[PATCH 0/3] scsi: qedf: sanitise uaccess

[PATCH 0/3] scsi: qedf: sanitise uaccess

[Oleksandr Natalenko]

qedf driver, debugfs part of it specifically, touches __user pointers
directly for printing out info to userspace via sprintf(), which may
cause crash like this:

BUG: unable to handle kernel paging request at 00007ffd1d6b43a0
IP: [<ffffffffaa7a882a>] string.isra.7+0x6a/0xf0
Oops: 0003 [#1] SMP
Call Trace:
 [<ffffffffaa7a9f31>] vsnprintf+0x201/0x6a0
 [<ffffffffaa7aa556>] sprintf+0x56/0x80
 [<ffffffffc04227ed>] qedf_dbg_stop_io_on_error_cmd_read+0x6d/0x90 [qedf]
 [<ffffffffaa65bb2f>] vfs_read+0x9f/0x170
 [<ffffffffaa65cb82>] SyS_pread64+0x92/0xc0

Avoid this by preparing the info in a kernel buffer first, either
allocated on stack for small printouts, or via vmalloc() for big ones,
and then copying it to the userspace properly.

Previous submission is an RFC: [1]. There are no code changes since
then. The RFC prefix is dropped. The Tested-by tag from Laurence is
added.

There's similar submission from Saurav [2], but we agreed I could nack
it and proceed with my one.

[1] https://lore.kernel.org/linux-scsi/20230724120241.40495-1-oleksandr@redhat.com/
[2] https://lore.kernel.org/linux-scsi/20230726101236.11922-1-skashyap@marvell.com/

Oleksandr Natalenko (3):
  scsi: qedf: do not touch __user pointer in
    qedf_dbg_stop_io_on_error_cmd_read() directly
  scsi: qedf: do not touch __user pointer in qedf_dbg_debug_cmd_read()
    directly
  scsi: qedf: do not touch __user pointer in qedf_dbg_fp_int_cmd_read()
    directly

 drivers/scsi/qedf/qedf_dbg.h     |  2 ++
 drivers/scsi/qedf/qedf_debugfs.c | 35 +++++++++++++++++++-------------
 2 files changed, 23 insertions(+), 14 deletions(-)

-- 
2.41.0

[PATCH 1/3] scsi: qedf: do not touch __user pointer in qedf_dbg_stop_io_on_error_cmd_read() directly

[Oleksandr Natalenko]

The qedf_dbg_stop_io_on_error_cmd_read() function invokes sprintf()
directly on a __user pointer, which may crash the kernel.

Avoid doing that by using a small on-stack buffer for sprintf()
and then calling simple_read_from_buffer() which does a proper
copy_to_user() call.

Fixes: 61d8658b4a ("scsi: qedf: Add QLogic FastLinQ offload FCoE driver framework.")
Link: https://lore.kernel.org/lkml/20230724120241.40495-1-oleksandr@redhat.com/
Link: https://lore.kernel.org/linux-scsi/20230726101236.11922-1-skashyap@marvell.com/
Cc: Saurav Kashyap <skashyap@marvell.com>
Cc: Rob Evers <revers@redhat.com>
Cc: Johannes Thumshirn <Johannes.Thumshirn@wdc.com>
Cc: Jozef Bacik <jobacik@redhat.com>
Cc: Laurence Oberman <loberman@redhat.com>
Cc: "James E.J. Bottomley" <jejb@linux.ibm.com>
Cc: "Martin K. Petersen" <martin.petersen@oracle.com>
Cc: GR-QLogic-Storage-Upstream@marvell.com
Cc: linux-scsi@vger.kernel.org
Tested-by: Laurence Oberman <loberman@redhat.com>
Signed-off-by: Oleksandr Natalenko <oleksandr@redhat.com>
---
 drivers/scsi/qedf/qedf_debugfs.c | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/drivers/scsi/qedf/qedf_debugfs.c b/drivers/scsi/qedf/qedf_debugfs.c
index a3ed681c8ce3f..4d1b99569d490 100644
--- a/drivers/scsi/qedf/qedf_debugfs.c
+++ b/drivers/scsi/qedf/qedf_debugfs.c
@@ -185,18 +185,17 @@ qedf_dbg_stop_io_on_error_cmd_read(struct file *filp, char __user *buffer,
 				   size_t count, loff_t *ppos)
 {
 	int cnt;
+	char cbuf[7];
 	struct qedf_dbg_ctx *qedf_dbg =
 				(struct qedf_dbg_ctx *)filp->private_data;
 	struct qedf_ctx *qedf = container_of(qedf_dbg,
 	    struct qedf_ctx, dbg_ctx);
 
 	QEDF_INFO(qedf_dbg, QEDF_LOG_DEBUGFS, "entered\n");
-	cnt = sprintf(buffer, "%s\n",
+	cnt = sprintf(cbuf, "%s\n",
 	    qedf->stop_io_on_error ? "true" : "false");
 
-	cnt = min_t(int, count, cnt - *ppos);
-	*ppos += cnt;
-	return cnt;
+	return simple_read_from_buffer(buffer, count, ppos, cbuf, cnt);
 }
 
 static ssize_t
-- 
2.41.0

[PATCH 2/3] scsi: qedf: do not touch __user pointer in qedf_dbg_debug_cmd_read() directly

[Oleksandr Natalenko]

The qedf_dbg_debug_cmd_read() function invokes sprintf()
directly on a __user pointer, which may crash the kernel.

Avoid doing that by using a small on-stack buffer for sprintf()
and then calling simple_read_from_buffer() which does a proper
copy_to_user() call.

Fixes: 61d8658b4a ("scsi: qedf: Add QLogic FastLinQ offload FCoE driver framework.")
Link: https://lore.kernel.org/lkml/20230724120241.40495-1-oleksandr@redhat.com/
Link: https://lore.kernel.org/linux-scsi/20230726101236.11922-1-skashyap@marvell.com/
Cc: Saurav Kashyap <skashyap@marvell.com>
Cc: Rob Evers <revers@redhat.com>
Cc: Johannes Thumshirn <Johannes.Thumshirn@wdc.com>
Cc: Jozef Bacik <jobacik@redhat.com>
Cc: Laurence Oberman <loberman@redhat.com>
Cc: "James E.J. Bottomley" <jejb@linux.ibm.com>
Cc: "Martin K. Petersen" <martin.petersen@oracle.com>
Cc: GR-QLogic-Storage-Upstream@marvell.com
Cc: linux-scsi@vger.kernel.org
Tested-by: Laurence Oberman <loberman@redhat.com>
Signed-off-by: Oleksandr Natalenko <oleksandr@redhat.com>
---
 drivers/scsi/qedf/qedf_debugfs.c | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/drivers/scsi/qedf/qedf_debugfs.c b/drivers/scsi/qedf/qedf_debugfs.c
index 4d1b99569d490..f910af0029a2c 100644
--- a/drivers/scsi/qedf/qedf_debugfs.c
+++ b/drivers/scsi/qedf/qedf_debugfs.c
@@ -138,15 +138,14 @@ qedf_dbg_debug_cmd_read(struct file *filp, char __user *buffer, size_t count,
 			loff_t *ppos)
 {
 	int cnt;
+	char cbuf[35];
 	struct qedf_dbg_ctx *qedf_dbg =
 				(struct qedf_dbg_ctx *)filp->private_data;
 
 	QEDF_INFO(qedf_dbg, QEDF_LOG_DEBUGFS, "debug mask=0x%x\n", qedf_debug);
-	cnt = sprintf(buffer, "debug mask = 0x%x\n", qedf_debug);
+	cnt = sprintf(cbuf, "debug mask = 0x%x\n", qedf_debug);
 
-	cnt = min_t(int, count, cnt - *ppos);
-	*ppos += cnt;
-	return cnt;
+	return simple_read_from_buffer(buffer, count, ppos, cbuf, cnt);
 }
 
 static ssize_t
-- 
2.41.0

[PATCH 3/3] scsi: qedf: do not touch __user pointer in qedf_dbg_fp_int_cmd_read() directly

[Oleksandr Natalenko]

The qedf_dbg_fp_int_cmd_read() function invokes sprintf()
directly on a __user pointer, which may crash the kernel.

Avoid doing that by vmalloc()'ating a buffer for scnprintf()
and then calling simple_read_from_buffer() which does a proper
copy_to_user() call.

Fixes: 61d8658b4a ("scsi: qedf: Add QLogic FastLinQ offload FCoE driver framework.")
Link: https://lore.kernel.org/lkml/20230724120241.40495-1-oleksandr@redhat.com/
Link: https://lore.kernel.org/linux-scsi/20230726101236.11922-1-skashyap@marvell.com/
Cc: Saurav Kashyap <skashyap@marvell.com>
Cc: Rob Evers <revers@redhat.com>
Cc: Johannes Thumshirn <Johannes.Thumshirn@wdc.com>
Cc: Jozef Bacik <jobacik@redhat.com>
Cc: Laurence Oberman <loberman@redhat.com>
Cc: "James E.J. Bottomley" <jejb@linux.ibm.com>
Cc: "Martin K. Petersen" <martin.petersen@oracle.com>
Cc: GR-QLogic-Storage-Upstream@marvell.com
Cc: linux-scsi@vger.kernel.org
Tested-by: Laurence Oberman <loberman@redhat.com>
Signed-off-by: Oleksandr Natalenko <oleksandr@redhat.com>
---
 drivers/scsi/qedf/qedf_dbg.h     |  2 ++
 drivers/scsi/qedf/qedf_debugfs.c | 21 +++++++++++++++------
 2 files changed, 17 insertions(+), 6 deletions(-)

diff --git a/drivers/scsi/qedf/qedf_dbg.h b/drivers/scsi/qedf/qedf_dbg.h
index f4d81127239eb..5ec2b817c694a 100644
--- a/drivers/scsi/qedf/qedf_dbg.h
+++ b/drivers/scsi/qedf/qedf_dbg.h
@@ -59,6 +59,8 @@ extern uint qedf_debug;
 #define QEDF_LOG_NOTICE	0x40000000	/* Notice logs */
 #define QEDF_LOG_WARN		0x80000000	/* Warning logs */
 
+#define QEDF_DEBUGFS_LOG_LEN (2 * PAGE_SIZE)
+
 /* Debug context structure */
 struct qedf_dbg_ctx {
 	unsigned int host_no;
diff --git a/drivers/scsi/qedf/qedf_debugfs.c b/drivers/scsi/qedf/qedf_debugfs.c
index f910af0029a2c..6db996b73fe39 100644
--- a/drivers/scsi/qedf/qedf_debugfs.c
+++ b/drivers/scsi/qedf/qedf_debugfs.c
@@ -8,6 +8,7 @@
 #include <linux/uaccess.h>
 #include <linux/debugfs.h>
 #include <linux/module.h>
+#include <linux/vmalloc.h>
 
 #include "qedf.h"
 #include "qedf_dbg.h"
@@ -98,7 +99,9 @@ static ssize_t
 qedf_dbg_fp_int_cmd_read(struct file *filp, char __user *buffer, size_t count,
 			 loff_t *ppos)
 {
+	ssize_t ret;
 	size_t cnt = 0;
+	char *cbuf;
 	int id;
 	struct qedf_fastpath *fp = NULL;
 	struct qedf_dbg_ctx *qedf_dbg =
@@ -108,19 +111,25 @@ qedf_dbg_fp_int_cmd_read(struct file *filp, char __user *buffer, size_t count,
 
 	QEDF_INFO(qedf_dbg, QEDF_LOG_DEBUGFS, "entered\n");
 
-	cnt = sprintf(buffer, "\nFastpath I/O completions\n\n");
+	cbuf = vmalloc(QEDF_DEBUGFS_LOG_LEN);
+	if (!cbuf)
+		return 0;
+
+	cnt += scnprintf(cbuf + cnt, QEDF_DEBUGFS_LOG_LEN - cnt, "\nFastpath I/O completions\n\n");
 
 	for (id = 0; id < qedf->num_queues; id++) {
 		fp = &(qedf->fp_array[id]);
 		if (fp->sb_id == QEDF_SB_ID_NULL)
 			continue;
-		cnt += sprintf((buffer + cnt), "#%d: %lu\n", id,
-			       fp->completions);
+		cnt += scnprintf(cbuf + cnt, QEDF_DEBUGFS_LOG_LEN - cnt,
+				 "#%d: %lu\n", id, fp->completions);
 	}
 
-	cnt = min_t(int, count, cnt - *ppos);
-	*ppos += cnt;
-	return cnt;
+	ret = simple_read_from_buffer(buffer, count, ppos, cbuf, cnt);
+
+	vfree(cbuf);
+
+	return ret;
 }
 
 static ssize_t
-- 
2.41.0

Re: [PATCH 0/3] scsi: qedf: sanitise uaccess

[Oleksandr Natalenko]

[-- Attachment #1: Type: text/plain, Size: 2193 bytes --]

On pátek 28. července 2023 8:58:16 CEST Oleksandr Natalenko wrote:
> qedf driver, debugfs part of it specifically, touches __user pointers
> directly for printing out info to userspace via sprintf(), which may
> cause crash like this:
> 
> BUG: unable to handle kernel paging request at 00007ffd1d6b43a0
> IP: [<ffffffffaa7a882a>] string.isra.7+0x6a/0xf0
> Oops: 0003 [#1] SMP
> Call Trace:
>  [<ffffffffaa7a9f31>] vsnprintf+0x201/0x6a0
>  [<ffffffffaa7aa556>] sprintf+0x56/0x80
>  [<ffffffffc04227ed>] qedf_dbg_stop_io_on_error_cmd_read+0x6d/0x90 [qedf]
>  [<ffffffffaa65bb2f>] vfs_read+0x9f/0x170
>  [<ffffffffaa65cb82>] SyS_pread64+0x92/0xc0
> 
> Avoid this by preparing the info in a kernel buffer first, either
> allocated on stack for small printouts, or via vmalloc() for big ones,
> and then copying it to the userspace properly.
> 
> Previous submission is an RFC: [1]. There are no code changes since
> then. The RFC prefix is dropped. The Tested-by tag from Laurence is
> added.
> 
> There's similar submission from Saurav [2], but we agreed I could nack
> it and proceed with my one.
> 
> [1] https://lore.kernel.org/linux-scsi/20230724120241.40495-1-oleksandr@redhat.com/
> [2] https://lore.kernel.org/linux-scsi/20230726101236.11922-1-skashyap@marvell.com/
> 
> Oleksandr Natalenko (3):
>   scsi: qedf: do not touch __user pointer in
>     qedf_dbg_stop_io_on_error_cmd_read() directly
>   scsi: qedf: do not touch __user pointer in qedf_dbg_debug_cmd_read()
>     directly
>   scsi: qedf: do not touch __user pointer in qedf_dbg_fp_int_cmd_read()
>     directly
> 
>  drivers/scsi/qedf/qedf_dbg.h     |  2 ++
>  drivers/scsi/qedf/qedf_debugfs.c | 35 +++++++++++++++++++-------------
>  2 files changed, 23 insertions(+), 14 deletions(-)
> 
> 

Oops, I forgot to add:

Reviewed-by: Laurence Oberman <loberman@redhat.com>

as per [1].

My ask to the maintainer to add it if the submission is accepted, or let me know if I should do a v2 instead.

[1] https://lore.kernel.org/linux-scsi/4f35b02968a18e636e1689c9d52729ef63a438f9.camel@redhat.com/

-- 
Oleksandr Natalenko (post-factum)
Principal Software Maintenance Engineer

[-- Attachment #2: This is a digitally signed message part. --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

RE: [EXT] [PATCH 0/3] scsi: qedf: sanitise uaccess

[Saurav Kashyap]

Acked-by: Saurav Kashyap <skashyap@marvell.com> for full series.

> -----Original Message-----
> From: Oleksandr Natalenko <oleksandr@redhat.com>
> Sent: Friday, July 28, 2023 12:28 PM
> To: linux-kernel@vger.kernel.org
> Cc: linux-scsi@vger.kernel.org; Saurav Kashyap <skashyap@marvell.com>;
> Johannes Thumshirn <Johannes.Thumshirn@wdc.com>; GR-QLogic-Storage-
> Upstream <GR-QLogic-Storage-Upstream@marvell.com>; James E.J. Bottomley
> <jejb@linux.ibm.com>; Martin K. Petersen <martin.petersen@oracle.com>;
> Jozef Bacik <jobacik@redhat.com>; Laurence Oberman
> <loberman@redhat.com>; Rob Evers <revers@redhat.com>
> Subject: [EXT] [PATCH 0/3] scsi: qedf: sanitise uaccess
> 
> External Email
> 
> ----------------------------------------------------------------------
> qedf driver, debugfs part of it specifically, touches __user pointers
> directly for printing out info to userspace via sprintf(), which may
> cause crash like this:
> 
> BUG: unable to handle kernel paging request at 00007ffd1d6b43a0
> IP: [<ffffffffaa7a882a>] string.isra.7+0x6a/0xf0
> Oops: 0003 [#1] SMP
> Call Trace:
>  [<ffffffffaa7a9f31>] vsnprintf+0x201/0x6a0
>  [<ffffffffaa7aa556>] sprintf+0x56/0x80
>  [<ffffffffc04227ed>] qedf_dbg_stop_io_on_error_cmd_read+0x6d/0x90
> [qedf]
>  [<ffffffffaa65bb2f>] vfs_read+0x9f/0x170
>  [<ffffffffaa65cb82>] SyS_pread64+0x92/0xc0
> 
> Avoid this by preparing the info in a kernel buffer first, either
> allocated on stack for small printouts, or via vmalloc() for big ones,
> and then copying it to the userspace properly.
> 
> Previous submission is an RFC: [1]. There are no code changes since
> then. The RFC prefix is dropped. The Tested-by tag from Laurence is
> added.
> 
> There's similar submission from Saurav [2], but we agreed I could nack
> it and proceed with my one.
> 
> [1] https://urldefense.proofpoint.com/v2/url?u=https-
> 3A__lore.kernel.org_linux-2Dscsi_20230724120241.40495-2D1-2Doleksandr-
> 40redhat.com_&d=DwIDAg&c=nKjWec2b6R0mOyPaz7xtfQ&r=ZHZbmY_LbM3
> DUZK_BDO1OITP3ot_Vkb_5w-
> gas5TBMQ&m=I6CdYJNbvw1q9OWTYmMTCWzCcXFG7MelqlMZ_DmhEMDeW
> ViVj2b3_EadDZUUdzNT&s=joHzWsadjq2HUMSxGvJZMkLQULriRotQk2RYPgDW
> pWc&e=
> [2] https://urldefense.proofpoint.com/v2/url?u=https-
> 3A__lore.kernel.org_linux-2Dscsi_20230726101236.11922-2D1-2Dskashyap-
> 40marvell.com_&d=DwIDAg&c=nKjWec2b6R0mOyPaz7xtfQ&r=ZHZbmY_LbM
> 3DUZK_BDO1OITP3ot_Vkb_5w-
> gas5TBMQ&m=I6CdYJNbvw1q9OWTYmMTCWzCcXFG7MelqlMZ_DmhEMDeW
> ViVj2b3_EadDZUUdzNT&s=q2LVoTVsEfj1rCnih48VaDUxOCOobRLhIaTatga1qm
> Q&e=
> 
> Oleksandr Natalenko (3):
>   scsi: qedf: do not touch __user pointer in
>     qedf_dbg_stop_io_on_error_cmd_read() directly
>   scsi: qedf: do not touch __user pointer in qedf_dbg_debug_cmd_read()
>     directly
>   scsi: qedf: do not touch __user pointer in qedf_dbg_fp_int_cmd_read()
>     directly
> 
>  drivers/scsi/qedf/qedf_dbg.h     |  2 ++
>  drivers/scsi/qedf/qedf_debugfs.c | 35 +++++++++++++++++++-------------
>  2 files changed, 23 insertions(+), 14 deletions(-)
> 
> --
> 2.41.0

Re: [PATCH 0/3] scsi: qedf: sanitise uaccess

[Johannes Thumshirn]

Looks good,

Reviewed-by: Johannes Thumshirn <johannes.thumshirn@wdc.com>

RE: [PATCH 1/3] scsi: qedf: do not touch __user pointer in qedf_dbg_stop_io_on_error_cmd_read() directly

[David Laight]

From: Oleksandr Natalenko
> Sent: 28 July 2023 07:58
> 
> The qedf_dbg_stop_io_on_error_cmd_read() function invokes sprintf()
> directly on a __user pointer, which may crash the kernel.
> 
> Avoid doing that by using a small on-stack buffer for sprintf()
> and then calling simple_read_from_buffer() which does a proper
> copy_to_user() call.
> 
> Fixes: 61d8658b4a ("scsi: qedf: Add QLogic FastLinQ offload FCoE driver framework.")
...
> diff --git a/drivers/scsi/qedf/qedf_debugfs.c b/drivers/scsi/qedf/qedf_debugfs.c
> index a3ed681c8ce3f..4d1b99569d490 100644
> --- a/drivers/scsi/qedf/qedf_debugfs.c
> +++ b/drivers/scsi/qedf/qedf_debugfs.c
> @@ -185,18 +185,17 @@ qedf_dbg_stop_io_on_error_cmd_read(struct file *filp, char __user *buffer,
>  				   size_t count, loff_t *ppos)
>  {
>  	int cnt;
> +	char cbuf[7];
>  	struct qedf_dbg_ctx *qedf_dbg =
>  				(struct qedf_dbg_ctx *)filp->private_data;
>  	struct qedf_ctx *qedf = container_of(qedf_dbg,
>  	    struct qedf_ctx, dbg_ctx);
> 
>  	QEDF_INFO(qedf_dbg, QEDF_LOG_DEBUGFS, "entered\n");
> -	cnt = sprintf(buffer, "%s\n",
> +	cnt = sprintf(cbuf, "%s\n",
>  	    qedf->stop_io_on_error ? "true" : "false");

You've made cbuf[] exactly just big enough.
If anyone breathes on this code it could overflow.
You really should use scnprintf() for safety.

> 
> -	cnt = min_t(int, count, cnt - *ppos);
> -	*ppos += cnt;
> -	return cnt;
> +	return simple_read_from_buffer(buffer, count, ppos, cbuf, cnt);

Or just:
	if (gedf->stop_on_error)
		return simple_read_from_buffer(buffer, count, ppos, "true\n", 5);
	return simple_read_from_buffer(buffer, count, ppos, "false\n", 6);

	David

	
>  }
> 
>  static ssize_t
> --
> 2.41.0

-
Registered Address Lakeside, Bramley Road, Mount Farm, Milton Keynes, MK1 1PT, UK
Registration No: 1397386 (Wales)

RE: [PATCH 2/3] scsi: qedf: do not touch __user pointer in qedf_dbg_debug_cmd_read() directly

[David Laight]

From: Oleksandr Natalenko
> Sent: 28 July 2023 07:58
> 
> The qedf_dbg_debug_cmd_read() function invokes sprintf()
> directly on a __user pointer, which may crash the kernel.
                                      ^^^ will

> 
> Avoid doing that by using a small on-stack buffer for sprintf()
> and then calling simple_read_from_buffer() which does a proper
> copy_to_user() call.
...
> diff --git a/drivers/scsi/qedf/qedf_debugfs.c b/drivers/scsi/qedf/qedf_debugfs.c
> index 4d1b99569d490..f910af0029a2c 100644
> --- a/drivers/scsi/qedf/qedf_debugfs.c
> +++ b/drivers/scsi/qedf/qedf_debugfs.c
> @@ -138,15 +138,14 @@ qedf_dbg_debug_cmd_read(struct file *filp, char __user *buffer, size_t count,
>  			loff_t *ppos)
>  {
>  	int cnt;
> +	char cbuf[35];

Why 35?
I pick a multiple of 8 that if 'enough.

>  	struct qedf_dbg_ctx *qedf_dbg =
>  				(struct qedf_dbg_ctx *)filp->private_data;
> 
>  	QEDF_INFO(qedf_dbg, QEDF_LOG_DEBUGFS, "debug mask=0x%x\n", qedf_debug);
> -	cnt = sprintf(buffer, "debug mask = 0x%x\n", qedf_debug);
> +	cnt = sprintf(cbuf, "debug mask = 0x%x\n", qedf_debug);

Use scnprintf() to be sure it doesn't overflow.
Much safer if someone does a quick update or copies the code.

	David

> 
> -	cnt = min_t(int, count, cnt - *ppos);
> -	*ppos += cnt;
> -	return cnt;
> +	return simple_read_from_buffer(buffer, count, ppos, cbuf, cnt);
>  }
> 
>  static ssize_t
> --
> 2.41.0

-
Registered Address Lakeside, Bramley Road, Mount Farm, Milton Keynes, MK1 1PT, UK
Registration No: 1397386 (Wales)

Re: [PATCH 1/3] scsi: qedf: do not touch __user pointer in qedf_dbg_stop_io_on_error_cmd_read() directly

[Oleksandr Natalenko]

[-- Attachment #1: Type: text/plain, Size: 2236 bytes --]

Hello.

On pátek 28. července 2023 17:23:25 CEST David Laight wrote:
> From: Oleksandr Natalenko
> > Sent: 28 July 2023 07:58
> > 
> > The qedf_dbg_stop_io_on_error_cmd_read() function invokes sprintf()
> > directly on a __user pointer, which may crash the kernel.
> > 
> > Avoid doing that by using a small on-stack buffer for sprintf()
> > and then calling simple_read_from_buffer() which does a proper
> > copy_to_user() call.
> > 
> > Fixes: 61d8658b4a ("scsi: qedf: Add QLogic FastLinQ offload FCoE driver framework.")
> ...
> > diff --git a/drivers/scsi/qedf/qedf_debugfs.c b/drivers/scsi/qedf/qedf_debugfs.c
> > index a3ed681c8ce3f..4d1b99569d490 100644
> > --- a/drivers/scsi/qedf/qedf_debugfs.c
> > +++ b/drivers/scsi/qedf/qedf_debugfs.c
> > @@ -185,18 +185,17 @@ qedf_dbg_stop_io_on_error_cmd_read(struct file *filp, char __user *buffer,
> >  				   size_t count, loff_t *ppos)
> >  {
> >  	int cnt;
> > +	char cbuf[7];
> >  	struct qedf_dbg_ctx *qedf_dbg =
> >  				(struct qedf_dbg_ctx *)filp->private_data;
> >  	struct qedf_ctx *qedf = container_of(qedf_dbg,
> >  	    struct qedf_ctx, dbg_ctx);
> > 
> >  	QEDF_INFO(qedf_dbg, QEDF_LOG_DEBUGFS, "entered\n");
> > -	cnt = sprintf(buffer, "%s\n",
> > +	cnt = sprintf(cbuf, "%s\n",
> >  	    qedf->stop_io_on_error ? "true" : "false");
> 
> You've made cbuf[] exactly just big enough.
> If anyone breathes on this code it could overflow.
> You really should use scnprintf() for safety.

OK, I'll do scnprintf(cbuf, sizeof(cbuf), ...) in the next version of the submission.

Thanks.

> > 
> > -	cnt = min_t(int, count, cnt - *ppos);
> > -	*ppos += cnt;
> > -	return cnt;
> > +	return simple_read_from_buffer(buffer, count, ppos, cbuf, cnt);
> 
> Or just:
> 	if (gedf->stop_on_error)
> 		return simple_read_from_buffer(buffer, count, ppos, "true\n", 5);
> 	return simple_read_from_buffer(buffer, count, ppos, "false\n", 6);
> 
> 	David
> 
> 	
> >  }
> > 
> >  static ssize_t
> > --
> > 2.41.0
> 
> -
> Registered Address Lakeside, Bramley Road, Mount Farm, Milton Keynes, MK1 1PT, UK
> Registration No: 1397386 (Wales)
> 
> 


-- 
Oleksandr Natalenko (post-factum)
Principal Software Maintenance Engineer

[-- Attachment #2: This is a digitally signed message part. --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

Re: [PATCH 2/3] scsi: qedf: do not touch __user pointer in qedf_dbg_debug_cmd_read() directly

[Oleksandr Natalenko]

[-- Attachment #1: Type: text/plain, Size: 2021 bytes --]

Hello/

On pátek 28. července 2023 17:26:11 CEST David Laight wrote:
> From: Oleksandr Natalenko
> > Sent: 28 July 2023 07:58
> > 
> > The qedf_dbg_debug_cmd_read() function invokes sprintf()
> > directly on a __user pointer, which may crash the kernel.
>                                       ^^^ will

I don't think it is 100% guaranteed, but for sure this is not a correct behaviour.

> > 
> > Avoid doing that by using a small on-stack buffer for sprintf()
> > and then calling simple_read_from_buffer() which does a proper
> > copy_to_user() call.
> ...
> > diff --git a/drivers/scsi/qedf/qedf_debugfs.c b/drivers/scsi/qedf/qedf_debugfs.c
> > index 4d1b99569d490..f910af0029a2c 100644
> > --- a/drivers/scsi/qedf/qedf_debugfs.c
> > +++ b/drivers/scsi/qedf/qedf_debugfs.c
> > @@ -138,15 +138,14 @@ qedf_dbg_debug_cmd_read(struct file *filp, char __user *buffer, size_t count,
> >  			loff_t *ppos)
> >  {
> >  	int cnt;
> > +	char cbuf[35];
> 
> Why 35?
> I pick a multiple of 8 that if 'enough.

OK, I overestimated this, it should have been 27, but I'll make it 32 to be a multiple of 8.

Thanks.

> >  	struct qedf_dbg_ctx *qedf_dbg =
> >  				(struct qedf_dbg_ctx *)filp->private_data;
> > 
> >  	QEDF_INFO(qedf_dbg, QEDF_LOG_DEBUGFS, "debug mask=0x%x\n", qedf_debug);
> > -	cnt = sprintf(buffer, "debug mask = 0x%x\n", qedf_debug);
> > +	cnt = sprintf(cbuf, "debug mask = 0x%x\n", qedf_debug);
> 
> Use scnprintf() to be sure it doesn't overflow.
> Much safer if someone does a quick update or copies the code.
> 
> 	David
> 
> > 
> > -	cnt = min_t(int, count, cnt - *ppos);
> > -	*ppos += cnt;
> > -	return cnt;
> > +	return simple_read_from_buffer(buffer, count, ppos, cbuf, cnt);
> >  }
> > 
> >  static ssize_t
> > --
> > 2.41.0
> 
> -
> Registered Address Lakeside, Bramley Road, Mount Farm, Milton Keynes, MK1 1PT, UK
> Registration No: 1397386 (Wales)
> 
> 


-- 
Oleksandr Natalenko (post-factum)
Principal Software Maintenance Engineer

[-- Attachment #2: This is a digitally signed message part. --]
[-- Type: application/pgp-signature, Size: 833 bytes --]