From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Justin Tee <justin.tee@broadcom.com>,
"Martin K . Petersen" <martin.petersen@oracle.com>,
Sasha Levin <sashal@kernel.org>,
james.smart@broadcom.com, dick.kennedy@broadcom.com,
jejb@linux.ibm.com, linux-scsi@vger.kernel.org
Subject: [PATCH AUTOSEL 5.10 05/24] scsi: lpfc: Prevent lpfc_debugfs_lockstat_write() buffer overflow
Date: Thu, 4 May 2023 15:49:18 -0400 [thread overview]
Message-ID: <20230504194937.3808414-5-sashal@kernel.org> (raw)
In-Reply-To: <20230504194937.3808414-1-sashal@kernel.org>
From: Justin Tee <justin.tee@broadcom.com>
[ Upstream commit c6087b82a9146826564a55c5ca0164cac40348f5 ]
A static code analysis tool flagged the possibility of buffer overflow when
using copy_from_user() for a debugfs entry.
Currently, it is possible that copy_from_user() copies more bytes than what
would fit in the mybuf char array. Add a min() restriction check between
sizeof(mybuf) - 1 and nbytes passed from the userspace buffer to protect
against buffer overflow.
Link: https://lore.kernel.org/r/20230301231626.9621-2-justintee8345@gmail.com
Signed-off-by: Justin Tee <justin.tee@broadcom.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/scsi/lpfc/lpfc_debugfs.c | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/drivers/scsi/lpfc/lpfc_debugfs.c b/drivers/scsi/lpfc/lpfc_debugfs.c
index fbc76d69ea0b4..2b77cbbcdccb6 100644
--- a/drivers/scsi/lpfc/lpfc_debugfs.c
+++ b/drivers/scsi/lpfc/lpfc_debugfs.c
@@ -2159,10 +2159,13 @@ lpfc_debugfs_lockstat_write(struct file *file, const char __user *buf,
char mybuf[64];
char *pbuf;
int i;
+ size_t bsize;
memset(mybuf, 0, sizeof(mybuf));
- if (copy_from_user(mybuf, buf, nbytes))
+ bsize = min(nbytes, (sizeof(mybuf) - 1));
+
+ if (copy_from_user(mybuf, buf, bsize))
return -EFAULT;
pbuf = &mybuf[0];
@@ -2183,7 +2186,7 @@ lpfc_debugfs_lockstat_write(struct file *file, const char __user *buf,
qp->lock_conflict.wq_access = 0;
}
}
- return nbytes;
+ return bsize;
}
#endif
--
2.39.2
next prev parent reply other threads:[~2023-05-04 20:02 UTC|newest]
Thread overview: 24+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-05-04 19:49 [PATCH AUTOSEL 5.10 01/24] wifi: ath: Silence memcpy run-time false positive warning Sasha Levin
2023-05-04 19:49 ` [PATCH AUTOSEL 5.10 02/24] bpf: Annotate data races in bpf_local_storage Sasha Levin
2023-05-04 19:49 ` [PATCH AUTOSEL 5.10 03/24] wifi: brcmfmac: cfg80211: Pass the PMK in binary instead of hex Sasha Levin
2023-05-04 19:49 ` [PATCH AUTOSEL 5.10 04/24] ext2: Check block size validity during mount Sasha Levin
2023-05-04 19:49 ` Sasha Levin [this message]
2023-05-04 19:49 ` [PATCH AUTOSEL 5.10 06/24] wifi: brcmfmac: slab-out-of-bounds read in brcmf_get_assoc_ies() Sasha Levin
2023-05-04 19:49 ` [PATCH AUTOSEL 5.10 07/24] net: pasemi: Fix return type of pasemi_mac_start_tx() Sasha Levin
2023-05-04 19:49 ` [PATCH AUTOSEL 5.10 08/24] net: Catch invalid index in XPS mapping Sasha Levin
2023-05-04 19:49 ` [PATCH AUTOSEL 5.10 09/24] scsi: target: iscsit: Free cmds before session free Sasha Levin
2023-05-04 19:49 ` [PATCH AUTOSEL 5.10 10/24] lib: cpu_rmap: Avoid use after free on rmap->obj array entries Sasha Levin
2023-05-04 19:49 ` [PATCH AUTOSEL 5.10 11/24] scsi: message: mptlan: Fix use after free bug in mptlan_remove() due to race condition Sasha Levin
2023-05-04 19:49 ` [PATCH AUTOSEL 5.10 12/24] gfs2: Fix inode height consistency check Sasha Levin
2023-05-04 19:49 ` [PATCH AUTOSEL 5.10 13/24] ext4: set goal start correctly in ext4_mb_normalize_request Sasha Levin
2023-05-04 19:49 ` [PATCH AUTOSEL 5.10 14/24] ext4: Fix best extent lstart adjustment logic in ext4_mb_new_inode_pa() Sasha Levin
2023-05-04 19:49 ` [PATCH AUTOSEL 5.10 15/24] f2fs: fix to drop all dirty pages during umount() if cp_error is set Sasha Levin
2023-05-04 19:49 ` [PATCH AUTOSEL 5.10 16/24] samples/bpf: Fix fout leak in hbm's run_bpf_prog Sasha Levin
2023-05-04 19:49 ` [PATCH AUTOSEL 5.10 17/24] wifi: iwlwifi: pcie: fix possible NULL pointer dereference Sasha Levin
2023-05-04 19:49 ` [PATCH AUTOSEL 5.10 18/24] wifi: iwlwifi: pcie: Fix integer overflow in iwl_write_to_user_buf Sasha Levin
2023-05-04 19:49 ` [PATCH AUTOSEL 5.10 19/24] null_blk: Always check queue mode setting from configfs Sasha Levin
2023-05-04 19:49 ` [PATCH AUTOSEL 5.10 20/24] wifi: iwlwifi: dvm: Fix memcpy: detected field-spanning write backtrace Sasha Levin
2023-05-04 19:49 ` [PATCH AUTOSEL 5.10 21/24] wifi: ath11k: Fix SKB corruption in REO destination ring Sasha Levin
2023-05-04 19:49 ` [PATCH AUTOSEL 5.10 22/24] ipvs: Update width of source for ip_vs_sync_conn_options Sasha Levin
2023-05-04 19:49 ` [PATCH AUTOSEL 5.10 23/24] Bluetooth: hci_bcm: Fall back to getting bdaddr from EFI if not set Sasha Levin
2023-05-04 19:49 ` [PATCH AUTOSEL 5.10 24/24] Bluetooth: L2CAP: fix "bad unlock balance" in l2cap_disconnect_rsp Sasha Levin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20230504194937.3808414-5-sashal@kernel.org \
--to=sashal@kernel.org \
--cc=dick.kennedy@broadcom.com \
--cc=james.smart@broadcom.com \
--cc=jejb@linux.ibm.com \
--cc=justin.tee@broadcom.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-scsi@vger.kernel.org \
--cc=martin.petersen@oracle.com \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox