mirror of
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
synced 2024-10-02 15:18:19 +00:00
octeontx2-af: avoid off-by-one read from userspace
[ Upstream commitf299ee709f
] We try to access count + 1 byte from userspace with memdup_user(buffer, count + 1). However, the userspace only provides buffer of count bytes and only these count bytes are verified to be okay to access. To ensure the copied buffer is NUL terminated, we use memdup_user_nul instead. Fixes:3a2eb515d1
("octeontx2-af: Fix an off by one in rvu_dbg_qsize_write()") Signed-off-by: Bui Quang Minh <minhquangbui99@gmail.com> Link: https://lore.kernel.org/r/20240424-fix-oob-read-v2-6-f1f1b53a10f4@gmail.com Signed-off-by: Jakub Kicinski <kuba@kernel.org> Signed-off-by: Sasha Levin <sashal@kernel.org>
This commit is contained in:
parent
6f0f19b79c
commit
bcdac70adc
1 changed files with 1 additions and 3 deletions
|
@ -420,12 +420,10 @@ static ssize_t rvu_dbg_qsize_write(struct file *filp,
|
|||
u16 pcifunc;
|
||||
int ret, lf;
|
||||
|
||||
cmd_buf = memdup_user(buffer, count + 1);
|
||||
cmd_buf = memdup_user_nul(buffer, count);
|
||||
if (IS_ERR(cmd_buf))
|
||||
return -ENOMEM;
|
||||
|
||||
cmd_buf[count] = '\0';
|
||||
|
||||
cmd_buf_tmp = strchr(cmd_buf, '\n');
|
||||
if (cmd_buf_tmp) {
|
||||
*cmd_buf_tmp = '\0';
|
||||
|
|
Loading…
Reference in a new issue