Commit 1708e3cf authored Apr 24, 2024 by Bui Quang Minh Committed by Greg Kroah-Hartman Jun 16, 2024

scsi: bfa: Ensure the copied buf is NUL terminated



[ Upstream commit 13d0cecb ]

Currently, we allocate a nbytes-sized kernel buffer and copy nbytes from
userspace to that buffer. Later, we use sscanf on this buffer but we don't
ensure that the string is terminated inside the buffer, this can lead to
OOB read when using sscanf. Fix this issue by using memdup_user_nul instead
of memdup_user.

Fixes: 9f30b674 ("bfa: replace 2 kzalloc/copy_from_user by memdup_user")
Signed-off-by: Bui Quang Minh <minhquangbui99@gmail.com>
Link: https://lore.kernel.org/r/20240424-fix-oob-read-v2-3-f1f1b53a10f4@gmail.com


Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>

parent 3dfc214d

Show whitespace changes

Inline Side-by-side

CodeLinaro @codelinaro
mentioned in commit 6317f88f
· Nov 05, 2025

mentioned in commit 6317f88f

mentioned in commit 6317f88f7802b2af8b4c923e9f7af299c1f10ca1

Toggle commit list

Please to comment