Re: [PATCH 5/5] drivers/s390/cio: ensure the copied buf is NULL terminated

From: Heiko Carstens
Date: Wed Apr 24 2024 - 07:56:47 EST

Next message: Peter Xu: "Re: [PATCH v1 2/2] arm64/mm: Add uffd write-protect support"
Previous message: Bartosz Golaszewski: "Re: [PATCH] Bluetooth: qca: set power_ctrl_enabled on NULL returned by gpiod_get_optional()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Tue, Apr 23, 2024 at 09:46:35PM +0700, Bui Quang Minh wrote:
> > > - buffer = vmemdup_user(buf, lbuf);
> > > + buffer = vmemdup_user(buf, lbuf + 1);
> > > if (IS_ERR(buffer))
> > > return -ENOMEM;
> > > + buffer[lbuf] = '\0';
> >
> > This would read one byte too much from user space, and could potentially
> > fault.
> >
> > Why isn't this simply memdup_user_nul() like all others, which would do the
> > right thing?
..
> For this case, as the original code uses vmemdup_user, which internally uses
> kvmalloc not kmalloc, so I try to keep the original behavior. And
> vmemdup_user does not have the counterpart vmemdup_user_nul. I can
> kvmalloc(lbuf + 1), then copy_to_user(lbuf) and set buffer[lbuf] = '\0' or
> do you think I should create vmemdup_user_nul?

There is no need for vmalloc() instead of kmalloc() for this particular
case. The input string is supposed to be rather short (see the sscanf()
call). So converting to memdup_user_nul() is sufficient and solves the
potential problem.

Next message: Peter Xu: "Re: [PATCH v1 2/2] arm64/mm: Add uffd write-protect support"
Previous message: Bartosz Golaszewski: "Re: [PATCH] Bluetooth: qca: set power_ctrl_enabled on NULL returned by gpiod_get_optional()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]