From patchwork Mon Nov 6 14:04:33 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Dan Carpenter X-Patchwork-Id: 741709 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 1A762C4332F for ; Mon, 6 Nov 2023 14:04:42 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S229755AbjKFOEn (ORCPT ); Mon, 6 Nov 2023 09:04:43 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:34334 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229478AbjKFOEm (ORCPT ); Mon, 6 Nov 2023 09:04:42 -0500 Received: from mail-ed1-x531.google.com (mail-ed1-x531.google.com [IPv6:2a00:1450:4864:20::531]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 8DFB1DF for ; Mon, 6 Nov 2023 06:04:39 -0800 (PST) Received: by mail-ed1-x531.google.com with SMTP id 4fb4d7f45d1cf-53de8fc1ad8so7575376a12.0 for ; Mon, 06 Nov 2023 06:04:39 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google; t=1699279478; x=1699884278; darn=vger.kernel.org; h=content-disposition:mime-version:message-id:subject:cc:to:from:date :from:to:cc:subject:date:message-id:reply-to; bh=f8fFJp+6thPSgTWdug5tZ/JbqQ1yt18b9c1a5sYRCho=; b=mWkqTceX605aszjCuQ3djv2+dKQeuE04k8OBtwKIsF8swqRezIMN6QM+UP5592YKn/ 8birCkGT0YCJeZafYBlKDUIXg5wi9knWtLVNgt/dd9HZKiON+nDMaWiTdwrs2608c8Fb NkCuYrtOhnK2W9x6GQFncvmdYf0N5E0tpf/r55R4eAVBnC2be+UXZ8TCEToCZMITEktg p655g6Idq443Lv7mQ8FD1HIin1KCzdfaWQqt7V6QeYVAaHcONaYMHluPzK0HXtpKaNSc Rpnm7cHFNyVHdUc+V2BhxTP4+TG5wjGekGvt9QgxTbu2PeGsWFthZdb+AFV56l0yzVKB FyQw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1699279478; x=1699884278; h=content-disposition:mime-version:message-id:subject:cc:to:from:date :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=f8fFJp+6thPSgTWdug5tZ/JbqQ1yt18b9c1a5sYRCho=; b=lctBmYRttDHXru3BIjV+i9rGlQogEqW1xeU7xyYM/IlxMkrtwdn/y1+5feHHBhNvOQ mF34TWUHcrOPYTmD3PD9xQi+QtspToiB9t8xC47otOmf4Ub4eDYmnhKdYnee1mVjesA/ 63Hq847645TG2JEftkwysWoL+VeLpE5CoQYbdwGE3x4fxibxzIxxrsXHkrfw4ClIQBAq mToU4xDc7OfqZAsWA7KOiNiG8Pd6buXivlNWEZDefbmGqnPjmwGxjamzK8CKVoehECvJ CB2npSxilQDn7Z7BJFcU/ez9/Y2YzeYM+Qbh8FRnsaJw/RdtWKDlRm6QZV9qrxyrj/dI VXAg== X-Gm-Message-State: AOJu0Yy8kGc9uU0Se5/8KAVA90g4gI7gdMaMvAnnQOYonBAO70FtQB5V FP4x4yFBJtaQnd+ORsTLd64Azg== X-Google-Smtp-Source: AGHT+IEYSN/SDYqcdexC3uheG8u1o/CHFCDzFFhLGwA4BcqeG4BAMwpoOZJ0wcjNqkPyHrR3KCVRsQ== X-Received: by 2002:a17:907:869f:b0:9c3:a193:2580 with SMTP id qa31-20020a170907869f00b009c3a1932580mr13858512ejc.12.1699279477984; Mon, 06 Nov 2023 06:04:37 -0800 (PST) Received: from localhost ([102.36.222.112]) by smtp.gmail.com with ESMTPSA id mc27-20020a170906eb5b00b009b928eb8dd3sm4144123ejb.163.2023.11.06.06.04.37 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 06 Nov 2023 06:04:37 -0800 (PST) Date: Mon, 6 Nov 2023 17:04:33 +0300 From: Dan Carpenter To: Wenchao Hao Cc: "James E.J. Bottomley" , "Martin K. Petersen" , Douglas Gilbert , linux-scsi@vger.kernel.org, kernel-janitors@vger.kernel.org Subject: [PATCH v2 1/2] scsi: scsi_debug: scsi: scsi_debug: fix some bugs in sdebug_error_write() Message-ID: <7733643d-e102-4581-8d29-769472011c97@moroto.mountain> MIME-Version: 1.0 Content-Disposition: inline X-Mailer: git-send-email haha only kidding Precedence: bulk List-ID: X-Mailing-List: linux-scsi@vger.kernel.org There are two bug in this code: 1) If count is zero, then it will lead to a NULL dereference. The kmalloc() will successfully allocate zero bytes and the test for "if (buf[0] == '-')" will read beyond the end of the zero size buffer and Oops. 2) The code does not ensure that the user's string is properly NUL terminated which could lead to a read overflow. Fixes: a9996d722b11 ("scsi: scsi_debug: Add interface to manage error injection for a single device") Signed-off-by: Dan Carpenter Reviewed-by: Wenchao Hao --- v2: At first I tried to use strndup_user() but that only accepts NUL terminated strings and the user string is normally not terminated. drivers/scsi/scsi_debug.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/scsi/scsi_debug.c b/drivers/scsi/scsi_debug.c index 67922e2c4c19..0dd21598f7b6 100644 --- a/drivers/scsi/scsi_debug.c +++ b/drivers/scsi/scsi_debug.c @@ -1019,7 +1019,7 @@ static ssize_t sdebug_error_write(struct file *file, const char __user *ubuf, struct sdebug_err_inject *inject; struct scsi_device *sdev = (struct scsi_device *)file->f_inode->i_private; - buf = kmalloc(count, GFP_KERNEL); + buf = kzalloc(count + 1, GFP_KERNEL); if (!buf) return -ENOMEM;