From: Oleksandr Natalenko <oleksandr@redhat.com>
To: "linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>
Cc: David Laight <David.Laight@aculab.com>,
"linux-scsi@vger.kernel.org" <linux-scsi@vger.kernel.org>,
Saurav Kashyap <skashyap@marvell.com>,
Johannes Thumshirn <Johannes.Thumshirn@wdc.com>,
"GR-QLogic-Storage-Upstream@marvell.com"
<GR-QLogic-Storage-Upstream@marvell.com>,
"James E.J. Bottomley" <jejb@linux.ibm.com>,
"Martin K. Petersen" <martin.petersen@oracle.com>,
Jozef Bacik <jobacik@redhat.com>,
Laurence Oberman <loberman@redhat.com>,
Rob Evers <revers@redhat.com>
Subject: Re: [PATCH 1/3] scsi: qedf: do not touch __user pointer in qedf_dbg_stop_io_on_error_cmd_read() directly
Date: Mon, 31 Jul 2023 10:01:46 +0200 [thread overview]
Message-ID: <2690368.mvXUDI8C0e@redhat.com> (raw)
In-Reply-To: <314512939ebd44508b767d799e7c30af@AcuMS.aculab.com>
[-- Attachment #1: Type: text/plain, Size: 2236 bytes --]
Hello.
On pátek 28. července 2023 17:23:25 CEST David Laight wrote:
> From: Oleksandr Natalenko
> > Sent: 28 July 2023 07:58
> >
> > The qedf_dbg_stop_io_on_error_cmd_read() function invokes sprintf()
> > directly on a __user pointer, which may crash the kernel.
> >
> > Avoid doing that by using a small on-stack buffer for sprintf()
> > and then calling simple_read_from_buffer() which does a proper
> > copy_to_user() call.
> >
> > Fixes: 61d8658b4a ("scsi: qedf: Add QLogic FastLinQ offload FCoE driver framework.")
> ...
> > diff --git a/drivers/scsi/qedf/qedf_debugfs.c b/drivers/scsi/qedf/qedf_debugfs.c
> > index a3ed681c8ce3f..4d1b99569d490 100644
> > --- a/drivers/scsi/qedf/qedf_debugfs.c
> > +++ b/drivers/scsi/qedf/qedf_debugfs.c
> > @@ -185,18 +185,17 @@ qedf_dbg_stop_io_on_error_cmd_read(struct file *filp, char __user *buffer,
> > size_t count, loff_t *ppos)
> > {
> > int cnt;
> > + char cbuf[7];
> > struct qedf_dbg_ctx *qedf_dbg =
> > (struct qedf_dbg_ctx *)filp->private_data;
> > struct qedf_ctx *qedf = container_of(qedf_dbg,
> > struct qedf_ctx, dbg_ctx);
> >
> > QEDF_INFO(qedf_dbg, QEDF_LOG_DEBUGFS, "entered\n");
> > - cnt = sprintf(buffer, "%s\n",
> > + cnt = sprintf(cbuf, "%s\n",
> > qedf->stop_io_on_error ? "true" : "false");
>
> You've made cbuf[] exactly just big enough.
> If anyone breathes on this code it could overflow.
> You really should use scnprintf() for safety.
OK, I'll do scnprintf(cbuf, sizeof(cbuf), ...) in the next version of the submission.
Thanks.
> >
> > - cnt = min_t(int, count, cnt - *ppos);
> > - *ppos += cnt;
> > - return cnt;
> > + return simple_read_from_buffer(buffer, count, ppos, cbuf, cnt);
>
> Or just:
> if (gedf->stop_on_error)
> return simple_read_from_buffer(buffer, count, ppos, "true\n", 5);
> return simple_read_from_buffer(buffer, count, ppos, "false\n", 6);
>
> David
>
>
> > }
> >
> > static ssize_t
> > --
> > 2.41.0
>
> -
> Registered Address Lakeside, Bramley Road, Mount Farm, Milton Keynes, MK1 1PT, UK
> Registration No: 1397386 (Wales)
>
>
--
Oleksandr Natalenko (post-factum)
Principal Software Maintenance Engineer
[-- Attachment #2: This is a digitally signed message part. --]
[-- Type: application/pgp-signature, Size: 833 bytes --]
next prev parent reply other threads:[~2023-07-31 8:03 UTC|newest]
Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-07-28 6:58 [PATCH 0/3] scsi: qedf: sanitise uaccess Oleksandr Natalenko
2023-07-28 6:58 ` [PATCH 1/3] scsi: qedf: do not touch __user pointer in qedf_dbg_stop_io_on_error_cmd_read() directly Oleksandr Natalenko
2023-07-28 15:23 ` David Laight
2023-07-31 8:01 ` Oleksandr Natalenko [this message]
2023-07-28 6:58 ` [PATCH 2/3] scsi: qedf: do not touch __user pointer in qedf_dbg_debug_cmd_read() directly Oleksandr Natalenko
2023-07-28 15:26 ` David Laight
2023-07-31 8:11 ` Oleksandr Natalenko
2023-07-28 6:58 ` [PATCH 3/3] scsi: qedf: do not touch __user pointer in qedf_dbg_fp_int_cmd_read() directly Oleksandr Natalenko
2023-07-28 7:05 ` [PATCH 0/3] scsi: qedf: sanitise uaccess Oleksandr Natalenko
2023-07-28 7:26 ` [EXT] " Saurav Kashyap
2023-07-28 8:37 ` Johannes Thumshirn
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=2690368.mvXUDI8C0e@redhat.com \
--to=oleksandr@redhat.com \
--cc=David.Laight@aculab.com \
--cc=GR-QLogic-Storage-Upstream@marvell.com \
--cc=Johannes.Thumshirn@wdc.com \
--cc=jejb@linux.ibm.com \
--cc=jobacik@redhat.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-scsi@vger.kernel.org \
--cc=loberman@redhat.com \
--cc=martin.petersen@oracle.com \
--cc=revers@redhat.com \
--cc=skashyap@marvell.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.