[PATCH 0/3] scsi: qedf: sanitise uaccess
From: Oleksandr Natalenko
Date: Fri Jul 28 2023 - 02:59:14 EST
qedf driver, debugfs part of it specifically, touches __user pointers
directly for printing out info to userspace via sprintf(), which may
cause crash like this:
BUG: unable to handle kernel paging request at 00007ffd1d6b43a0
IP: [<ffffffffaa7a882a>] string.isra.7+0x6a/0xf0
Oops: 0003 [#1] SMP
Call Trace:
[<ffffffffaa7a9f31>] vsnprintf+0x201/0x6a0
[<ffffffffaa7aa556>] sprintf+0x56/0x80
[<ffffffffc04227ed>] qedf_dbg_stop_io_on_error_cmd_read+0x6d/0x90 [qedf]
[<ffffffffaa65bb2f>] vfs_read+0x9f/0x170
[<ffffffffaa65cb82>] SyS_pread64+0x92/0xc0
Avoid this by preparing the info in a kernel buffer first, either
allocated on stack for small printouts, or via vmalloc() for big ones,
and then copying it to the userspace properly.
Previous submission is an RFC: [1]. There are no code changes since
then. The RFC prefix is dropped. The Tested-by tag from Laurence is
added.
There's similar submission from Saurav [2], but we agreed I could nack
it and proceed with my one.
[1] https://lore.kernel.org/linux-scsi/20230724120241.40495-1-oleksandr@xxxxxxxxxx/
[2] https://lore.kernel.org/linux-scsi/20230726101236.11922-1-skashyap@xxxxxxxxxxx/
Oleksandr Natalenko (3):
scsi: qedf: do not touch __user pointer in
qedf_dbg_stop_io_on_error_cmd_read() directly
scsi: qedf: do not touch __user pointer in qedf_dbg_debug_cmd_read()
directly
scsi: qedf: do not touch __user pointer in qedf_dbg_fp_int_cmd_read()
directly
drivers/scsi/qedf/qedf_dbg.h | 2 ++
drivers/scsi/qedf/qedf_debugfs.c | 35 +++++++++++++++++++-------------
2 files changed, 23 insertions(+), 14 deletions(-)
--
2.41.0