[PATCH openEuler-22.03-LTS-SP1] octeontx2-af: avoid off-by-one read from userspace - Kernel

6 Jun 2024

From: Bui Quang Minh minhquangbui99@gmail.com
stable inclusion
from stable-v5.10.217
commit bcdac70adceb44373da204c3c297f2a98e13216e
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9TM64
CVE: CVE-2024-36957
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=...
--------------------------------
[ Upstream commit f299ee709fb45036454ca11e90cb2810fe771878 ]
We try to access count + 1 byte from userspace with memdup_user(buffer,
count + 1). However, the userspace only provides buffer of count bytes and
only these count bytes are verified to be okay to access. To ensure the
copied buffer is NUL terminated, we use memdup_user_nul instead.
Fixes: 3a2eb515d136 ("octeontx2-af: Fix an off by one in rvu_dbg_qsize_write()")
Signed-off-by: Bui Quang Minh minhquangbui99@gmail.com
Link: https://lore.kernel.org/r/20240424-fix-oob-read-v2-6-f1f1b53a10f4@gmail.com
Signed-off-by: Jakub Kicinski kuba@kernel.org
Signed-off-by: Sasha Levin sashal@kernel.org
Signed-off-by: Guo Mengqi guomengqi3@huawei.com
---
 drivers/net/ethernet/marvell/octeontx2/af/rvu_debugfs.c | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/drivers/net/ethernet/marvell/octeontx2/af/rvu_debugfs.c b/drivers/net/ethernet/marvell/octeontx2/af/rvu_debugfs.c
index 5205796859f6..d212bab3ddba 100644
--- a/drivers/net/ethernet/marvell/octeontx2/af/rvu_debugfs.c
+++ b/drivers/net/ethernet/marvell/octeontx2/af/rvu_debugfs.c
@@ -420,12 +420,10 @@ static ssize_t rvu_dbg_qsize_write(struct file *filp,
    u16 pcifunc;
    int ret, lf;
-	cmd_buf = memdup_user(buffer, count + 1);
+	cmd_buf = memdup_user_nul(buffer, count);
    if (IS_ERR(cmd_buf))
    	return -ENOMEM;
-	cmd_buf[count] = '\0';
-
    cmd_buf_tmp = strchr(cmd_buf, '\n');
    if (cmd_buf_tmp) {
    	*cmd_buf_tmp = '\0';
-- 
2.17.1


    