From patchwork Wed Feb 5 13:11:43 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Peter Seiderer X-Patchwork-Id: 13961044 X-Patchwork-Delegate: kuba@kernel.org Received: from mout.gmx.net (mout.gmx.net [212.227.15.15]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 46C6115B122; Wed, 5 Feb 2025 13:12:10 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=212.227.15.15 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1738761133; cv=none; b=c/wTYKMx2Qf+q0u5jft5QxyXEsfcNOg98cnTdPOZmAbfeM5uaavU1BI32mBYILJeiYSxvsrhLbX9XqAf5qEUb7b6vQ67zj55FPHFPs9T0H0CWyDsFM7XO5OkBwZjcUyfpQM+f66QcEOLD68zs5CMmu3rMZw9Rl2EzKLy/V9WVwQ= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1738761133; c=relaxed/simple; bh=QRwX8UjSSKOhh5loLuyOOAnKngYgFCevybSUDASN4RQ=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=fvTFWCcmmzmQmnfRWj0I/HDblyqTvsqMD99IZ/PRCmqVCVexJ4wujWaJZ1cfxZeqzrbZzN5gl/3p63AG1TDKKd5kX2r+5Ng1N9WFmWXTXbdKzSPWmIEdUuF8J0MB5EKBZKbVnFJ4Q0MyNh6EfeIaxbFl6DQ1kNIEs1F+N3lzjGE= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=gmx.net; spf=pass smtp.mailfrom=gmx.net; dkim=pass (2048-bit key) header.d=gmx.net header.i=ps.report@gmx.net header.b=DUOtE6u2; arc=none smtp.client-ip=212.227.15.15 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=gmx.net Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=gmx.net Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=gmx.net header.i=ps.report@gmx.net header.b="DUOtE6u2" DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmx.net; s=s31663417; t=1738761123; x=1739365923; i=ps.report@gmx.net; bh=QRwX8UjSSKOhh5loLuyOOAnKngYgFCevybSUDASN4RQ=; h=X-UI-Sender-Class:From:To:Cc:Subject:Date:Message-ID:In-Reply-To: References:MIME-Version:Content-Transfer-Encoding:cc: content-transfer-encoding:content-type:date:from:message-id: mime-version:reply-to:subject:to; b=DUOtE6u21qmEr6DBDQv+klhR05btMZH/kZqfevF9VwVjsGn5jR7Dqj3fVhVsS5+R RtNBxiqEU9ZvqhSnpBEJFNUvTZ2qplJHLWIdHrM+HSpqCKOGy7RlD2aTUhiFPZjSd KihJnbtYiY8fQQRpUnn3lqxHIG0GbXkT1CBsL2ea+cJ6YoMwZKv1xMYj5iZRJsJdZ 6BaC7yaXQipxmnVmkvHR/A4TM/mmZ/eqifCh0CbyRVhpP13rTlP6fEuDjDU+ZkvUn ttBgjFHt/zhZvzhz+UZKsJAhPjMYKvMsd/q+vkbXPVBbb40s0VzzPhBa9taMVLcPe DeIvmnKvhKEvUsEBiQ== X-UI-Sender-Class: 724b4f7f-cbec-4199-ad4e-598c01a50d3a Received: from localhost.fritz.box ([82.135.81.162]) by mail.gmx.net (mrgmx004 [212.227.17.190]) with ESMTPSA (Nemesis) id 1MhD2O-1tAT323JtC-00bBwG; Wed, 05 Feb 2025 14:12:02 +0100 From: Peter Seiderer To: netdev@vger.kernel.org Cc: linux-kernel@vger.kernel.org, linux-kselftest@vger.kernel.org, "David S . Miller" , Eric Dumazet , Jakub Kicinski , Paolo Abeni , Simon Horman , Shuah Khan , Peter Seiderer Subject: [PATCH net-next v4 07/17] net: pktgen: fix access outside of user given buffer in pktgen_thread_write() Date: Wed, 5 Feb 2025 14:11:43 +0100 Message-ID: <20250205131153.476278-8-ps.report@gmx.net> X-Mailer: git-send-email 2.48.1 In-Reply-To: <20250205131153.476278-1-ps.report@gmx.net> References: <20250205131153.476278-1-ps.report@gmx.net> Precedence: bulk X-Mailing-List: netdev@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-Provags-ID: V03:K1:JpSFC3SX8/B8znaFp2o/iiUO/VkLN/DLJGqegSytyxONeqDDwpn eavPbTWoBz1LlCP9CXQrO20iIl5RLIyOKPg6WX2zDiw5fSzLv4ZnXetdIjM6twDLtYAXXU3 yjiLOu2Kzw0fVDGN/ekzEp1EPvXharE9QTrwRjkt8/9AablIv50IM4DfMJj6KErBVUocMw4 xYBoGKWHovneIHjSq2LVQ== X-Spam-Flag: NO UI-OutboundReport: notjunk:1;M01:P0:xTifI/nrPBk=;UDz2fA7k86ngKEtw4RbxyMjtrI3 5luWsZ1TjGZxBj+VlMAgwiA/Qg6WC84Ta4N9OAbmdTQOfKhc4HVgl+j/NV/M744s1bzq9cbI1 QM7PMiNRbfpnqDaMWxRvIoPBg8H+Pdv8179+7U1LLDz0q+ynzsGFsEZGaLCkpgEpX0LzGx7cr Aq8/agPICCo8KtVYL5uPaFM8lpLUdXb+0PEK5u0IPz7ActGGZwf6epcIPJhzH2Ow55g3V5VMr cdN1XqAszN4mlYfnGliObY65yF+8qCOHhPp9Yu8zzU5E2yy8so1n0IPUBpXLT62z+qmg4Ou9Z P1wSMcKZc+BG/wLWJe9wlDFtwQBgEGxOnfUHipRNz+MQC0l35IAmbajav6wCqtJksa2/HuV4u qZ2I5ogopyxotpCkYeLaziLOY/8VeOlCRNYnLkfxCytENmln/UqxXd38m+zx7XZhs6II/CLOv ZVX7EUt9k0MeX45RAOhFb36wKowAKO6aRODBpQYQNAi10WdkIVRL4fqulRJJcyeMOghIIvYBa +Ws1l3n4ZRexOp3sjFft4zWlscMeqQ/nf/QC/extc/Lw2Mlrl4PKrL8amCQ07qmtKtO98uYSz n5B0NTs/NKyEyjgVkjB3pXM3ZSSWFlP2xWHiTTo8ggICar9Cl0EvvddFMG/gvKKYvWiB/jHf3 XdKeGgRoBimO5qwSeFiyKEfO6T4a/WI3yg4yfAzQmWdfL/cwS8cYG/7A6EIT+7fL1m+C2gp8k rAcCNzrMZwSDz0DJMQo7TZvVzNfV6WxtAj2GgMztdN0dnRz4drw69B3XALDCuZeUf5z9Gs2Ze 9Teq9Wn9c6OCYuO0DotSZIvEqnA6VFPdv7yITG0/NJZQRIQq7ED9XEnRkCqRIqHbbv+1816aF 73QtKIWs8Lk4s9m6wYSvSV2lOJUASSIOURqx9CKO6sS88ICoqjeoRHAqjOt6TFqF01UusXmSC /3EmXy2v5D1Nau4dAuNoQQ78rfCCDHg/se5WyhPqCncLbqJyLzBf2lhji6gfNvJ7rrSoRytnL 7ierGsxEAc6ovyFP4qJptqjcqO4DKHQZXESptx2ry9rUe7WJmSWKLoJG4m7nIEiPHfg1uDnQc CCRbnyyTyKco+BAfRa1fbJdm6H1zXw4yVQ6k7EdrTSNxyp1kVEf2AstR5uPcf37TQ2CrZ6VVv RQg7S7bxPQvSVEHC0m0KNYNVbvrd2dqiIfn033CUSCOtVfVUMbuTgjeI1R+lIoXTYY/lod6yQ PBEZP+w9MkFo24/4CYFiFttTPhlGJkegCP2kc6uCJF44ib9sonvrVI24DrC6OSs3s7cGyF4BG /x+ktcPz/esctENHyKY3IpPmM+l/iC2wbwA2NkMbgdHoEc= X-Patchwork-Delegate: kuba@kernel.org Honour the user given buffer size for the strn_len() calls (otherwise strn_len() will access memory outside of the user given buffer). Signed-off-by: Peter Seiderer Reviewed-by: Simon Horman --- Changes v3 -> v4 - add rev-by Simon Horman Changes v2 -> v3: - no changes Changes v1 -> v2: - no changes --- net/core/pktgen.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/net/core/pktgen.c b/net/core/pktgen.c index f6e35ba035c7..55064713223e 100644 --- a/net/core/pktgen.c +++ b/net/core/pktgen.c @@ -1900,8 +1900,8 @@ static ssize_t pktgen_thread_write(struct file *file, i = len; /* Read variable name */ - - len = strn_len(&user_buffer[i], sizeof(name) - 1); + max = min(sizeof(name) - 1, count - i); + len = strn_len(&user_buffer[i], max); if (len < 0) return len; @@ -1931,7 +1931,8 @@ static ssize_t pktgen_thread_write(struct file *file, if (!strcmp(name, "add_device")) { char f[32]; memset(f, 0, 32); - len = strn_len(&user_buffer[i], sizeof(f) - 1); + max = min(sizeof(f) - 1, count - i); + len = strn_len(&user_buffer[i], max); if (len < 0) { ret = len; goto out;