Commit f299ee70 authored by Bui Quang Minh's avatar Bui Quang Minh Committed by Jakub Kicinski

octeontx2-af: avoid off-by-one read from userspace

We try to access count + 1 byte from userspace with memdup_user(buffer,
count + 1). However, the userspace only provides buffer of count bytes and
only these count bytes are verified to be okay to access. To ensure the
copied buffer is NUL terminated, we use memdup_user_nul instead.

Fixes: 3a2eb515 ("octeontx2-af: Fix an off by one in rvu_dbg_qsize_write()")
Signed-off-by: default avatarBui Quang Minh <minhquangbui99@gmail.com>
Link: https://lore.kernel.org/r/20240424-fix-oob-read-v2-6-f1f1b53a10f4@gmail.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
parent 8c34096c
...@@ -999,12 +999,10 @@ static ssize_t rvu_dbg_qsize_write(struct file *filp, ...@@ -999,12 +999,10 @@ static ssize_t rvu_dbg_qsize_write(struct file *filp,
u16 pcifunc; u16 pcifunc;
int ret, lf; int ret, lf;
cmd_buf = memdup_user(buffer, count + 1); cmd_buf = memdup_user_nul(buffer, count);
if (IS_ERR(cmd_buf)) if (IS_ERR(cmd_buf))
return -ENOMEM; return -ENOMEM;
cmd_buf[count] = '\0';
cmd_buf_tmp = strchr(cmd_buf, '\n'); cmd_buf_tmp = strchr(cmd_buf, '\n');
if (cmd_buf_tmp) { if (cmd_buf_tmp) {
*cmd_buf_tmp = '\0'; *cmd_buf_tmp = '\0';
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment