Commit ccf1ef0a authored Sep 10, 2024 by Bui Quang Minh Committed by Zhang Zekun Sep 10, 2024

bna: ensure the copied buf is NUL terminated

mainline inclusion
from mainline-v6.9-rc7
commit 8c34096c7fdf272fd4c0c37fe411cd2e3ed0ee9f
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9U1KE
CVE: CVE-2024-36934

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=8c34096c7fdf272fd4c0c37fe411cd2e3ed0ee9f



-----------------------------------------------------------

Currently, we allocate a nbytes-sized kernel buffer and copy nbytes from
userspace to that buffer. Later, we use sscanf on this buffer but we don't
ensure that the string is terminated inside the buffer, this can lead to
OOB read when using sscanf. Fix this issue by using memdup_user_nul
instead of memdup_user.

Fixes: 7afc5dbd ("bna: Add debugfs interface.")
Signed-off-by: Bui Quang Minh <minhquangbui99@gmail.com>
Link: https://lore.kernel.org/r/20240424-fix-oob-read-v2-2-f1f1b53a10f4@gmail.com


Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Zhang Zekun <zhangzekun11@huawei.com>

parent 49cb18ca

drivers/net/ethernet/brocade/bna/bnad_debugfs.c

+2 −2

Original line number	Diff line number	Diff line
		@@ -312,7 +312,7 @@ bnad_debugfs_write_regrd(struct file file, const char __user buf,
		void *kern_buf;

		/* Copy the user space buf */
		kern_buf = memdup_user(buf, nbytes);
		kern_buf = memdup_user_nul(buf, nbytes);
		if (IS_ERR(kern_buf))
		return PTR_ERR(kern_buf);

		@@ -372,7 +372,7 @@ bnad_debugfs_write_regwr(struct file file, const char __user buf,
		void *kern_buf;

		/* Copy the user space buf */
		kern_buf = memdup_user(buf, nbytes);
		kern_buf = memdup_user_nul(buf, nbytes);
		if (IS_ERR(kern_buf))
		return PTR_ERR(kern_buf);