Message ID | 20240422-fix-oob-read-v1-0-e02854c30174@gmail.com |
---|---|
Headers | show |
Series | Ensure the copied buf is NULL terminated | expand |
On 4/23/24 13:10, Marcin Szycik wrote: > > > On 22.04.2024 18:41, Bui Quang Minh wrote: >> Hi everyone, >> >> I found that some drivers contains an out-of-bound read pattern like this >> >> kern_buf = memdup_user(user_buf, count); >> ... >> sscanf(kern_buf, ...); >> >> The sscanf can be replaced by some other string-related functions. This >> pattern can lead to out-of-bound read of kern_buf in string-related >> functions. >> >> This series fix the above issue by replacing memdup_user with >> memdup_user_nul or allocating count + 1 buffer then writing the NULL >> terminator to end of buffer after userspace copying. >> >> Thanks, >> Quang Minh. >> >> Signed-off-by: Bui Quang Minh <minhquangbui99@gmail.com> >> --- >> Bui Quang Minh (5): >> drivers/net/ethernet/intel-ice: ensure the copied buf is NULL terminated >> drivers/net/brocade-bnad: ensure the copied buf is NULL terminated >> drivers/scsi/bfa/bfad: ensure the copied buf is NULL terminated >> drivers/scsi/qedf: ensure the copied buf is NULL terminated >> drivers/s390/cio: ensure the copied buf is NULL terminated > > Typically you don't include path to module in title, instead: > ice: ensure the copied buf is NULL terminated > bna: ensure the copied buf is NULL terminated > etc. good point, if you would respin, then the character name is NUL, not NULL. > >> >> drivers/net/ethernet/brocade/bna/bnad_debugfs.c | 4 ++-- >> drivers/net/ethernet/intel/ice/ice_debugfs.c | 8 ++++---- >> drivers/s390/cio/cio_inject.c | 3 ++- >> drivers/scsi/bfa/bfad_debugfs.c | 4 ++-- >> drivers/scsi/qedf/qedf_debugfs.c | 2 +- >> 5 files changed, 11 insertions(+), 10 deletions(-) >> --- >> base-commit: ed30a4a51bb196781c8058073ea720133a65596f >> change-id: 20240422-fix-oob-read-19ae7f8f3711 >> >> Best regards, > > Thanks, > Marcin
Hi everyone, I found that some drivers contains an out-of-bound read pattern like this kern_buf = memdup_user(user_buf, count); ... sscanf(kern_buf, ...); The sscanf can be replaced by some other string-related functions. This pattern can lead to out-of-bound read of kern_buf in string-related functions. This series fix the above issue by replacing memdup_user with memdup_user_nul or allocating count + 1 buffer then writing the NULL terminator to end of buffer after userspace copying. Thanks, Quang Minh. Signed-off-by: Bui Quang Minh <minhquangbui99@gmail.com> --- Bui Quang Minh (5): drivers/net/ethernet/intel-ice: ensure the copied buf is NULL terminated drivers/net/brocade-bnad: ensure the copied buf is NULL terminated drivers/scsi/bfa/bfad: ensure the copied buf is NULL terminated drivers/scsi/qedf: ensure the copied buf is NULL terminated drivers/s390/cio: ensure the copied buf is NULL terminated drivers/net/ethernet/brocade/bna/bnad_debugfs.c | 4 ++-- drivers/net/ethernet/intel/ice/ice_debugfs.c | 8 ++++---- drivers/s390/cio/cio_inject.c | 3 ++- drivers/scsi/bfa/bfad_debugfs.c | 4 ++-- drivers/scsi/qedf/qedf_debugfs.c | 2 +- 5 files changed, 11 insertions(+), 10 deletions(-) --- base-commit: ed30a4a51bb196781c8058073ea720133a65596f change-id: 20240422-fix-oob-read-19ae7f8f3711 Best regards,