| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20250722115017.206969-1-a.jahangirzad@gmail.com> Date: Tue, 22 Jul 2025 15:20:17 +0330 From: Amir Mohammad Jahangirzad <a.jahangirzad@...il.com> To: anthony.l.nguyen@...el.com, przemyslaw.kitszel@...el.com, andrew+netdev@...n.ch, davem@...emloft.net, edumazet@...gle.com, kuba@...nel.org, pabeni@...hat.com Cc: intel-wired-lan@...ts.osuosl.org, netdev@...r.kernel.org, linux-kernel@...r.kernel.org, Amir Mohammad Jahangirzad <a.jahangirzad@...il.com> Subject: [PATCH] i40e: replace snprintf() with scnprintf() In i40e_dbg_command_read(), a 256-byte buffer is allocated and filled using snprintf(), then copied to userspace via copy_to_user(). The issue is that snprintf() returns the number of characters that *Would* have been written, not the number that actually fit in the buffer. If the combined length of the netdev name and i40e_dbg_command_buf is long (e.g. 288 + 3 bytes), snprintf() still returns 291 - even though only 256 bytes were written. This value is passed to copy_to_user(), which may read past the end of the buffer and leak kernel memory to userspace. Replacing snprintf() with scnprintf() fixes this. It returns the actual number of bytes written, ensuring we only copy valid data. Signed-off-by: Amir Mohammad Jahangirzad <a.jahangirzad@...il.com> --- drivers/net/ethernet/intel/i40e/i40e_debugfs.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/net/ethernet/intel/i40e/i40e_debugfs.c b/drivers/net/ethernet/intel/i40e/i40e_debugfs.c index 6cd9da662ae1..19a78052800f 100644 --- a/drivers/net/ethernet/intel/i40e/i40e_debugfs.c +++ b/drivers/net/ethernet/intel/i40e/i40e_debugfs.c @@ -70,7 +70,7 @@ static ssize_t i40e_dbg_command_read(struct file *filp, char __user *buffer, return -ENOSPC; main_vsi = i40e_pf_get_main_vsi(pf); - len = snprintf(buf, buf_size, "%s: %s\n", main_vsi->netdev->name, + len = scnprintf(buf, buf_size, "%s: %s\n", main_vsi->netdev->name, i40e_dbg_command_buf); bytes_not_copied = copy_to_user(buffer, buf, len); -- 2.43.0
Powered by blists - more mailing lists