From: Marcin Szycik
Date: Tue, 23 Apr 2024 13:10:16 +0200
Subject: Re: [Intel-wired-lan] [PATCH 0/5] Ensure the copied buf is NULL terminated
To: Bui Quang Minh, Jesse Brandeburg, Tony Nguyen, "David S. Miller", Eric Dumazet, Jakub Kicinski, Paolo Abeni, Paul M Stillwell Jr, Rasesh Mody, Sudarsana Kalluru, GR-Linux-NIC-Dev@marvell.com, Krishna Gudipati, Anil Gurumurthy, Sudarsana Kalluru, "James E.J. Bottomley", "Martin K. Petersen", Fabian Frederick, Saurav Kashyap, Javed Hasan, GR-QLogic-Storage-Upstream@marvell.com, Nilesh Javali, Arun Easi, Manish Rangankar, Vineeth Vijayan, Peter Oberparleiter, Heiko Carstens, Vasily Gorbik, Alexander Gordeev, Christian Borntraeger, Sven Schnelle
Cc: Jens Axboe, linux-s390@vger.kernel.org, linux-scsi@vger.kernel.org, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, intel-wired-lan@lists.osuosl.org, Saurav Kashyap
References: <20240422-fix-oob-read-v1-0-e02854c30174@gmail.com>
In-Reply-To: <20240422-fix-oob-read-v1-0-e02854c30174@gmail.com>
X-Mailing-List: linux-scsi@vger.kernel.org

On 22.04.2024 18:41, Bui Quang Minh wrote:
> Hi everyone,
>
> I found that some drivers contain an out-of-bound read pattern like this
>
> 	kern_buf = memdup_user(user_buf, count);
> 	...
> 	sscanf(kern_buf, ...);
>
> The sscanf can be replaced by some other string-related functions. This
> pattern can lead to out-of-bound read of kern_buf in string-related
> functions.
>
> This series fixes the above issue by replacing memdup_user with
> memdup_user_nul or allocating count + 1 buffer then writing the NULL
> terminator to end of buffer after userspace copying.
>
> Thanks,
> Quang Minh.
>
> Signed-off-by: Bui Quang Minh
> ---
> Bui Quang Minh (5):
>       drivers/net/ethernet/intel-ice: ensure the copied buf is NULL terminated
>       drivers/net/brocade-bnad: ensure the copied buf is NULL terminated
>       drivers/scsi/bfa/bfad: ensure the copied buf is NULL terminated
>       drivers/scsi/qedf: ensure the copied buf is NULL terminated
>       drivers/s390/cio: ensure the copied buf is NULL terminated

Typically you don't include path to module in title, instead:
ice: ensure the copied buf is NULL terminated
bna: ensure the copied buf is NULL terminated
etc.

>
>  drivers/net/ethernet/brocade/bna/bnad_debugfs.c | 4 ++--
>  drivers/net/ethernet/intel/ice/ice_debugfs.c | 8 ++++----
>  drivers/s390/cio/cio_inject.c | 3 ++-
>  drivers/scsi/bfa/bfad_debugfs.c | 4 ++--
>  drivers/scsi/qedf/qedf_debugfs.c | 2 +-
>  5 files changed, 11 insertions(+), 10 deletions(-)
> ---
> base-commit: ed30a4a51bb196781c8058073ea720133a65596f
> change-id: 20240422-fix-oob-read-19ae7f8f3711
>
> Best regards,

Thanks,
Marcin
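
The pattern described in the cover letter above and the fix it names, as an added userspace illustration (not code from this thread or from the kernel patches). dup_user() is a hypothetical malloc/memcpy stand-in for memdup_user() and memdup_user_nul(), and the sample bytes are constructed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample: the caller passes count = 2, while the bytes that
 * follow the data in memory happen to be more digits. */
static const char SAMPLE[] = "42777";
#define SAMPLE_COUNT 2

/* Hypothetical userspace stand-in: nul == 0 behaves like memdup_user()
 * (exactly count bytes), nul == 1 like memdup_user_nul() (count + 1). */
static char *dup_user(const char *src, size_t count, int nul)
{
    char *p = malloc(count + (nul ? 1 : 0));
    if (!p)
        return NULL;
    memcpy(p, src, count);
    if (nul)
        p[count] = '\0';
    return p;
}

/* 1 if a NUL lies inside the allocation made for the sample, i.e. a string
 * function handed this buffer stops before running off its end. */
static int copy_is_string(int nul)
{
    size_t alloc = SAMPLE_COUNT + (nul ? 1 : 0);
    char *buf = dup_user(SAMPLE, SAMPLE_COUNT, nul);
    int found = buf && memchr(buf, '\0', alloc) != NULL;
    free(buf);
    return found;
}

/* Fixed pattern: terminate first, then parse. Returns the value, or -1. */
static int parse_level(const char *user_buf, size_t count)
{
    char *kern_buf = dup_user(user_buf, count, 1);
    int level = -1, ok = kern_buf && sscanf(kern_buf, "%d", &level) == 1;
    free(kern_buf);
    return ok ? level : -1;
}

int main(void)
{
    printf("raw copy is a string: %d, nul copy: %d, parsed: %d\n",
           copy_is_string(0), copy_is_string(1), parse_level(SAMPLE, SAMPLE_COUNT));
    return 0;
}
```

The unterminated copy is never passed to sscanf() here; the memchr() check only shows that it holds no terminator within its own allocation, which is the condition that lets a string function read past the end.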