
octeontx2-af: avoid off-by-one read from userspace

Kamal Heib requested to merge kheib/centos-stream-9:39873 into main

JIRA: https://issues.redhat.com/browse/RHEL-39873
CVE: CVE-2024-36957

commit f299ee709fb45036454ca11e90cb2810fe771878
Author: Bui Quang Minh <minhquangbui99@gmail.com>
Date: Wed Apr 24 21:44:23 2024 +0700

octeontx2-af: avoid off-by-one read from userspace  

We try to access count + 1 byte from userspace with memdup_user(buffer,  
count + 1). However, the userspace only provides buffer of count bytes and  
only these count bytes are verified to be okay to access. To ensure the  
copied buffer is NUL terminated, we use memdup_user_nul instead.  

Fixes: 3a2eb515d136 ("octeontx2-af: Fix an off by one in rvu_dbg_qsize_write()")  
Signed-off-by: Bui Quang Minh <minhquangbui99@gmail.com>  
Link: https://lore.kernel.org/r/20240424-fix-oob-read-v2-6-f1f1b53a10f4@gmail.com  
Signed-off-by: Jakub Kicinski <kuba@kernel.org>  

Signed-off-by: Kamal Heib <kheib@redhat.com>
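
A userspace C model of the off-by-one described in the commit message, added here as an example; it is not the driver's code or part of this merge request. `struct user_buf`, the `model_*` helpers and `dup_before_fix`/`dup_after_fix` are hypothetical names, and the model rejects any read past the supplied bytes so that the over-read becomes observable.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Constructed stand-in for a userspace buffer: only `len` bytes are valid. */
struct user_buf { const char *base; size_t len; };

/* Model of copy_from_user(): refuses to read past the valid bytes. */
static int model_copy_from_user(char *dst, const struct user_buf *src, size_t n)
{
    if (n > src->len)
        return -1;          /* bytes the caller never supplied */
    memcpy(dst, src->base, n);
    return 0;
}

/* Model of memdup_user(src, n): allocate n bytes, copy n bytes. */
static char *model_memdup_user(const struct user_buf *src, size_t n)
{
    char *p = malloc(n);
    if (p && model_copy_from_user(p, src, n)) { free(p); p = NULL; }
    return p;
}

/* Model of memdup_user_nul(src, n): allocate n + 1, copy n, terminate. */
static char *model_memdup_user_nul(const struct user_buf *src, size_t n)
{
    char *p = malloc(n + 1);
    if (p && model_copy_from_user(p, src, n)) { free(p); p = NULL; }
    if (p) p[n] = '\0';     /* terminator is written to the copy, not read */
    return p;
}

/* Pattern the commit message describes: request count + 1 bytes. */
static char *dup_before_fix(const struct user_buf *u, size_t count)
{ return model_memdup_user(u, count + 1); }
/* Pattern after the fix: read exactly count bytes, then NUL-terminate. */
static char *dup_after_fix(const struct user_buf *u, size_t count)
{ return model_memdup_user_nul(u, count); }

int main(void)
{
    static const char data[] = { '1', '2', '3', ' ', '4' }; /* 5 bytes, no NUL */
    struct user_buf u = { data, sizeof(data) };
    char *a = dup_before_fix(&u, u.len), *b = dup_after_fix(&u, u.len);
    printf("before fix: %s\n", a ? "copied" : "over-read rejected");
    printf("after fix:  \"%s\"\n", b ? b : "(null)");
    free(a); free(b);
    return 0;
}
```

In the kernel the extra byte is not necessarily rejected; it may simply be read from memory that was never validated, which is why the model makes the bound explicit.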
