scsi: qedf: sanitise uaccess
qedf driver, debugfs part of it specifically, touches __user pointers directly for printing out info to userspace via sprintf(), which may cause a crash like this:
BUG: unable to handle kernel paging request at 00007ffd1d6b43a0
IP: [<ffffffffaa7a882a>] string.isra.7+0x6a/0xf0
Oops: 0003 [#1] SMP
Call Trace:
[<ffffffffaa7a9f31>] vsnprintf+0x201/0x6a0
[<ffffffffaa7aa556>] sprintf+0x56/0x80
[<ffffffffc04227ed>] qedf_dbg_stop_io_on_error_cmd_read+0x6d/0x90 [qedf]
[<ffffffffaa65bb2f>] vfs_read+0x9f/0x170
[<ffffffffaa65cb82>] SyS_pread64+0x92/0xc0
Avoid this by preparing the info in a kernel buffer first, either allocated on stack for small printouts, or via vmalloc() for big ones, and then copying it to the userspace properly.
Bugzilla: https://bugzilla.redhat.com/2228080
Upstream Status: linux-next.git
Tested: on a real HW
Conflicts: None
Signed-off-by: Oleksandr Natalenko oleksandr@redhat.com
Edited by Oleksandr Natalenko
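The small-printout case described in the commit message, as an added userspace model (not code from the patch or the qedf driver): the value is formatted into a stack buffer and then copied out with offset and length checks, following the contract of the kernel's copy_to_user() and simple_read_from_buffer(). All `model_*` names, the `stop_io_on_error` variable and the "true"/"false" output are assumptions, and a NULL destination stands in for a faulting user address.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

static int stop_io_on_error = 1;   /* hypothetical driver state */

/* Models copy_to_user(): returns bytes NOT copied; NULL models a faulting address. */
static unsigned long model_copy_to_user(void *to, const void *from, unsigned long n)
{
    if (to == NULL)
        return n;
    memcpy(to, from, n);
    return 0;
}

/* Models the offset/length handling of simple_read_from_buffer(). */
static ssize_t model_read_from_buffer(void *to, size_t count, long long *ppos,
                                      const void *from, size_t available)
{
    long long pos = *ppos;
    if (pos < 0)
        return -EINVAL;
    if ((size_t)pos >= available || count == 0)
        return 0;                          /* EOF or empty read */
    if (count > available - (size_t)pos)
        count = available - (size_t)pos;   /* never read past the kernel buffer */
    if (model_copy_to_user(to, (const char *)from + pos, count))
        return -EFAULT;                    /* bad user pointer: error, not an oops */
    *ppos = pos + (long long)count;
    return (ssize_t)count;
}

/* Read handler: format into a stack buffer first, then copy to the caller. */
static ssize_t model_dbg_read(char *ubuf, size_t count, long long *ppos)
{
    char cbuf[8];                          /* longest output "false\n" plus NUL fits */
    int len = snprintf(cbuf, sizeof(cbuf), "%s\n",
                       stop_io_on_error ? "true" : "false");
    return model_read_from_buffer(ubuf, count, ppos, cbuf, (size_t)len);
}

int main(void)
{
    char ubuf[16] = {0};
    long long pos = 0;
    ssize_t n = model_dbg_read(ubuf, sizeof(ubuf), &pos);
    return printf("read %zd bytes: %s", n, ubuf) < 0;
}
```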