Lin Ma 85b8c282d1 scsi: iscsi: Add strlen() check in iscsi_if_set{_host}_param()
[ Upstream commit ce51c81700 ]

The functions iscsi_if_set_param() and iscsi_if_set_host_param() convert an
nlattr payload to type char* and then call C string handling functions like
sscanf and kstrdup:

  char *data = (char*)ev + sizeof(*ev);
  ...
  sscanf(data, "%d", &value);

However, since the nlattr is provided by the user-space program and the
nlmsg skb is allocated with GFP_KERNEL instead of GFP_ZERO flag (see
netlink_alloc_large_skb() in netlink_sendmsg()), dirty data on the heap can
lead to an OOB access for those string handling functions.

By investigating how the bug is introduced, we find it is really
interesting as the old version parsing code starting from commit
fd7255f51a ("[SCSI] iscsi: add sysfs attrs for uspace sync up") treated
the nlattr as integer bytes instead of string and had length check in
iscsi_copy_param():

  if (ev->u.set_param.len != sizeof(uint32_t))
    BUG();

But, since the commit a54a52caad ("[SCSI] iscsi: fixup set/get param
functions"), the code treated the nlattr as C string while forgetting to
add any strlen() checks, opening the possibility of an OOB access.

Fix the potential OOB by adding the strlen() check before accessing the
buf. If the data passes this check, all low-level set_param handlers can
safely treat this buf as legal C string.

Fixes: fd7255f51a ("[SCSI] iscsi: add sysfs attrs for uspace sync up")
Fixes: 1d9bf13a9c ("[SCSI] iscsi class: add iscsi host set param event")
Signed-off-by: Lin Ma <linma@zju.edu.cn>
Link: https://lore.kernel.org/r/20230723075820.3713119-1-linma@zju.edu.cn
Reviewed-by: Chris Leech <cleech@redhat.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
2023-09-13 09:42:51 +02:00
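The validation step the commit message describes, as an added user-space example that is not the kernel's own code: a payload with a declared length is checked for a NUL terminator inside that length before any C string function runs over it. The struct, the function names and the junk-filled tail are constructed assumptions; the check uses a bounded memchr() rather than the strlen() of the patch so that the check itself can never read past the declared length.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for the set_param netlink event: the declared
 * payload length (ev->u.set_param.len) followed by the payload bytes
 * that the low-level handlers treat as a C string. Not the kernel's struct. */
struct set_param_ev {
	uint32_t len;
	char data[];
};

/* The property the patch establishes: a NUL must lie inside the declared
 * length before sscanf()/kstrdup() style consumers touch the buffer.
 * memchr() is bounded by len, unlike strlen(), so this check never reads
 * the uninitialised bytes after the payload. 0 = legal C string. */
int check_param_string(const char *data, size_t len)
{
	if (len == 0 || memchr(data, '\0', len) == NULL)
		return -EINVAL;
	return 0;
}

/* Hypothetical handler modelled on the sscanf(data, "%d", ...) consumer
 * quoted in the commit message, with the check done first. */
int set_int_param(const char *data, size_t len, int *value)
{
	int rc = check_param_string(data, len);

	if (rc)
		return rc;
	return sscanf(data, "%d", value) == 1 ? 0 : -EINVAL;
}

/* Places exactly len bytes of payload in a heap block whose tail is filled
 * with non-zero junk: a constructed stand-in for a never-zeroed GFP_KERNEL skb. */
int deliver_event(const char *payload, uint32_t len, int *value)
{
	size_t junk = 32;
	struct set_param_ev *ev = malloc(sizeof(*ev) + len + junk);
	int rc;

	if (!ev)
		return -ENOMEM;
	ev->len = len;
	memcpy(ev->data, payload, len);
	memset(ev->data + len, 'A', junk);
	rc = set_int_param(ev->data, ev->len, value);
	free(ev);
	return rc;
}
```

With len 3 the payload "42" carries its terminator and parses; with len 2 the same bytes are rejected before sscanf() ever sees the junk that follows them.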

README

Linux kernel
============

There are several guides for kernel developers and users. These guides can
be rendered in a number of formats, like HTML and PDF. Please read
Documentation/admin-guide/README.rst first.

In order to build the documentation, use ``make htmldocs`` or
``make pdfdocs``.  The formatted documentation can also be read online at:

    https://www.kernel.org/doc/html/latest/

There are various text files in the Documentation/ subdirectory,
several of them using the Restructured Text markup notation.

Please read the Documentation/process/changes.rst file, as it contains the
requirements for building and running the kernel, and information about
the problems which may result from upgrading your kernel.