bna: ensure the copied buf is NUL terminated
mainline inclusion from mainline-v6.9-rc7 commit 8c34096c7fdf272fd4c0c37fe411cd2e3ed0ee9f category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9U1KE CVE: CVE-2024-36934 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=8c34096c7fdf272fd4c0c37fe411cd2e3ed0ee9f ----------------------------------------------------------- Currently, we allocate a nbytes-sized kernel buffer and copy nbytes from userspace to that buffer. Later, we use sscanf on this buffer but we don't ensure that the string is terminated inside the buffer, this can lead to OOB read when using sscanf. Fix this issue by using memdup_user_nul instead of memdup_user. Fixes: 7afc5dbd ("bna: Add debugfs interface.") Signed-off-by:Bui Quang Minh <minhquangbui99@gmail.com> Link: https://lore.kernel.org/r/20240424-fix-oob-read-v2-2-f1f1b53a10f4@gmail.com Signed-off-by:
Loading
Please sign in to comment