iv/linux
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

scsi: lpfc: Prevent buffer overflow crashes in debugfs with malformed user input

Browse Source 
[ Upstream commit f8191d40aa612981ce897e66cda6a88db8df17bb ]

Malformed user input to debugfs results in buffer overflow crashes.  Adapt
input string lengths to fit within internal buffers, leaving space for NULL
terminators.

Link: https://lore.kernel.org/r/20220701211425.2708-3-jsmart2021@gmail.com
Co-developed-by: Justin Tee <justin.tee@broadcom.com>
Signed-off-by: Justin Tee <justin.tee@broadcom.com>
Signed-off-by: James Smart <jsmart2021@gmail.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
This commit is contained in:
James Smart 2022-07-01 14:14:15 -07:00 committed by Greg Kroah-Hartman
parent 92f8378250
commit 2d544e9d19
1 changed files with 10 additions and 10 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

20
drivers/scsi/lpfc/lpfc_debugfs.c
View File

@ -2607,8 +2607,8 @@ lpfc_debugfs_multixripools_write(struct file *file, const char __user *buf,
struct lpfc_sli4_hdw_queue *qp;
struct lpfc_multixri_pool *multixri_pool;
if (nbytes > 64)
nbytes = 64;
if (nbytes > sizeof(mybuf) - 1)
nbytes = sizeof(mybuf) - 1;
memset(mybuf, 0, sizeof(mybuf));
@ -2688,8 +2688,8 @@ lpfc_debugfs_nvmestat_write(struct file *file, const char __user *buf,
if (!phba->targetport)
return -ENXIO;
if (nbytes > 64)
nbytes = 64;
if (nbytes > sizeof(mybuf) - 1)
nbytes = sizeof(mybuf) - 1;
memset(mybuf, 0, sizeof(mybuf));
@ -2826,8 +2826,8 @@ lpfc_debugfs_ioktime_write(struct file *file, const char __user *buf,
char mybuf[64];
char *pbuf;
if (nbytes > 64)
nbytes = 64;
if (nbytes > sizeof(mybuf) - 1)
nbytes = sizeof(mybuf) - 1;
memset(mybuf, 0, sizeof(mybuf));
@ -2954,8 +2954,8 @@ lpfc_debugfs_nvmeio_trc_write(struct file *file, const char __user *buf,
char mybuf[64];
char *pbuf;
if (nbytes > 63)
nbytes = 63;
if (nbytes > sizeof(mybuf) - 1)
nbytes = sizeof(mybuf) - 1;
memset(mybuf, 0, sizeof(mybuf));
@ -3060,8 +3060,8 @@ lpfc_debugfs_hdwqstat_write(struct file *file, const char __user *buf,
char *pbuf;
int i;
if (nbytes > 64)
nbytes = 64;
if (nbytes > sizeof(mybuf) - 1)
nbytes = sizeof(mybuf) - 1;
memset(mybuf, 0, sizeof(mybuf));