Skip to content

L
linux
Commit 13d0cecb authored by Bui Quang Minh's avatar Bui Quang Minh Committed by Martin K. Petersen
Browse files
Options

scsi: bfa: Ensure the copied buf is NUL terminated 

Currently, we allocate a nbytes-sized kernel buffer and copy nbytes from
userspace to that buffer. Later, we use sscanf on this buffer but we don't
ensure that the string is terminated inside the buffer, this can lead to
OOB read when using sscanf. Fix this issue by using memdup_user_nul instead
of memdup_user.

Fixes: 9f30b674 ("bfa: replace 2 kzalloc/copy_from_user by memdup_user")
Signed-off-by: default avatarBui Quang Minh <minhquangbui99@gmail.com>
Link: https://lore.kernel.org/r/20240424-fix-oob-read-v2-3-f1f1b53a10f4@gmail.comSigned-off-by: default avatarMartin K. Petersen <martin.petersen@oracle.com>
parent aca06177
Hide whitespace changes
Inline Side-by-side
Showing with 2 additions and 2 deletions
drivers/scsi/bfa/bfad_debugfs.c
View file @ 13d0cecb
......@@ -250,7 +250,7 @@ bfad_debugfs_write_regrd(struct file *file, const char __user *buf,
unsigned long flags;
void *kern_buf;
kern_buf = memdup_user(buf, nbytes);
kern_buf = memdup_user_nul(buf, nbytes);
if (IS_ERR(kern_buf))
return PTR_ERR(kern_buf);
......@@ -317,7 +317,7 @@ bfad_debugfs_write_regwr(struct file *file, const char __user *buf,
unsigned long flags;
void *kern_buf;
kern_buf = memdup_user(buf, nbytes);
kern_buf = memdup_user_nul(buf, nbytes);
if (IS_ERR(kern_buf))
return PTR_ERR(kern_buf);
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment
GitLab Nexedi Edition | About GitLab | About Nexedi | 沪ICP备2021021310号-2 | 沪ICP备2021021310号-7