From patchwork Thu Feb 13 11:00:24 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Peter Seiderer X-Patchwork-Id: 864977
From: Peter Seiderer To: netdev@vger.kernel.org Cc: linux-kernel@vger.kernel.org, linux-kselftest@vger.kernel.org, "David S . Miller" , Eric Dumazet , Jakub Kicinski , Paolo Abeni , Simon Horman , Shuah Khan , Peter Seiderer , Artem Chernyshev , Nam Cao , Frederic Weisbecker Subject: [PATCH net-next v5 7/8] net: pktgen: fix access outside of user given buffer in pktgen_thread_write() Date: Thu, 13 Feb 2025 12:00:24 +0100 Message-ID: <20250213110025.1436160-8-ps.report@gmx.net> X-Mailer: git-send-email 2.48.1 In-Reply-To: <20250213110025.1436160-1-ps.report@gmx.net> References: <20250213110025.1436160-1-ps.report@gmx.net> Precedence: bulk X-Mailing-List: linux-kselftest@vger.kernel.org
Honour the user given buffer size for the strn_len() calls (otherwise strn_len() will access memory outside of the user given buffer). Signed-off-by: Peter Seiderer Reviewed-by: Simon Horman --- Changes v4 -> v5 - split up patchset into part i/ii (suggested by Simon Horman) Changes v3 -> v4 - add rev-by Simon Horman Changes v2 -> v3: - no changes Changes v1 -> v2: - no changes --- net/core/pktgen.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/net/core/pktgen.c b/net/core/pktgen.c index f6e35ba035c7..55064713223e 100644 --- a/net/core/pktgen.c +++ b/net/core/pktgen.c @@ -1900,8 +1900,8 @@ static ssize_t pktgen_thread_write(struct file *file, i = len; /* Read variable name */ - - len = strn_len(&user_buffer[i], sizeof(name) - 1); + max = min(sizeof(name) - 1, count - i); + len = strn_len(&user_buffer[i], max); if (len < 0) return len; @@ -1931,7 +1931,8 @@ static ssize_t pktgen_thread_write(struct file *file, if (!strcmp(name, "add_device")) { char f[32]; memset(f, 0, 32); - len = strn_len(&user_buffer[i], sizeof(f) - 1); + max = min(sizeof(f) - 1, count - i); + len = strn_len(&user_buffer[i], max); if (len < 0) { ret = len; goto out;
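Review bot: In the first hunk (the variable name read), `count - i` is an unsigned subtraction, so the new clamp only holds while i <= count. If i could ever exceed count, the result wraps to a very large value and min() silently falls back to sizeof(name) - 1, which is the pre-patch behaviour. The visible context (`i = len;`) does not establish that invariant, so either state it in a comment above the min() or guard it explicitly before subtracting. It is also worth saying what strn_len() returns when max is 0 (i == count), since only len < 0 is treated as an error at this point.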
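Review bot: In the second hunk (the "add_device" branch), `max = min(sizeof(f) - 1, count - i);` repeats the clamp added for name, and a local called `max` directly beside min() reads like the kernel macro of the same name. Consider renaming it to something like max_len, or folding the clamp and the strn_len() call into one small helper that takes the destination size, count and i, so the bound cannot be forgotten at the next call site. By this point i has advanced past the name, which makes the i <= count assumption behind `count - i` more important here than in the first hunk.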