qiurui
/
Centos-kernel-stream-9
mirror of https://gitlab.com/redhat/centos-stream/src/kernel/centos-stream-9.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

octeontx2-af: avoid off-by-one read from userspace 

JIRA: https://issues.redhat.com/browse/RHEL-39873
CVE: CVE-2024-36957

commit f299ee709fb45036454ca11e90cb2810fe771878
Author: Bui Quang Minh <minhquangbui99@gmail.com>
Date:   Wed Apr 24 21:44:23 2024 +0700

    octeontx2-af: avoid off-by-one read from userspace

    We try to access count + 1 byte from userspace with memdup_user(buffer,
    count + 1). However, the userspace only provides buffer of count bytes and
    only these count bytes are verified to be okay to access. To ensure the
    copied buffer is NUL terminated, we use memdup_user_nul instead.

    Fixes: 3a2eb515d1 ("octeontx2-af: Fix an off by one in rvu_dbg_qsize_write()")
    Signed-off-by: Bui Quang Minh <minhquangbui99@gmail.com>
    Link: https://lore.kernel.org/r/20240424-fix-oob-read-v2-6-f1f1b53a10f4@gmail.com
    Signed-off-by: Jakub Kicinski <kuba@kernel.org>

Signed-off-by: Kamal Heib <kheib@redhat.com>
This commit is contained in:
Kamal Heib 2024-06-07 20:10:25 -04:00
parent 69b15dc7e5
commit 1ce23d5f20
1 changed files with 1 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
drivers/net/ethernet/marvell/octeontx2/af/rvu_debugfs.c
View File

@ -999,12 +999,10 @@ static ssize_t rvu_dbg_qsize_write(struct file *filp,
u16 pcifunc;
int ret, lf;
cmd_buf = memdup_user(buffer, count + 1);
cmd_buf = memdup_user_nul(buffer, count);
if (IS_ERR(cmd_buf))
return -ENOMEM;
cmd_buf[count] = '\0';
cmd_buf_tmp = strchr(cmd_buf, '\n');
if (cmd_buf_tmp) {
*cmd_buf_tmp = '\0';