to
> OOB read when using scanf. Fix this issue by using memdup_user_nul instead.
>
> Fixes: a4f17cc72671 ("s390/cio: add CRW inject functionality")
> Signed-off-by: Bui Quang Minh
> ---
> drivers/s390/cio/cio_inject.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
Reviewed-by: Heiko Carstens
On Tue, Apr 23, 2024 at 09:46:35PM +0700, Bui Quang Minh wrote:
> > > - buffer = vmemdup_user(buf, lbuf);
> > > + buffer = vmemdup_user(buf, lbuf + 1);
> > > if (IS_ERR(buffer))
> > > return -ENOMEM;
> > > + buffer[lbuf] = '\0';
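Review bot: In the vmemdup_user() line, passing lbuf + 1 as the length makes the kernel copy lbuf + 1 bytes from the user pointer, although only lbuf bytes were supplied at buf. The extra byte comes from user memory past the data, and the whole copy fails if that byte is not mapped. Allocate lbuf + 1 but copy only lbuf, which is what memdup_user_nul(buf, lbuf) does, and drop the manual buffer[lbuf] = '\0'. Separately, the unchanged return -ENOMEM after IS_ERR(buffer) hides a copy fault; return PTR_ERR(buffer) would pass the real error on.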
> >
> > This would read one byte too much
On Mon, Apr 22, 2024 at 11:41:40PM +0700, Bui Quang Minh wrote:
> Currently, we allocate a lbuf-sized kernel buffer and copy lbuf from
> userspace to that buffer. Later, we use scanf on this buffer but we don't
> ensure that the string is terminated inside the buffer; this can lead to
> OOB read wh
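The missing terminator described in the commit message above, modelled in userspace C as an added example that is not part of the thread or the kernel source. The region size, the '7' filler bytes, the `%u` format and the name `parse_value` are assumptions chosen for illustration.

```c
#include <stdio.h>
#include <string.h>

#define REGION 8   /* constructed: small enough that the parsed value fits in unsigned */

/* Userspace model, not kernel code. The first lbuf bytes of region[] stand for
 * the kernel copy of the user data; the rest stands for adjacent memory.
 * terminate == 0 models the pre-fix copy of exactly lbuf bytes;
 * terminate == 1 models memdup_user_nul(), which adds a NUL after them. */
static int parse_value(const char *ubuf, size_t lbuf, int terminate, unsigned *out)
{
    char region[REGION];

    if (lbuf + 1 >= REGION)
        return -1;
    memset(region, '7', REGION - 1);   /* stale neighbouring bytes (constructed) */
    region[REGION - 1] = '\0';         /* keeps this model itself in bounds */
    memcpy(region, ubuf, lbuf);        /* stands in for the copy from userspace */
    if (terminate)
        region[lbuf] = '\0';
    /* Without the terminator, parsing runs on into the neighbouring bytes. */
    return sscanf(region, "%u", out) == 1 ? 0 : -1;
}

int main(void)
{
    const char user_data[2] = { '1', '2' };   /* user writes 2 bytes, no NUL */
    unsigned v = 0;

    parse_value(user_data, sizeof(user_data), 0, &v);
    printf("unterminated: %u\n", v);
    parse_value(user_data, sizeof(user_data), 1, &v);
    printf("terminated:   %u\n", v);
    return 0;
}
```

In the model the neighbouring bytes are fixed digits so the result is repeatable; in a real heap they are whatever the previous owner of the memory left there.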