From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Justin Tee <justin.tee@broadcom.com>,
"Martin K . Petersen" <martin.petersen@oracle.com>,
Sasha Levin <sashal@kernel.org>,
james.smart@broadcom.com, dick.kennedy@broadcom.com,
jejb@linux.ibm.com, linux-scsi@vger.kernel.org
Subject: [PATCH AUTOSEL 5.4 03/18] scsi: lpfc: Prevent lpfc_debugfs_lockstat_write() buffer overflow
Date: Thu, 4 May 2023 15:50:25 -0400 [thread overview]
Message-ID: <20230504195042.3808716-3-sashal@kernel.org> (raw)
In-Reply-To: <20230504195042.3808716-1-sashal@kernel.org>
From: Justin Tee <justin.tee@broadcom.com>
[ Upstream commit c6087b82a9146826564a55c5ca0164cac40348f5 ]
A static code analysis tool flagged the possibility of buffer overflow when
using copy_from_user() for a debugfs entry.
Currently, it is possible that copy_from_user() copies more bytes than what
would fit in the mybuf char array. Add a min() restriction check between
sizeof(mybuf) - 1 and nbytes passed from the userspace buffer to protect
against buffer overflow.
Link: https://lore.kernel.org/r/20230301231626.9621-2-justintee8345@gmail.com
Signed-off-by: Justin Tee <justin.tee@broadcom.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/scsi/lpfc/lpfc_debugfs.c | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/drivers/scsi/lpfc/lpfc_debugfs.c b/drivers/scsi/lpfc/lpfc_debugfs.c
index 69551132f304c..291fccf02d453 100644
--- a/drivers/scsi/lpfc/lpfc_debugfs.c
+++ b/drivers/scsi/lpfc/lpfc_debugfs.c
@@ -2046,6 +2046,7 @@ lpfc_debugfs_lockstat_write(struct file *file, const char __user *buf,
char mybuf[64];
char *pbuf;
int i;
+ size_t bsize;
/* Protect copy from user */
if (!access_ok(buf, nbytes))
@@ -2053,7 +2054,9 @@ lpfc_debugfs_lockstat_write(struct file *file, const char __user *buf,
memset(mybuf, 0, sizeof(mybuf));
- if (copy_from_user(mybuf, buf, nbytes))
+ bsize = min(nbytes, (sizeof(mybuf) - 1));
+
+ if (copy_from_user(mybuf, buf, bsize))
return -EFAULT;
pbuf = &mybuf[0];
@@ -2074,7 +2077,7 @@ lpfc_debugfs_lockstat_write(struct file *file, const char __user *buf,
qp->lock_conflict.wq_access = 0;
}
}
- return nbytes;
+ return bsize;
}
#endif
--
2.39.2
next prev parent reply other threads:[~2023-05-04 20:04 UTC|newest]
Thread overview: 18+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-05-04 19:50 [PATCH AUTOSEL 5.4 01/18] wifi: brcmfmac: cfg80211: Pass the PMK in binary instead of hex Sasha Levin
2023-05-04 19:50 ` [PATCH AUTOSEL 5.4 02/18] ext2: Check block size validity during mount Sasha Levin
2023-05-04 19:50 ` Sasha Levin [this message]
2023-05-04 19:50 ` [PATCH AUTOSEL 5.4 04/18] wifi: brcmfmac: slab-out-of-bounds read in brcmf_get_assoc_ies() Sasha Levin
2023-05-04 19:50 ` [PATCH AUTOSEL 5.4 05/18] net: pasemi: Fix return type of pasemi_mac_start_tx() Sasha Levin
2023-05-04 19:50 ` [PATCH AUTOSEL 5.4 06/18] net: Catch invalid index in XPS mapping Sasha Levin
2023-05-04 19:50 ` [PATCH AUTOSEL 5.4 07/18] scsi: target: iscsit: Free cmds before session free Sasha Levin
2023-05-04 19:50 ` [PATCH AUTOSEL 5.4 08/18] lib: cpu_rmap: Avoid use after free on rmap->obj array entries Sasha Levin
2023-05-04 19:50 ` [PATCH AUTOSEL 5.4 09/18] scsi: message: mptlan: Fix use after free bug in mptlan_remove() due to race condition Sasha Levin
2023-05-04 19:50 ` [PATCH AUTOSEL 5.4 10/18] gfs2: Fix inode height consistency check Sasha Levin
2023-05-04 19:50 ` [PATCH AUTOSEL 5.4 11/18] ext4: set goal start correctly in ext4_mb_normalize_request Sasha Levin
2023-05-04 19:50 ` [PATCH AUTOSEL 5.4 12/18] ext4: Fix best extent lstart adjustment logic in ext4_mb_new_inode_pa() Sasha Levin
2023-05-04 19:50 ` [PATCH AUTOSEL 5.4 13/18] f2fs: fix to drop all dirty pages during umount() if cp_error is set Sasha Levin
2023-05-04 19:50 ` [PATCH AUTOSEL 5.4 14/18] samples/bpf: Fix fout leak in hbm's run_bpf_prog Sasha Levin
2023-05-04 19:50 ` [PATCH AUTOSEL 5.4 15/18] wifi: iwlwifi: pcie: fix possible NULL pointer dereference Sasha Levin
2023-05-04 19:50 ` [PATCH AUTOSEL 5.4 16/18] wifi: iwlwifi: pcie: Fix integer overflow in iwl_write_to_user_buf Sasha Levin
2023-05-04 19:50 ` [PATCH AUTOSEL 5.4 17/18] wifi: iwlwifi: dvm: Fix memcpy: detected field-spanning write backtrace Sasha Levin
2023-05-04 19:50 ` [PATCH AUTOSEL 5.4 18/18] Bluetooth: L2CAP: fix "bad unlock balance" in l2cap_disconnect_rsp Sasha Levin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20230504195042.3808716-3-sashal@kernel.org \
--to=sashal@kernel.org \
--cc=dick.kennedy@broadcom.com \
--cc=james.smart@broadcom.com \
--cc=jejb@linux.ibm.com \
--cc=justin.tee@broadcom.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-scsi@vger.kernel.org \
--cc=martin.petersen@oracle.com \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox