From patchwork Wed Apr 24 14:44:17 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Bui Quang Minh X-Patchwork-Id: 1927223 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@legolas.ozlabs.org Authentication-Results: legolas.ozlabs.org; dkim=pass (2048-bit key; unprotected) header.d=osuosl.org header.i=@osuosl.org header.a=rsa-sha256 header.s=default header.b=Z5WCtRs4; dkim-atps=neutral Authentication-Results: legolas.ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=osuosl.org (client-ip=2605:bc80:3010::133; helo=smtp2.osuosl.org; envelope-from=intel-wired-lan-bounces@osuosl.org; receiver=patchwork.ozlabs.org) Received: from smtp2.osuosl.org (smtp2.osuosl.org [IPv6:2605:bc80:3010::133]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1) server-digest SHA384) (No client certificate requested) by legolas.ozlabs.org (Postfix) with ESMTPS id 4VPjMc40T1z1yP2 for ; Thu, 25 Apr 2024 01:19:40 +1000 (AEST) Received: from localhost (localhost [127.0.0.1]) by smtp2.osuosl.org (Postfix) with ESMTP id 82E1B40734; Wed, 24 Apr 2024 15:19:36 +0000 (UTC) X-Virus-Scanned: amavis at osuosl.org Received: from smtp2.osuosl.org ([127.0.0.1]) by localhost (smtp2.osuosl.org [127.0.0.1]) (amavis, port 10024) with ESMTP id b-6H3OpWDUzt; Wed, 24 Apr 2024 15:19:35 +0000 (UTC) X-Comment: SPF check N/A for local connections - client-ip=140.211.166.34; helo=ash.osuosl.org; envelope-from=intel-wired-lan-bounces@osuosl.org; receiver= DKIM-Filter: OpenDKIM Filter v2.11.0 smtp2.osuosl.org 448CC41690 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=osuosl.org; s=default; t=1713971975; bh=9AlBe3kk5ztZRFTkgvZ6SOgy/VblETXj3psnO1nVDEQ=; h=From:Date:To:Subject:List-Id:List-Unsubscribe:List-Archive: List-Post:List-Help:List-Subscribe:Cc:From; b=Z5WCtRs4MO0rLFf6jiuRD+Z04Z8lXVD/assNRX6VJJWOlj4RKxrughQQhLLDxTwCt HBDzyr4tzghPsuB6E3ugv+R5c4VUh5vFpMYjzjzguaROQ/3hayFVRhv7rLNIzBZiIu xTov6urg8+Kp/HI1+pyuzZpaw1ODrFnzrAzHy16PpHNwDJUkbZIDtHTEL8TZJ3Vqv8 UVxQORjeBsj5rDnoCnHbje+WlVfMD76TiW8UQthhSjNd3DEik89fYCQih5+BRPdZSo IqNlyb5/SQ4/guwDsOiKIis7ktKHQwhmPnD0PSJlLfg1vQoYLVtRNVw0dnkCSbWAhz J+t9c+DJONyng== Received: from ash.osuosl.org (ash.osuosl.org [140.211.166.34]) by smtp2.osuosl.org (Postfix) with ESMTP id 448CC41690; Wed, 24 Apr 2024 15:19:35 +0000 (UTC) X-Original-To: intel-wired-lan@lists.osuosl.org Delivered-To: intel-wired-lan@lists.osuosl.org Received: from smtp3.osuosl.org (smtp3.osuosl.org [140.211.166.136]) by ash.osuosl.org (Postfix) with ESMTP id 208911BF57C for ; Wed, 24 Apr 2024 14:44:43 +0000 (UTC) Received: from localhost (localhost [127.0.0.1]) by smtp3.osuosl.org (Postfix) with ESMTP id 0C3AC60BE4 for ; Wed, 24 Apr 2024 14:44:43 +0000 (UTC) X-Virus-Scanned: amavis at osuosl.org Received: from smtp3.osuosl.org ([127.0.0.1]) by localhost (smtp3.osuosl.org [127.0.0.1]) (amavis, port 10024) with ESMTP id 2mjEYcIR9SZh for ; Wed, 24 Apr 2024 14:44:42 +0000 (UTC) Received-SPF: Pass (mailfrom) identity=mailfrom; client-ip=2607:f8b0:4864:20::431; helo=mail-pf1-x431.google.com; envelope-from=minhquangbui99@gmail.com; receiver= DMARC-Filter: OpenDMARC Filter v1.4.2 smtp3.osuosl.org E7F4260BD9 DKIM-Filter: OpenDKIM Filter v2.11.0 smtp3.osuosl.org E7F4260BD9 Received: from mail-pf1-x431.google.com (mail-pf1-x431.google.com [IPv6:2607:f8b0:4864:20::431]) by smtp3.osuosl.org (Postfix) with ESMTPS id E7F4260BD9 for ; Wed, 24 Apr 2024 14:44:41 +0000 (UTC) Received: by mail-pf1-x431.google.com with SMTP id d2e1a72fcca58-6ee0642f718so785639b3a.0 for ; Wed, 24 Apr 2024 07:44:41 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1713969881; x=1714574681; h=cc:to:content-transfer-encoding:mime-version:message-id:date :subject:from:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=9AlBe3kk5ztZRFTkgvZ6SOgy/VblETXj3psnO1nVDEQ=; b=YRRnsgDow+Y/zP2A45c0hFgYqBnpNNtVB6yS5VzCoLj5rEyNpEBzUnqMKRUHS1DITx eJgMDeBONvLaTlm29OhcJ+0vtN98YNoBal8xoe8AKjgctldd+LEG/nLXhUiEbMxMH0KB zzaEwIPNAe95Yn9mf2RfIX9YIVq42q6dXwMBW2CDPInmOsJ3jT9hkYHwq5Cx/B9s1V6f GVmroTyrby/Kv9BgKLe1nqLbXl3Tu5VeNUCYXa/PFirwQjzyd6GE4B8jmEZ5iEZQcu75 n628zb8OF2v9qEQU+K9Riq2Phqi1V6TwLPEpJo09w8ALmL/5Qs4GtvQUajEvgvbKUo7B vcfQ== X-Gm-Message-State: AOJu0YzAsQXvMjRJOpCyRlrMORgnQIIsae+hXeeKK+rhRs8TS/85mial jdf3OuLKzxsTL8iibfE27CyzWKXsGnfBJcWTSxuGWm3ZFQmShVF7 X-Google-Smtp-Source: AGHT+IEZ2apyKdcveQJKiKV0/EodXodOYVr/N97y8zIovzzSFGYRD4Ce2vZBNWEv4JnoIEF0HZVlwg== X-Received: by 2002:a05:6a20:3c8a:b0:1a9:97ab:d09a with SMTP id b10-20020a056a203c8a00b001a997abd09amr4044692pzj.16.1713969880981; Wed, 24 Apr 2024 07:44:40 -0700 (PDT) Received: from [127.0.1.1] ([2001:ee0:50f5:5d0:6ca6:7f20:5242:67cc]) by smtp.googlemail.com with ESMTPSA id a5-20020aa78e85000000b006e554afa254sm11495743pfr.38.2024.04.24.07.44.31 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 24 Apr 2024 07:44:40 -0700 (PDT) From: Bui Quang Minh Date: Wed, 24 Apr 2024 21:44:17 +0700 Message-Id: <20240424-fix-oob-read-v2-0-f1f1b53a10f4@gmail.com> MIME-Version: 1.0 X-B4-Tracking: v=1; b=H4sIAMEaKWYC/3WMQQ6CMBBFr0Jm7ZhOqSm68h6GRS1TmESoaQ3Rk N7dyt7l+z/vbZA5CWe4NBskXiVLXCroQwN+csvIKENl0EobZbTGIG+M8Y6J3YB0dmxDF1pLBFV 5Jq7/nrv1lSfJr5g+e32l3/ontBIqZKW7k/GtImuu4+zkcfRxhr6U8gUzNIQ7qAAAAA== To: Jesse Brandeburg , Tony Nguyen , "David S. Miller" , Eric Dumazet , Jakub Kicinski , Paolo Abeni , Paul M Stillwell Jr , Rasesh Mody , Sudarsana Kalluru , GR-Linux-NIC-Dev@marvell.com, Anil Gurumurthy , Sudarsana Kalluru , "James E.J. Bottomley" , "Martin K. Petersen" , Fabian Frederick , Saurav Kashyap , GR-QLogic-Storage-Upstream@marvell.com, Nilesh Javali , Arun Easi , Manish Rangankar , Vineeth Vijayan , Peter Oberparleiter , Heiko Carstens , Vasily Gorbik , Alexander Gordeev , Christian Borntraeger , Sven Schnelle , Sunil Goutham , Linu Cherian , Geetha sowjanya , Jerin Jacob , hariprasad , Subbaraya Sundeep X-Mailer: b4 0.13.0 X-Mailman-Approved-At: Wed, 24 Apr 2024 15:19:32 +0000 X-Mailman-Original-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1713969881; x=1714574681; darn=lists.osuosl.org; h=cc:to:content-transfer-encoding:mime-version:message-id:date :subject:from:from:to:cc:subject:date:message-id:reply-to; bh=9AlBe3kk5ztZRFTkgvZ6SOgy/VblETXj3psnO1nVDEQ=; b=OcoJTZMKilLSY0rWc8WSifIRV3EQ7I8JNzO+YlXZM+tcmRzn8DrKYt9LvQ4nJsFWag 8dzi2G5JHo6ddXYsQCBxrPZbcTO/YRngDz23mru+De031R2DVyCEl/DaqRxRYJ3okMh1 hG/QMcWuijeQL6H4NZ/3H5fKF57fxEjhfbEYBSteLmLT6shttqQAJJo6eMucONUQEcTh mkRAp+a2lOPR8K1Ck2P9i6rhYEBlLLMSF9o19PjzsQgY5UUDTjc9zRDbA2vLvtan+oiN jqsJKNsQgrpGlU8tgTDghEu6xVZ7tM/a/k/AD0BIbxb+O1U4ACTgG5zIP/A1C+GJvsbS 9MNQ== X-Mailman-Original-Authentication-Results: smtp3.osuosl.org; dmarc=pass (p=none dis=none) header.from=gmail.com X-Mailman-Original-Authentication-Results: smtp3.osuosl.org; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.a=rsa-sha256 header.s=20230601 header.b=OcoJTZMK Subject: [Intel-wired-lan] [PATCH v2 0/6] Ensure the copied buf is NUL terminated X-BeenThere: intel-wired-lan@osuosl.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: Intel Wired Ethernet Linux Kernel Driver Development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Jens Axboe , linux-s390@vger.kernel.org, linux-scsi@vger.kernel.org, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, intel-wired-lan@lists.osuosl.org, Przemek Kitszel , Saurav Kashyap , Bui Quang Minh Errors-To: intel-wired-lan-bounces@osuosl.org Sender: "Intel-wired-lan" Hi everyone, I found that some drivers contains an out-of-bound read pattern like this kern_buf = memdup_user(user_buf, count); ... sscanf(kern_buf, ...); The sscanf can be replaced by some other string-related functions. This pattern can lead to out-of-bound read of kern_buf in string-related functions. This series fix the above issue by replacing memdup_user with memdup_user_nul. Thanks, Quang Minh. To: Jesse Brandeburg To: Tony Nguyen To: David S. Miller To: Eric Dumazet To: Jakub Kicinski To: Paolo Abeni To: Paul M Stillwell Jr To: Rasesh Mody To: Sudarsana Kalluru To: GR-Linux-NIC-Dev@marvell.com To: Anil Gurumurthy To: Sudarsana Kalluru To: James E.J. Bottomley To: Martin K. Petersen To: Fabian Frederick To: Saurav Kashyap To: GR-QLogic-Storage-Upstream@marvell.com To: Nilesh Javali To: Arun Easi To: Manish Rangankar To: Vineeth Vijayan To: Peter Oberparleiter To: Heiko Carstens To: Vasily Gorbik To: Alexander Gordeev To: Christian Borntraeger To: Sven Schnelle To: Dupuis, Chad To: Sunil Goutham To: Linu Cherian To: Geetha sowjanya To: Jerin Jacob To: hariprasad To: Subbaraya Sundeep Cc: intel-wired-lan@lists.osuosl.org Cc: netdev@vger.kernel.org Cc: linux-kernel@vger.kernel.org Cc: linux-scsi@vger.kernel.org Cc: Saurav Kashyap Cc: linux-s390@vger.kernel.org Cc: Jens Axboe Signed-off-by: Bui Quang Minh Changes in v2: - Patch 5: use memdup_user_nul instead - Add patch 6 - Link to v1: https://lore.kernel.org/r/20240422-fix-oob-read-v1-0-e02854c30174@gmail.com --- Bui Quang Minh (6): ice: ensure the copied buf is NUL terminated bna: ensure the copied buf is NUL terminated bfa: ensure the copied buf is NUL terminated qedf: ensure the copied buf is NUL terminated cio: ensure the copied buf is NUL terminated octeontx2-af: avoid off-by-one read from userspace drivers/net/ethernet/brocade/bna/bnad_debugfs.c | 4 ++-- drivers/net/ethernet/intel/ice/ice_debugfs.c | 8 ++++---- drivers/net/ethernet/marvell/octeontx2/af/rvu_debugfs.c | 4 +--- drivers/s390/cio/cio_inject.c | 2 +- drivers/scsi/bfa/bfad_debugfs.c | 4 ++-- drivers/scsi/qedf/qedf_debugfs.c | 2 +- 6 files changed, 11 insertions(+), 13 deletions(-) --- base-commit: ed30a4a51bb196781c8058073ea720133a65596f change-id: 20240422-fix-oob-read-19ae7f8f3711 Best regards,