From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: James Smart <jsmart2021@gmail.com>,
Justin Tee <justin.tee@broadcom.com>,
"Martin K . Petersen" <martin.petersen@oracle.com>,
Sasha Levin <sashal@kernel.org>,
james.smart@broadcom.com, dick.kennedy@broadcom.com,
jejb@linux.ibm.com, linux-scsi@vger.kernel.org
Subject: [PATCH AUTOSEL 5.4 10/21] scsi: lpfc: Prevent buffer overflow crashes in debugfs with malformed user input
Date: Sun, 14 Aug 2022 11:35:20 -0400 [thread overview]
Message-ID: <20220814153531.2379705-10-sashal@kernel.org> (raw)
In-Reply-To: <20220814153531.2379705-1-sashal@kernel.org>
From: James Smart <jsmart2021@gmail.com>
[ Upstream commit f8191d40aa612981ce897e66cda6a88db8df17bb ]
Malformed user input to debugfs results in buffer overflow crashes. Adapt
input string lengths to fit within internal buffers, leaving space for NULL
terminators.
Link: https://lore.kernel.org/r/20220701211425.2708-3-jsmart2021@gmail.com
Co-developed-by: Justin Tee <justin.tee@broadcom.com>
Signed-off-by: Justin Tee <justin.tee@broadcom.com>
Signed-off-by: James Smart <jsmart2021@gmail.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/scsi/lpfc/lpfc_debugfs.c | 20 ++++++++++----------
1 file changed, 10 insertions(+), 10 deletions(-)
diff --git a/drivers/scsi/lpfc/lpfc_debugfs.c b/drivers/scsi/lpfc/lpfc_debugfs.c
index e15bb3dfe995..69551132f304 100644
--- a/drivers/scsi/lpfc/lpfc_debugfs.c
+++ b/drivers/scsi/lpfc/lpfc_debugfs.c
@@ -2402,8 +2402,8 @@ lpfc_debugfs_multixripools_write(struct file *file, const char __user *buf,
struct lpfc_sli4_hdw_queue *qp;
struct lpfc_multixri_pool *multixri_pool;
- if (nbytes > 64)
- nbytes = 64;
+ if (nbytes > sizeof(mybuf) - 1)
+ nbytes = sizeof(mybuf) - 1;
/* Protect copy from user */
if (!access_ok(buf, nbytes))
@@ -2487,8 +2487,8 @@ lpfc_debugfs_nvmestat_write(struct file *file, const char __user *buf,
if (!phba->targetport)
return -ENXIO;
- if (nbytes > 64)
- nbytes = 64;
+ if (nbytes > sizeof(mybuf) - 1)
+ nbytes = sizeof(mybuf) - 1;
memset(mybuf, 0, sizeof(mybuf));
@@ -2629,8 +2629,8 @@ lpfc_debugfs_nvmektime_write(struct file *file, const char __user *buf,
char mybuf[64];
char *pbuf;
- if (nbytes > 64)
- nbytes = 64;
+ if (nbytes > sizeof(mybuf) - 1)
+ nbytes = sizeof(mybuf) - 1;
memset(mybuf, 0, sizeof(mybuf));
@@ -2757,8 +2757,8 @@ lpfc_debugfs_nvmeio_trc_write(struct file *file, const char __user *buf,
char mybuf[64];
char *pbuf;
- if (nbytes > 63)
- nbytes = 63;
+ if (nbytes > sizeof(mybuf) - 1)
+ nbytes = sizeof(mybuf) - 1;
memset(mybuf, 0, sizeof(mybuf));
@@ -2863,8 +2863,8 @@ lpfc_debugfs_cpucheck_write(struct file *file, const char __user *buf,
char *pbuf;
int i, j;
- if (nbytes > 64)
- nbytes = 64;
+ if (nbytes > sizeof(mybuf) - 1)
+ nbytes = sizeof(mybuf) - 1;
memset(mybuf, 0, sizeof(mybuf));
--
2.35.1
next prev parent reply other threads:[~2022-08-14 15:53 UTC|newest]
Thread overview: 21+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-08-14 15:35 [PATCH AUTOSEL 5.4 01/21] PCI: Add ACS quirk for Broadcom BCM5750x NICs Sasha Levin
2022-08-14 15:35 ` [PATCH AUTOSEL 5.4 02/21] usb: cdns3 fix use-after-free at workaround 2 Sasha Levin
2022-08-14 15:35 ` [PATCH AUTOSEL 5.4 03/21] usb: gadget: uvc: call uvc uvcg_warn on completed status instead of uvcg_info Sasha Levin
2022-08-14 15:35 ` [PATCH AUTOSEL 5.4 04/21] irqchip/tegra: Fix overflow implicit truncation warnings Sasha Levin
2022-08-14 15:35 ` [PATCH AUTOSEL 5.4 05/21] drm/meson: " Sasha Levin
2022-08-14 15:35 ` [PATCH AUTOSEL 5.4 06/21] usb: host: ohci-ppc-of: Fix refcount leak bug Sasha Levin
2022-08-14 15:35 ` [PATCH AUTOSEL 5.4 07/21] usb: renesas: " Sasha Levin
2022-08-14 15:35 ` [PATCH AUTOSEL 5.4 08/21] vboxguest: Do not use devm for irq Sasha Levin
2022-08-14 15:35 ` [PATCH AUTOSEL 5.4 09/21] clk: qcom: ipq8074: dont disable gcc_sleep_clk_src Sasha Levin
2022-08-14 15:35 ` Sasha Levin [this message]
2022-08-14 15:35 ` [PATCH AUTOSEL 5.4 11/21] gadgetfs: ep_io - wait until IRQ finishes Sasha Levin
2022-08-14 15:35 ` [PATCH AUTOSEL 5.4 12/21] cxl: Fix a memory leak in an error handling path Sasha Levin
2022-08-14 15:35 ` [PATCH AUTOSEL 5.4 13/21] PCI/ACPI: Guard ARM64-specific mcfg_quirks Sasha Levin
2022-08-14 15:35 ` [PATCH AUTOSEL 5.4 14/21] um: add "noreboot" command line option for PANIC_TIMEOUT=-1 setups Sasha Levin
2022-08-14 15:35 ` [PATCH AUTOSEL 5.4 15/21] selftests/kprobe: Do not test for GRP/ without event failures Sasha Levin
2022-08-14 15:35 ` [PATCH AUTOSEL 5.4 16/21] dmaengine: sprd: Cleanup in .remove() after pm_runtime_get_sync() failed Sasha Levin
2022-08-14 15:35 ` [PATCH AUTOSEL 5.4 17/21] ARM: 9203/1: kconfig: fix MODULE_PLTS for KASAN with KASAN_VMALLOC Sasha Levin
2022-08-14 15:35 ` [PATCH AUTOSEL 5.4 18/21] nvmet-tcp: fix lockdep complaint on nvmet_tcp_wq flush during queue teardown Sasha Levin
2022-08-14 15:35 ` [PATCH AUTOSEL 5.4 19/21] drivers:md:fix a potential use-after-free bug Sasha Levin
2022-08-14 15:35 ` [PATCH AUTOSEL 5.4 20/21] ext4: avoid remove directory when directory is corrupted Sasha Levin
2022-08-14 15:35 ` [PATCH AUTOSEL 5.4 21/21] ext4: avoid resizing to a partial cluster size Sasha Levin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20220814153531.2379705-10-sashal@kernel.org \
--to=sashal@kernel.org \
--cc=dick.kennedy@broadcom.com \
--cc=james.smart@broadcom.com \
--cc=jejb@linux.ibm.com \
--cc=jsmart2021@gmail.com \
--cc=justin.tee@broadcom.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-scsi@vger.kernel.org \
--cc=martin.petersen@oracle.com \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).