summaryrefslogtreecommitdiffstats
path: root/drivers
diff options
context:
space:
mode:
authorBui Quang Minh <minhquangbui99@gmail.com>2024-04-24 21:44:23 +0700
committerJakub Kicinski <kuba@kernel.org>2024-04-25 19:23:51 -0700
commitf299ee709fb45036454ca11e90cb2810fe771878 (patch)
tree372ccd84a71818b0731f7ef829fbb527541f6d7f /drivers
parent8c34096c7fdf272fd4c0c37fe411cd2e3ed0ee9f (diff)
downloadlinux-stable-f299ee709fb45036454ca11e90cb2810fe771878.tar.gz
linux-stable-f299ee709fb45036454ca11e90cb2810fe771878.tar.bz2
linux-stable-f299ee709fb45036454ca11e90cb2810fe771878.zip
octeontx2-af: avoid off-by-one read from userspace
We try to access count + 1 byte from userspace with memdup_user(buffer, count + 1). However, the userspace only provides buffer of count bytes and only these count bytes are verified to be okay to access. To ensure the copied buffer is NUL terminated, we use memdup_user_nul instead. Fixes: 3a2eb515d136 ("octeontx2-af: Fix an off by one in rvu_dbg_qsize_write()") Signed-off-by: Bui Quang Minh <minhquangbui99@gmail.com> Link: https://lore.kernel.org/r/20240424-fix-oob-read-v2-6-f1f1b53a10f4@gmail.com Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Diffstat (limited to 'drivers')
-rw-r--r--drivers/net/ethernet/marvell/octeontx2/af/rvu_debugfs.c4
1 files changed, 1 insertions, 3 deletions
diff --git a/drivers/net/ethernet/marvell/octeontx2/af/rvu_debugfs.c b/drivers/net/ethernet/marvell/octeontx2/af/rvu_debugfs.c
index 2500f5ba4f5a..881d704644fb 100644
--- a/drivers/net/ethernet/marvell/octeontx2/af/rvu_debugfs.c
+++ b/drivers/net/ethernet/marvell/octeontx2/af/rvu_debugfs.c
@@ -999,12 +999,10 @@ static ssize_t rvu_dbg_qsize_write(struct file *filp,
u16 pcifunc;
int ret, lf;
- cmd_buf = memdup_user(buffer, count + 1);
+ cmd_buf = memdup_user_nul(buffer, count);
if (IS_ERR(cmd_buf))
return -ENOMEM;
- cmd_buf[count] = '\0';
-
cmd_buf_tmp = strchr(cmd_buf, '\n');
if (cmd_buf_tmp) {
*cmd_buf_tmp = '\0';