From: Justin Tee <justintee8345@gmail.com>
To: linux-scsi@vger.kernel.org
Cc: jsmart2021@gmail.com, justin.tee@broadcom.com,
Justin Tee <justintee8345@gmail.com>
Subject: [PATCH 01/10] lpfc: Protect against potential lpfc_debugfs_lockstat_write buffer overflow
Date: Wed, 1 Mar 2023 15:16:17 -0800 [thread overview]
Message-ID: <20230301231626.9621-2-justintee8345@gmail.com> (raw)
In-Reply-To: <20230301231626.9621-1-justintee8345@gmail.com>
A static code analysis tool flagged the possibility of buffer overflow when
using copy_from_user for a debugfs entry.
Currently, it is possible that copy_from_user copies more bytes than what
would fit in the mybuf char array. Add a min restriction check between
sizeof(mybuf) - 1 and nbytes passed from the userspace buffer to protect
against buffer overflow.
Signed-off-by: Justin Tee <justin.tee@broadcom.com>
---
drivers/scsi/lpfc/lpfc_debugfs.c | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/drivers/scsi/lpfc/lpfc_debugfs.c b/drivers/scsi/lpfc/lpfc_debugfs.c
index f5252e45a48a..3e365e5e194a 100644
--- a/drivers/scsi/lpfc/lpfc_debugfs.c
+++ b/drivers/scsi/lpfc/lpfc_debugfs.c
@@ -2157,10 +2157,13 @@ lpfc_debugfs_lockstat_write(struct file *file, const char __user *buf,
char mybuf[64];
char *pbuf;
int i;
+ size_t bsize;
memset(mybuf, 0, sizeof(mybuf));
- if (copy_from_user(mybuf, buf, nbytes))
+ bsize = min(nbytes, (sizeof(mybuf) - 1));
+
+ if (copy_from_user(mybuf, buf, bsize))
return -EFAULT;
pbuf = &mybuf[0];
@@ -2181,7 +2184,7 @@ lpfc_debugfs_lockstat_write(struct file *file, const char __user *buf,
qp->lock_conflict.wq_access = 0;
}
}
- return nbytes;
+ return bsize;
}
#endif
--
2.38.0
next prev parent reply other threads:[~2023-03-01 23:07 UTC|newest]
Thread overview: 13+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-03-01 23:16 [PATCH 00/10] lpfc: Update lpfc to revision 14.2.0.11 Justin Tee
2023-03-01 23:16 ` Justin Tee [this message]
2023-03-01 23:16 ` [PATCH 02/10] lpfc: Reorder freeing of various dma buffers and their list removal Justin Tee
2023-03-01 23:16 ` [PATCH 03/10] lpfc: Fix lockdep warning for rx_monitor lock when unloading driver Justin Tee
2023-03-01 23:16 ` [PATCH 04/10] lpfc: Record LOGO state with discovery engine even if aborted Justin Tee
2023-03-01 23:16 ` [PATCH 05/10] lpfc: Defer issuing new PLOGI if received RSCN before completing REG_LOGIN Justin Tee
2023-03-01 23:16 ` [PATCH 06/10] lpfc: Correct used_rpi count when devloss tmo fires with no recovery Justin Tee
2023-03-01 23:16 ` [PATCH 07/10] lpfc: Skip waiting for register ready bits when in unrecoverable state Justin Tee
2023-03-01 23:16 ` [PATCH 08/10] lpfc: Revise lpfc_error_lost_link reason code evaluation logic Justin Tee
2023-03-01 23:16 ` [PATCH 09/10] lpfc: Update lpfc version to 14.2.0.11 Justin Tee
2023-03-01 23:16 ` [PATCH 10/10] lpfc: Copyright updates for 14.2.0.11 patches Justin Tee
2023-03-07 3:04 ` [PATCH 00/10] lpfc: Update lpfc to revision 14.2.0.11 Martin K. Petersen
2023-03-10 3:14 ` Martin K. Petersen
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20230301231626.9621-2-justintee8345@gmail.com \
--to=justintee8345@gmail.com \
--cc=jsmart2021@gmail.com \
--cc=justin.tee@broadcom.com \
--cc=linux-scsi@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox