| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <PH3PPF7A88A980A3D6E4FD4E6D0E9179E95E55CA@PH3PPF7A88A980A.namprd11.prod.outlook.com> Date: Tue, 22 Jul 2025 15:57:14 +0000 From: "Loktionov, Aleksandr" <aleksandr.loktionov@...el.com> To: Amir Mohammad Jahangirzad <a.jahangirzad@...il.com>, "Nguyen, Anthony L" <anthony.l.nguyen@...el.com>, "Kitszel, Przemyslaw" <przemyslaw.kitszel@...el.com>, "andrew+netdev@...n.ch" <andrew+netdev@...n.ch>, "davem@...emloft.net" <davem@...emloft.net>, "edumazet@...gle.com" <edumazet@...gle.com>, "kuba@...nel.org" <kuba@...nel.org>, "pabeni@...hat.com" <pabeni@...hat.com> CC: "intel-wired-lan@...ts.osuosl.org" <intel-wired-lan@...ts.osuosl.org>, "netdev@...r.kernel.org" <netdev@...r.kernel.org>, "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org> Subject: RE: [Intel-wired-lan] [PATCH] i40e: replace snprintf() with scnprintf() > -----Original Message----- > From: Intel-wired-lan <intel-wired-lan-bounces@...osl.org> On Behalf > Of Amir Mohammad Jahangirzad > Sent: Tuesday, July 22, 2025 1:50 PM > To: Nguyen, Anthony L <anthony.l.nguyen@...el.com>; Kitszel, > Przemyslaw <przemyslaw.kitszel@...el.com>; andrew+netdev@...n.ch; > davem@...emloft.net; edumazet@...gle.com; kuba@...nel.org; > pabeni@...hat.com > Cc: intel-wired-lan@...ts.osuosl.org; netdev@...r.kernel.org; linux- > kernel@...r.kernel.org; Amir Mohammad Jahangirzad > <a.jahangirzad@...il.com> > Subject: [Intel-wired-lan] [PATCH] i40e: replace snprintf() with > scnprintf() > > In i40e_dbg_command_read(), a 256-byte buffer is allocated and filled > using snprintf(), then copied to userspace via copy_to_user(). > > The issue is that snprintf() returns the number of characters that > *Would* have been written, not the number that actually fit in the > buffer. > If the combined length of the netdev name and i40e_dbg_command_buf is > long (e.g. 288 + 3 bytes), snprintf() still returns 291 - even though > only > 256 bytes were written. > > This value is passed to copy_to_user(), which may read past the end of > the buffer and leak kernel memory to userspace. > > Replacing snprintf() with scnprintf() fixes this. It returns the > actual number of bytes written, ensuring we only copy valid data. > Can you add 'Fixes:' tag? And I think this patch should be directed to [Intel-wired-lan] [PATCH iwl-net] To be backported to all LTS kernels. > Signed-off-by: Amir Mohammad Jahangirzad <a.jahangirzad@...il.com> > --- > drivers/net/ethernet/intel/i40e/i40e_debugfs.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/drivers/net/ethernet/intel/i40e/i40e_debugfs.c > b/drivers/net/ethernet/intel/i40e/i40e_debugfs.c > index 6cd9da662ae1..19a78052800f 100644 > --- a/drivers/net/ethernet/intel/i40e/i40e_debugfs.c > +++ b/drivers/net/ethernet/intel/i40e/i40e_debugfs.c > @@ -70,7 +70,7 @@ static ssize_t i40e_dbg_command_read(struct file > *filp, char __user *buffer, > return -ENOSPC; > > main_vsi = i40e_pf_get_main_vsi(pf); > - len = snprintf(buf, buf_size, "%s: %s\n", main_vsi->netdev- > >name, > + len = scnprintf(buf, buf_size, "%s: %s\n", main_vsi->netdev- > >name, > i40e_dbg_command_buf); > > bytes_not_copied = copy_to_user(buffer, buf, len); > -- > 2.43.0
Powered by blists - more mailing lists