]> git.baikalelectronics.ru Git - kernel.git/commitdiff
projects / kernel.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 745365a)
scsi: lpfc: Prevent buffer overflow crashes in debugfs with malformed user input
authorJames Smart <jsmart2021@gmail.com>
Fri, 1 Jul 2022 21:14:15 +0000 (14:14 -0700)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Thu, 25 Aug 2022 09:18:33 +0000 (11:18 +0200)
[ Upstream commit 65b05d5d35a42f06bd3fac96799d01b84d5842d4 ]

Malformed user input to debugfs results in buffer overflow crashes.  Adapt
input string lengths to fit within internal buffers, leaving space for NULL
terminators.

Link: https://lore.kernel.org/r/20220701211425.2708-3-jsmart2021@gmail.com
Co-developed-by: Justin Tee <justin.tee@broadcom.com>
Signed-off-by: Justin Tee <justin.tee@broadcom.com>
Signed-off-by: James Smart <jsmart2021@gmail.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
drivers/scsi/lpfc/lpfc_debugfs.c patch | blob | history

diff --git a/drivers/scsi/lpfc/lpfc_debugfs.c b/drivers/scsi/lpfc/lpfc_debugfs.c
index e15bb3dfe9956c8f1a6b02fb77da2d4e0d3ccc85..69551132f304c104d714b5ff91b22bf702b0697a 100644 (file)
--- a/drivers/scsi/lpfc/lpfc_debugfs.c
+++ b/drivers/scsi/lpfc/lpfc_debugfs.c
@@ -2402,8 +2402,8 @@ lpfc_debugfs_multixripools_write(struct file *file, const char __user *buf,
        struct lpfc_sli4_hdw_queue *qp;
        struct lpfc_multixri_pool *multixri_pool;
 
-       if (nbytes > 64)
-               nbytes = 64;
+       if (nbytes > sizeof(mybuf) - 1)
+               nbytes = sizeof(mybuf) - 1;
 
        /* Protect copy from user */
        if (!access_ok(buf, nbytes))
@@ -2487,8 +2487,8 @@ lpfc_debugfs_nvmestat_write(struct file *file, const char __user *buf,
        if (!phba->targetport)
                return -ENXIO;
 
-       if (nbytes > 64)
-               nbytes = 64;
+       if (nbytes > sizeof(mybuf) - 1)
+               nbytes = sizeof(mybuf) - 1;
 
        memset(mybuf, 0, sizeof(mybuf));
 
@@ -2629,8 +2629,8 @@ lpfc_debugfs_nvmektime_write(struct file *file, const char __user *buf,
        char mybuf[64];
        char *pbuf;
 
-       if (nbytes > 64)
-               nbytes = 64;
+       if (nbytes > sizeof(mybuf) - 1)
+               nbytes = sizeof(mybuf) - 1;
 
        memset(mybuf, 0, sizeof(mybuf));
 
@@ -2757,8 +2757,8 @@ lpfc_debugfs_nvmeio_trc_write(struct file *file, const char __user *buf,
        char mybuf[64];
        char *pbuf;
 
-       if (nbytes > 63)
-               nbytes = 63;
+       if (nbytes > sizeof(mybuf) - 1)
+               nbytes = sizeof(mybuf) - 1;
 
        memset(mybuf, 0, sizeof(mybuf));
 
@@ -2863,8 +2863,8 @@ lpfc_debugfs_cpucheck_write(struct file *file, const char __user *buf,
        char *pbuf;
        int i, j;
 
-       if (nbytes > 64)
-               nbytes = 64;
+       if (nbytes > sizeof(mybuf) - 1)
+               nbytes = sizeof(mybuf) - 1;
 
        memset(mybuf, 0, sizeof(mybuf));
 
Linux Kernel Source Tree.