From patchwork Mon Jul 24 12:02:38 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Oleksandr Natalenko X-Patchwork-Id: 706923 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 7C833C0015E for ; Mon, 24 Jul 2023 12:03:31 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S229840AbjGXMDa (ORCPT ); Mon, 24 Jul 2023 08:03:30 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:38198 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229486AbjGXMDa (ORCPT ); Mon, 24 Jul 2023 08:03:30 -0400 Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.129.124]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id CF63512D for ; Mon, 24 Jul 2023 05:02:46 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1690200166; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding; bh=0cvYxFz9mjJySSTDejKAHRAi+MgA/colULiqidjHAEA=; b=H16el6YC2XqGawI14ZK3EAIlivs/N38JQX3VotUJ1xS3hE2cFtiBVFkQQS3CrX+VB0BBnO KRvtYmtkiBF7/iAar0oTveTduS5VCGqFs4yEPm6BUQesmojOOKKL7yiEccjMcjuFm+TVyQ +Giv3o0VA6XrfuBEflx5Q7AuiujLm9w= Received: from mimecast-mx02.redhat.com (66.187.233.73 [66.187.233.73]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id us-mta-417-H6QFWb5UMv-cTsPAhWVuzg-1; Mon, 24 Jul 2023 08:02:42 -0400 X-MC-Unique: H6QFWb5UMv-cTsPAhWVuzg-1 Received: from smtp.corp.redhat.com (int-mx04.intmail.prod.int.rdu2.redhat.com [10.11.54.4]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mimecast-mx02.redhat.com (Postfix) with ESMTPS id 20BED1C172A5; Mon, 24 Jul 2023 12:02:42 +0000 (UTC) Received: from localhost (dhcp-10-40-5-80.brq.redhat.com [10.40.5.80]) by smtp.corp.redhat.com (Postfix) with ESMTP id C5325201EE6E; Mon, 24 Jul 2023 12:02:41 +0000 (UTC) From: Oleksandr Natalenko To: linux-kernel@vger.kernel.org Cc: linux-scsi@vger.kernel.org, Saurav Kashyap , Javed Hasan , GR-QLogic-Storage-Upstream@marvell.com, "James E.J. Bottomley" , "Martin K. Petersen" , Jozef Bacik , Laurence Oberman , Rob Evers Subject: [RFC PATCH 0/3] scsi: qedf: sanitise uaccess Date: Mon, 24 Jul 2023 14:02:38 +0200 Message-ID: <20230724120241.40495-1-oleksandr@redhat.com> MIME-Version: 1.0 X-Scanned-By: MIMEDefang 3.1 on 10.11.54.4 Precedence: bulk List-ID: X-Mailing-List: linux-scsi@vger.kernel.org qedf driver, debugfs part of it specifically, touches __user pointers directly for printing out info to userspace via sprintf(), which may cause crash like this: BUG: unable to handle kernel paging request at 00007ffd1d6b43a0 IP: [] string.isra.7+0x6a/0xf0 Oops: 0003 [#1] SMP Call Trace: [] vsnprintf+0x201/0x6a0 [] sprintf+0x56/0x80 [] qedf_dbg_stop_io_on_error_cmd_read+0x6d/0x90 [qedf] [] vfs_read+0x9f/0x170 [] SyS_pread64+0x92/0xc0 Avoid this by preparing the info in a kernel buffer first, either allocated on stack for small printouts, or via vmalloc() for big ones, and then copying it to the userspace properly. I'm not sure how big the vmalloc()'ed buffer should be, and also whether vmalloc()'ing it directly in the _read() function is a good idea, hence RFC prefix. The qedf_dbg_stop_io_on_error_cmd_read()-related patch is actually tested, the rest is compile-tested only. Oleksandr Natalenko (3): scsi: qedf: do not touch __user pointer in qedf_dbg_stop_io_on_error_cmd_read() directly scsi: qedf: do not touch __user pointer in qedf_dbg_debug_cmd_read() directly scsi: qedf: do not touch __user pointer in qedf_dbg_fp_int_cmd_read() directly drivers/scsi/qedf/qedf_dbg.h | 2 ++ drivers/scsi/qedf/qedf_debugfs.c | 35 +++++++++++++++++++------------- 2 files changed, 23 insertions(+), 14 deletions(-) --- 2.41.0