8a8xhJ91t v4b6/3JtJSkKURlShGKB13Kh9KmPA38xBvGL1rtcDskU8c+D1ZA/iu+2YR2SsHWfsMCE4l/Yq GMf6yCONeipX+8xyEpWWVdPDF/e3WX5CdwifK7TXHHubqgIeJO3vJqZYYs1p/HlIAGjr+TznT jSHmC7QMjgJxHDlp52INBDeTZnn7NQZZ5oVI2FWHRBwgXvYaSa54MO8qTU4UkPZRNCi8w1itD CyNjfMnCzr/397yoYqiEWLAFuH5KHL/LPrbGOIJZ2cI1GQ= X-Patchwork-Delegate: kuba@kernel.org Honour the user given buffer size for the strn_len() calls (otherwise strn_len() will access memory outside of the user given buffer). Signed-off-by: Peter Seiderer Reviewed-by: Simon Horman --- Changes v2 -> v3: - no changes Changes v1 -> v2: - no changes --- net/core/pktgen.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/net/core/pktgen.c b/net/core/pktgen.c index f6e35ba035c7..55064713223e 100644 --- a/net/core/pktgen.c +++ b/net/core/pktgen.c @@ -1900,8 +1900,8 @@ static ssize_t pktgen_thread_write(struct file *file, i = len; /* Read variable name */ - - len = strn_len(&user_buffer[i], sizeof(name) - 1); + max = min(sizeof(name) - 1, count - i); + len = strn_len(&user_buffer[i], max); if (len < 0) return len; @@ -1931,7 +1931,8 @@ static ssize_t pktgen_thread_write(struct file *file, if (!strcmp(name, "add_device")) { char f[32]; memset(f, 0, 32); - len = strn_len(&user_buffer[i], sizeof(f) - 1); + max = min(sizeof(f) - 1, count - i); + len = strn_len(&user_buffer[i], max); if (len < 0) { ret = len; goto out;