Re: [PATCH v2 0/3] scsi: qedf: sanitise uaccess

From: Laurence Oberman
Date: Mon Jul 31 2023 - 14:34:20 EST

Next message: Thomas Weißschuh: "Re: [PATCH 1/4] selftests/nolibc: drop unused test helpers"
Previous message: Simon Horman: "Re: [PATCH v2 03/14] sysctl: Add ctl_table_size to ctl_table_header"
In reply to: Oleksandr Natalenko: "[PATCH v2 3/3] scsi: qedf: do not touch __user pointer in qedf_dbg_fp_int_cmd_read() directly"
Next in thread: Martin K. Petersen: "Re: [PATCH v2 0/3] scsi: qedf: sanitise uaccess"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Mon, 2023-07-31 at 10:40 +0200, Oleksandr Natalenko wrote:
> qedf driver, debugfs part of it specifically, touches __user pointers
> directly for printing out info to userspace via sprintf(), which may
> cause crash like this:
>
> BUG: unable to handle kernel paging request at 00007ffd1d6b43a0
> IP: [<ffffffffaa7a882a>] string.isra.7+0x6a/0xf0
> Oops: 0003 [#1] SMP
> Call Trace:
> [<ffffffffaa7a9f31>] vsnprintf+0x201/0x6a0
> [<ffffffffaa7aa556>] sprintf+0x56/0x80
> [<ffffffffc04227ed>] qedf_dbg_stop_io_on_error_cmd_read+0x6d/0x90
> [qedf]
> [<ffffffffaa65bb2f>] vfs_read+0x9f/0x170
> [<ffffffffaa65cb82>] SyS_pread64+0x92/0xc0
>
> Avoid this by preparing the info in a kernel buffer first, either
> allocated on stack for small printouts, or via vmalloc() for big
> ones,
> and then copying it to the userspace properly.
>
> Changes since v1 [1]:
>
> * use scnprintf() for on-stack buffers too
> * adjust an on-stack buffer size in qedf_dbg_debug_cmd_read() to be
> a
>     multiple of 8, and also size it properly
> * accumulate acks and reviews
>
> [1]
> https://lore.kernel.org/lkml/20230728065819.139694-1-oleksandr@xxxxxxxxxx/
>
> Oleksandr Natalenko (3):
> scsi: qedf: do not touch __user pointer in
>     qedf_dbg_stop_io_on_error_cmd_read() directly
> scsi: qedf: do not touch __user pointer in
> qedf_dbg_debug_cmd_read()
>     directly
> scsi: qedf: do not touch __user pointer in
> qedf_dbg_fp_int_cmd_read()
>     directly
>
> drivers/scsi/qedf/qedf_dbg.h     | 2 ++
> drivers/scsi/qedf/qedf_debugfs.c | 35 +++++++++++++++++++-----------
> --
> 2 files changed, 23 insertions(+), 14 deletions(-)
>
In case it's needed

For the series v2 against 6.5-rc3
Reviewed-by: Laurence Oberman <loberman@xxxxxxxxxx>
Tested-by: Laurence Oberman <loberman@xxxxxxxxxx>

Test notes

Linux segstorage5 6.5.0-rc3+

[root@segstorage5 qedf]# cd host2
[root@segstorage5 host2]# ls
clear_stats debug driver_stats fp_int io_trace offload_stats
stop_io_on_error

[root@segstorage5 host2]# cat stop_io_on_error
false

[root@segstorage5 host2]# cat fp_int

Fastpath I/O completions

#0: 844
#1: 990
#2: 1036
#3: 1116
#4: 953
#5: 822
#6: 882
#7: 1073
#8: 1030
#9: 992
#10: 789
#11: 705
#12: 490
#13: 532
#14: 646
#15: 705

[root@segstorage5 host2]# cat debug
debug mask = 0x2

Next message: Thomas Weißschuh: "Re: [PATCH 1/4] selftests/nolibc: drop unused test helpers"
Previous message: Simon Horman: "Re: [PATCH v2 03/14] sysctl: Add ctl_table_size to ctl_table_header"
In reply to: Oleksandr Natalenko: "[PATCH v2 3/3] scsi: qedf: do not touch __user pointer in qedf_dbg_fp_int_cmd_read() directly"
Next in thread: Martin K. Petersen: "Re: [PATCH v2 0/3] scsi: qedf: sanitise uaccess"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]