From 1ce23d5f20eec9ef48c2d40ed7831ee8ab9733c4 Mon Sep 17 00:00:00 2001
From: Kamal Heib <kheib@redhat.com>
Date: Fri, 7 Jun 2024 20:10:25 -0400
Subject: [PATCH] octeontx2-af: avoid off-by-one read from userspace

JIRA: https://issues.redhat.com/browse/RHEL-39873
CVE: CVE-2024-36957

commit f299ee709fb45036454ca11e90cb2810fe771878
Author: Bui Quang Minh <minhquangbui99@gmail.com>
Date:   Wed Apr 24 21:44:23 2024 +0700

    octeontx2-af: avoid off-by-one read from userspace

    We try to access count + 1 byte from userspace with memdup_user(buffer,
    count + 1). However, the userspace only provides buffer of count bytes and
    only these count bytes are verified to be okay to access. To ensure the
    copied buffer is NUL terminated, we use memdup_user_nul instead.

    Fixes: 3a2eb515d136 ("octeontx2-af: Fix an off by one in rvu_dbg_qsize_write()")
    Signed-off-by: Bui Quang Minh <minhquangbui99@gmail.com>
    Link: https://lore.kernel.org/r/20240424-fix-oob-read-v2-6-f1f1b53a10f4@gmail.com
    Signed-off-by: Jakub Kicinski <kuba@kernel.org>

Signed-off-by: Kamal Heib <kheib@redhat.com>
---
 drivers/net/ethernet/marvell/octeontx2/af/rvu_debugfs.c | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/drivers/net/ethernet/marvell/octeontx2/af/rvu_debugfs.c b/drivers/net/ethernet/marvell/octeontx2/af/rvu_debugfs.c
index 9533b1d92960..803039bef684 100644
--- a/drivers/net/ethernet/marvell/octeontx2/af/rvu_debugfs.c
+++ b/drivers/net/ethernet/marvell/octeontx2/af/rvu_debugfs.c
@@ -999,12 +999,10 @@ static ssize_t rvu_dbg_qsize_write(struct file *filp,
 	u16 pcifunc;
 	int ret, lf;
 
-	cmd_buf = memdup_user(buffer, count + 1);
+	cmd_buf = memdup_user_nul(buffer, count);
 	if (IS_ERR(cmd_buf))
 		return -ENOMEM;
 
-	cmd_buf[count] = '\0';
-
 	cmd_buf_tmp = strchr(cmd_buf, '\n');
 	if (cmd_buf_tmp) {
 		*cmd_buf_tmp = '\0';