[thirdparty/kernel/stable-queue.git] / releases / 4.14.129 / misdn-make-sure-device-name-is-nul-terminated.patch

From 9d554ebac253c9465a5dbe8c339a0f0f74d41c71 Mon Sep 17 00:00:00 2001
From: Dan Carpenter <dan.carpenter@oracle.com>
Date: Wed, 22 May 2019 11:45:13 +0300
Subject: mISDN: make sure device name is NUL terminated

[ Upstream commit ccfb62f27beb295103e9392462b20a6ed807d0ea ]

The user can change the device_name with the IMSETDEVNAME ioctl, but we
need to ensure that the user's name is NUL terminated.  Otherwise it
could result in a buffer overflow when we copy the name back to the user
with IMGETDEVINFO ioctl.

I also changed two strcpy() calls which handle the name to strscpy().
Hopefully, there aren't any other ways to create a too long name, but
it's nice to do this as a kernel hardening measure.

Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/isdn/mISDN/socket.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/drivers/isdn/mISDN/socket.c b/drivers/isdn/mISDN/socket.c
index 65cb4aac8dce..477e07036add 100644
--- a/drivers/isdn/mISDN/socket.c
+++ b/drivers/isdn/mISDN/socket.c
@@ -394,7 +394,7 @@ data_sock_ioctl(struct socket *sock, unsigned int cmd, unsigned long arg)
 			memcpy(di.channelmap, dev->channelmap,
 			       sizeof(di.channelmap));
 			di.nrbchan = dev->nrbchan;
-			strcpy(di.name, dev_name(&dev->dev));
+			strscpy(di.name, dev_name(&dev->dev), sizeof(di.name));
 			if (copy_to_user((void __user *)arg, &di, sizeof(di)))
 				err = -EFAULT;
 		} else
@@ -678,7 +678,7 @@ base_sock_ioctl(struct socket *sock, unsigned int cmd, unsigned long arg)
 			memcpy(di.channelmap, dev->channelmap,
 			       sizeof(di.channelmap));
 			di.nrbchan = dev->nrbchan;
-			strcpy(di.name, dev_name(&dev->dev));
+			strscpy(di.name, dev_name(&dev->dev), sizeof(di.name));
 			if (copy_to_user((void __user *)arg, &di, sizeof(di)))
 				err = -EFAULT;
 		} else
@@ -692,6 +692,7 @@ base_sock_ioctl(struct socket *sock, unsigned int cmd, unsigned long arg)
 			err = -EFAULT;
 			break;
 		}
+		dn.name[sizeof(dn.name) - 1] = '\0';
 		dev = get_mdevice(dn.id);
 		if (dev)
 			err = device_rename(&dev->dev, dn.name);
-- 
2.20.1
Commit	Line	Data
2a2a4ae2 SL	1	From 9d554ebac253c9465a5dbe8c339a0f0f74d41c71 Mon Sep 17 00:00:00 2001
	2	From: Dan Carpenter <dan.carpenter@oracle.com>
	3	Date: Wed, 22 May 2019 11:45:13 +0300
	4	Subject: mISDN: make sure device name is NUL terminated
	5
	6	[ Upstream commit ccfb62f27beb295103e9392462b20a6ed807d0ea ]
	7
	8	The user can change the device_name with the IMSETDEVNAME ioctl, but we
	9	need to ensure that the user's name is NUL terminated. Otherwise it
	10	could result in a buffer overflow when we copy the name back to the user
	11	with IMGETDEVINFO ioctl.
	12
	13	I also changed two strcpy() calls which handle the name to strscpy().
	14	Hopefully, there aren't any other ways to create a too long name, but
	15	it's nice to do this as a kernel hardening measure.
	16
	17	Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
	18	Signed-off-by: David S. Miller <davem@davemloft.net>
	19	Signed-off-by: Sasha Levin <sashal@kernel.org>
	20	---
	21	drivers/isdn/mISDN/socket.c \| 5 +++--
	22	1 file changed, 3 insertions(+), 2 deletions(-)
	23
	24	diff --git a/drivers/isdn/mISDN/socket.c b/drivers/isdn/mISDN/socket.c
	25	index 65cb4aac8dce..477e07036add 100644
	26	--- a/drivers/isdn/mISDN/socket.c
	27	+++ b/drivers/isdn/mISDN/socket.c
	28	@@ -394,7 +394,7 @@ data_sock_ioctl(struct socket *sock, unsigned int cmd, unsigned long arg)
	29	memcpy(di.channelmap, dev->channelmap,
	30	sizeof(di.channelmap));
	31	di.nrbchan = dev->nrbchan;
	32	- strcpy(di.name, dev_name(&dev->dev));
	33	+ strscpy(di.name, dev_name(&dev->dev), sizeof(di.name));
	34	if (copy_to_user((void __user *)arg, &di, sizeof(di)))
	35	err = -EFAULT;
	36	} else
	37	@@ -678,7 +678,7 @@ base_sock_ioctl(struct socket *sock, unsigned int cmd, unsigned long arg)
	38	memcpy(di.channelmap, dev->channelmap,
	39	sizeof(di.channelmap));
	40	di.nrbchan = dev->nrbchan;
	41	- strcpy(di.name, dev_name(&dev->dev));
	42	+ strscpy(di.name, dev_name(&dev->dev), sizeof(di.name));
	43	if (copy_to_user((void __user *)arg, &di, sizeof(di)))
	44	err = -EFAULT;
	45	} else
	46	@@ -692,6 +692,7 @@ base_sock_ioctl(struct socket *sock, unsigned int cmd, unsigned long arg)
	47	err = -EFAULT;
	48	break;
	49	}
	50	+ dn.name[sizeof(dn.name) - 1] = '\0';
	51	dev = get_mdevice(dn.id);
	52	if (dev)
	53	err = device_rename(&dev->dev, dn.name);
	54	--
	55	2.20.1
	56