Gitiles
Code Review Sign In
LeafOS / LeafOS-Devices / android_kernel_samsung_gta4xl / 2461969d18d1b3a8ca40c5203819221813d2fa47
commit2461969d18d1b3a8ca40c5203819221813d2fa47[log] [tgz]
authorBui Quang Minh <minhquangbui99@gmail.com>Wed Apr 24 21:44:20 2024 +0700
committerVegard Nossum <vegard.nossum@oracle.com>Mon Jul 08 08:14:57 2024 +0000
tree435deca625d8099d60b23c0582272a8941ee3cc4
parent3d986276f8b5fa0dc170e1b35f0659b9ba4b2cd0 [diff]
scsi: bfa: Ensure the copied buf is NUL terminated

[ Upstream commit 13d0cecb4626fae67c00c84d3c7851f6b62f7df3 ]

Currently, we allocate a nbytes-sized kernel buffer and copy nbytes from
userspace to that buffer. Later, we use sscanf on this buffer but we don't
ensure that the string is terminated inside the buffer, this can lead to
OOB read when using sscanf. Fix this issue by using memdup_user_nul instead
of memdup_user.

Fixes: 9f30b674759b ("bfa: replace 2 kzalloc/copy_from_user by memdup_user")
Signed-off-by: Bui Quang Minh <minhquangbui99@gmail.com>
Link: https://lore.kernel.org/r/20240424-fix-oob-read-v2-3-f1f1b53a10f4@gmail.com
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
(cherry picked from commit 481fc0c8617304a67649027c4a44723a139a0462)
Signed-off-by: Vegard Nossum <vegard.nossum@oracle.com>
1 file changed
tree: 435deca625d8099d60b23c0582272a8941ee3cc4
  1. .elts/
  2. arch/
  3. block/
  4. certs/
  5. crypto/
  6. Documentation/
  7. drivers/
  8. firmware/
  9. fs/
  10. include/
  11. init/
  12. ipc/
  13. kernel/
  14. lib/
  15. mm/
  16. net/
  17. samples/
  18. scripts/
  19. security/
  20. sound/
  21. tools/
  22. usr/
  23. virt/
  24. .cocciconfig
  25. .get_maintainer.ignore
  26. .gitattributes
  27. .gitignore
  28. .mailmap
  29. COPYING
  30. CREDITS
  31. Kbuild
  32. Kconfig
  33. MAINTAINERS
  34. Makefile
  35. README