Commit 118ee5bc authored Jul 04, 2024 by Bui Quang Minh Committed by openeuler-sync-bot Jul 17, 2024

scsi: qedf: Ensure the copied buf is NUL terminated

mainline inclusion
from mainline-v6.10-rc1
commit d0184a375ee797eb657d74861ba0935b6e405c62
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IA6SHD
CVE: CVE-2024-38559

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=d0184a375ee797eb657d74861ba0935b6e405c62



--------------------------------

Currently, we allocate a count-sized kernel buffer and copy count from
userspace to that buffer. Later, we use kstrtouint on this buffer but we
don't ensure that the string is terminated inside the buffer, this can
lead to OOB read when using kstrtouint. Fix this issue by using
memdup_user_nul instead of memdup_user.

Fixes: 61d8658b ("scsi: qedf: Add QLogic FastLinQ offload FCoE driver framework.")
Signed-off-by: Bui Quang Minh <minhquangbui99@gmail.com>
Link: https://lore.kernel.org/r/20240424-fix-oob-read-v2-4-f1f1b53a10f4@gmail.com


Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Zheng Zucheng <zhengzucheng@huawei.com>
(cherry picked from commit cfb3b8be)

parent 5abddf38

drivers/scsi/qedf/qedf_debugfs.c

+1 −1

Original line number	Diff line number	Diff line
		@@ -170,7 +170,7 @@ qedf_dbg_debug_cmd_write(struct file filp, const char __user buffer,
		if (!count \|\| *ppos)
		return 0;

		kern_buf = memdup_user(buffer, count);
		kern_buf = memdup_user_nul(buffer, count);
		if (IS_ERR(kern_buf))
		return PTR_ERR(kern_buf);