Merge: octeontx2-af: avoid off-by-one read from userspace

MR: https://gitlab.com/redhat/centos-stream/src/kernel/centos-stream-9/-/merge_requests/4453

JIRA: https://issues.redhat.com/browse/RHEL-39873  
CVE: CVE-2024-36957  
  
commit f299ee709fb45036454ca11e90cb2810fe771878  
Author: Bui Quang Minh <minhquangbui99@gmail.com>  
Date:   Wed Apr 24 21:44:23 2024 +0700  
  
    octeontx2-af: avoid off-by-one read from userspace  
  
    We try to access count + 1 byte from userspace with memdup_user(buffer,  
    count + 1). However, the userspace only provides buffer of count bytes and  
    only these count bytes are verified to be okay to access. To ensure the  
    copied buffer is NUL terminated, we use memdup_user_nul instead.  
  
    Fixes: 3a2eb515d1 ("octeontx2-af: Fix an off by one in rvu_dbg_qsize_write()")  
    Signed-off-by: Bui Quang Minh <minhquangbui99@gmail.com>  
    Link: https://lore.kernel.org/r/20240424-fix-oob-read-v2-6-f1f1b53a10f4@gmail.com  
    Signed-off-by: Jakub Kicinski <kuba@kernel.org>  
  
Signed-off-by: Kamal Heib <kheib@redhat.com>

Approved-by: José Ignacio Tornos Martínez <jtornosm@redhat.com>
Approved-by: Chris von Recklinghausen <crecklin@redhat.com>
Approved-by: CKI KWF Bot <cki-ci-bot+kwf-gitlab-com@redhat.com>

Merged-by: Lucas Zampieri <lzampier@redhat.com>
Lucas Zampieri 2024-06-17 13:08:39 +00:00
commit 3b65e3ea1b
1 changed files with 1 additions and 3 deletions

@ -999,12 +999,10 @@ static ssize_t rvu_dbg_qsize_write(struct file *filp,
u16 pcifunc;
int ret, lf;
cmd_buf = memdup_user(buffer, count + 1);
cmd_buf = memdup_user_nul(buffer, count);
if (IS_ERR(cmd_buf))
return -ENOMEM;
cmd_buf[count] = '\0';
cmd_buf_tmp = strchr(cmd_buf, '\n');
if (cmd_buf_tmp) {
*cmd_buf_tmp = '\0';
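
Review bot: the error path directly after the allocation, `if (IS_ERR(cmd_buf)) return -ENOMEM;`, reports every failure as out-of-memory. memdup_user_nul() returns ERR_PTR(-EFAULT) when the copy from userspace fails, so a bad user pointer reaches the caller as -ENOMEM. Returning `PTR_ERR(cmd_buf)` instead would propagate the real cause. The replacement call itself looks correct: memdup_user_nul(buffer, count) reads only the count bytes the caller supplied and NUL-terminates the copy, which is why the explicit `cmd_buf[count] = '\0';` is no longer needed.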