From: Dan Carpenter <dan.carpenter@linaro.org>
To: Wenchao Hao <haowenchao2@huawei.com>
Cc: Eugeniy Paltsev <Eugeniy.Paltsev@synopsys.com>,
Vinod Koul <vkoul@kernel.org>,
"James E.J. Bottomley" <jejb@linux.ibm.com>,
"Martin K. Petersen" <martin.petersen@oracle.com>,
Douglas Gilbert <dgilbert@interlog.com>,
dmaengine@vger.kernel.org, linux-scsi@vger.kernel.org,
kernel-janitors@vger.kernel.org
Subject: [PATCH 1/2] scsi: scsi_debug: fix some bugs in sdebug_error_write()
Date: Fri, 20 Oct 2023 17:15:12 +0300 [thread overview]
Message-ID: <96d50cf7-afec-46af-9d98-08099f8dc76e@moroto.mountain> (raw)
There are two bug in this code:
1) If count is zero, then it will lead to a NULL dereference. The
kmalloc() will successfully allocate zero bytes and the test for
"if (buf[0] == '-')" will read beyond the end of the zero size buffer
and Oops.
2) The code does not ensure that the user's string is properly NUL
terminated which could lead to a read overflow.
Fortunately, this is debugfs code and only root can write to it so
the security impact of these bugs is negligable.
Fixes: a9996d722b11 ("scsi: scsi_debug: Add interface to manage error injection for a single device")
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
---
drivers/scsi/scsi_debug.c | 11 +++--------
1 file changed, 3 insertions(+), 8 deletions(-)
diff --git a/drivers/scsi/scsi_debug.c b/drivers/scsi/scsi_debug.c
index 67922e2c4c19..0a4e41d84df8 100644
--- a/drivers/scsi/scsi_debug.c
+++ b/drivers/scsi/scsi_debug.c
@@ -1019,14 +1019,9 @@ static ssize_t sdebug_error_write(struct file *file, const char __user *ubuf,
struct sdebug_err_inject *inject;
struct scsi_device *sdev = (struct scsi_device *)file->f_inode->i_private;
- buf = kmalloc(count, GFP_KERNEL);
- if (!buf)
- return -ENOMEM;
-
- if (copy_from_user(buf, ubuf, count)) {
- kfree(buf);
- return -EFAULT;
- }
+ buf = strndup_user(ubuf, count + 1);
+ if (IS_ERR(buf))
+ return PTR_ERR(buf);
if (buf[0] == '-')
return sdebug_err_remove(sdev, buf, count);
--
2.42.0
next reply other threads:[~2023-10-20 14:15 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-10-20 14:15 Dan Carpenter [this message]
2023-10-21 10:10 ` [PATCH 1/2] scsi: scsi_debug: fix some bugs in sdebug_error_write() Wenchao Hao
2023-10-23 13:39 ` Dan Carpenter
2023-10-24 17:09 ` Wenchao Hao
2023-10-25 4:11 ` Dan Carpenter
2023-10-25 6:10 ` Wenchao Hao
2023-10-25 7:07 ` Dan Carpenter
2023-11-03 18:00 ` Wenchao Hao
2023-11-03 18:13 ` Wenchao Hao
2023-11-06 13:44 ` Dan Carpenter
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=96d50cf7-afec-46af-9d98-08099f8dc76e@moroto.mountain \
--to=dan.carpenter@linaro.org \
--cc=Eugeniy.Paltsev@synopsys.com \
--cc=dgilbert@interlog.com \
--cc=dmaengine@vger.kernel.org \
--cc=haowenchao2@huawei.com \
--cc=jejb@linux.ibm.com \
--cc=kernel-janitors@vger.kernel.org \
--cc=linux-scsi@vger.kernel.org \
--cc=martin.petersen@oracle.com \
--cc=vkoul@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox