From: Oleksandr Natalenko <oleksandr@redhat.com>
To: linux-kernel@vger.kernel.org
Cc: linux-scsi@vger.kernel.org, Saurav Kashyap <skashyap@marvell.com>,
Javed Hasan <jhasan@marvell.com>,
GR-QLogic-Storage-Upstream@marvell.com,
"James E.J. Bottomley" <jejb@linux.ibm.com>,
"Martin K. Petersen" <martin.petersen@oracle.com>,
Jozef Bacik <jobacik@redhat.com>,
Laurence Oberman <loberman@redhat.com>,
Rob Evers <revers@redhat.com>
Subject: [RFC PATCH 0/3] scsi: qedf: sanitise uaccess
Date: Mon, 24 Jul 2023 14:02:38 +0200 [thread overview]
Message-ID: <20230724120241.40495-1-oleksandr@redhat.com> (raw)
qedf driver, debugfs part of it specifically, touches __user pointers
directly for printing out info to userspace via sprintf(), which may
cause crash like this:
BUG: unable to handle kernel paging request at 00007ffd1d6b43a0
IP: [<ffffffffaa7a882a>] string.isra.7+0x6a/0xf0
Oops: 0003 [#1] SMP
Call Trace:
[<ffffffffaa7a9f31>] vsnprintf+0x201/0x6a0
[<ffffffffaa7aa556>] sprintf+0x56/0x80
[<ffffffffc04227ed>] qedf_dbg_stop_io_on_error_cmd_read+0x6d/0x90 [qedf]
[<ffffffffaa65bb2f>] vfs_read+0x9f/0x170
[<ffffffffaa65cb82>] SyS_pread64+0x92/0xc0
Avoid this by preparing the info in a kernel buffer first, either
allocated on stack for small printouts, or via vmalloc() for big ones,
and then copying it to the userspace properly.
I'm not sure how big the vmalloc()'ed buffer should be, and also whether
vmalloc()'ing it directly in the _read() function is a good idea, hence
RFC prefix.
The qedf_dbg_stop_io_on_error_cmd_read()-related patch is actually tested,
the rest is compile-tested only.
Oleksandr Natalenko (3):
scsi: qedf: do not touch __user pointer in
qedf_dbg_stop_io_on_error_cmd_read() directly
scsi: qedf: do not touch __user pointer in qedf_dbg_debug_cmd_read()
directly
scsi: qedf: do not touch __user pointer in qedf_dbg_fp_int_cmd_read()
directly
drivers/scsi/qedf/qedf_dbg.h | 2 ++
drivers/scsi/qedf/qedf_debugfs.c | 35 +++++++++++++++++++-------------
2 files changed, 23 insertions(+), 14 deletions(-)
--
2.41.0
next reply other threads:[~2023-07-24 12:03 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-07-24 12:02 Oleksandr Natalenko [this message]
2023-07-24 12:02 ` [RFC PATCH 1/3] scsi: qedf: do not touch __user pointer in qedf_dbg_stop_io_on_error_cmd_read() directly Oleksandr Natalenko
2023-07-24 12:02 ` [RFC PATCH 2/3] scsi: qedf: do not touch __user pointer in qedf_dbg_debug_cmd_read() directly Oleksandr Natalenko
2023-07-24 12:02 ` [RFC PATCH 3/3] scsi: qedf: do not touch __user pointer in qedf_dbg_fp_int_cmd_read() directly Oleksandr Natalenko
2023-07-24 13:03 ` [RFC PATCH 0/3] scsi: qedf: sanitise uaccess Laurence Oberman
2023-07-24 16:27 ` Laurence Oberman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20230724120241.40495-1-oleksandr@redhat.com \
--to=oleksandr@redhat.com \
--cc=GR-QLogic-Storage-Upstream@marvell.com \
--cc=jejb@linux.ibm.com \
--cc=jhasan@marvell.com \
--cc=jobacik@redhat.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-scsi@vger.kernel.org \
--cc=loberman@redhat.com \
--cc=martin.petersen@oracle.com \
--cc=revers@redhat.com \
--cc=skashyap@marvell.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).