github-mirror/linux
1
0
Fork 0
mirror of https://github.com/torvalds/linux.git synced 2026-05-24 15:12:13 +02:00
Code Issues Actions Packages Projects Releases Wiki Activity Graph

scsi: scsi_debug: Fix some bugs in sdebug_error_write()

Browse Source 
There are two bug in this code:

 1) If count is zero, then it will lead to a NULL dereference.  The
    kmalloc() will successfully allocate zero bytes and the test for "if
    (buf[0] == '-')" will read beyond the end of the zero size buffer and
    Oops.

 2) The code does not ensure that the user's string is properly NUL
    terminated which could lead to a read overflow.

Fixes: a9996d722b ("scsi: scsi_debug: Add interface to manage error injection for a single device")
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
Link: https://lore.kernel.org/r/7733643d-e102-4581-8d29-769472011c97@moroto.mountain
Reviewed-by: Wenchao Hao <haowenchao2@huawei.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
This commit is contained in:
Dan Carpenter 2023-11-06 17:04:33 +03:00 committed by Martin K. Petersen
parent 27900d7119
commit 860c3d03bb
1 changed files with 1 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
drivers/scsi/scsi_debug.c
View File

@ -1019,7 +1019,7 @@ static ssize_t sdebug_error_write(struct file *file, const char __user *ubuf,
struct sdebug_err_inject *inject;
struct scsi_device *sdev = (struct scsi_device *)file->f_inode->i_private;
buf = kmalloc(count, GFP_KERNEL);
buf = kzalloc(count + 1, GFP_KERNEL);
if (!buf)
return -ENOMEM;