queue-4.19/misdn-make-sure-device-name-is-nul-terminated.patch

   1 From 677db97411bfb724aaf32ebb0fdca2a0b0ac25bd Mon Sep 17 00:00:00 2001
   2 From: Dan Carpenter <dan.carpenter@oracle.com>
   3 Date: Wed, 22 May 2019 11:45:13 +0300
   4 Subject: mISDN: make sure device name is NUL terminated
   5
   6 [ Upstream commit ccfb62f27beb295103e9392462b20a6ed807d0ea ]
   7
   8 The user can change the device_name with the IMSETDEVNAME ioctl, but we
   9 need to ensure that the user's name is NUL terminated.  Otherwise it
  10 could result in a buffer overflow when we copy the name back to the user
  11 with IMGETDEVINFO ioctl.
  12
  13 I also changed two strcpy() calls which handle the name to strscpy().
  14 Hopefully, there aren't any other ways to create a too long name, but
  15 it's nice to do this as a kernel hardening measure.
  16
  17 Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
  18 Signed-off-by: David S. Miller <davem@davemloft.net>
  19 Signed-off-by: Sasha Levin <sashal@kernel.org>
  20 ---
  21  drivers/isdn/mISDN/socket.c | 5 +++--
  22  1 file changed, 3 insertions(+), 2 deletions(-)
  23
  24 diff --git a/drivers/isdn/mISDN/socket.c b/drivers/isdn/mISDN/socket.c
  25 index b2abc44fa5cb..a73337b74f41 100644
  26 --- a/drivers/isdn/mISDN/socket.c
  27 +++ b/drivers/isdn/mISDN/socket.c
  28 @@ -394,7 +394,7 @@ data_sock_ioctl(struct socket *sock, unsigned int cmd, unsigned long arg)
  29                         memcpy(di.channelmap, dev->channelmap,
  30                                sizeof(di.channelmap));
  31                         di.nrbchan = dev->nrbchan;
  32 -                       strcpy(di.name, dev_name(&dev->dev));
  33 +                       strscpy(di.name, dev_name(&dev->dev), sizeof(di.name));
  34                         if (copy_to_user((void __user *)arg, &di, sizeof(di)))
  35                                 err = -EFAULT;
  36                 } else
  37 @@ -677,7 +677,7 @@ base_sock_ioctl(struct socket *sock, unsigned int cmd, unsigned long arg)
  38                         memcpy(di.channelmap, dev->channelmap,
  39                                sizeof(di.channelmap));
  40                         di.nrbchan = dev->nrbchan;
  41 -                       strcpy(di.name, dev_name(&dev->dev));
  42 +                       strscpy(di.name, dev_name(&dev->dev), sizeof(di.name));
  43                         if (copy_to_user((void __user *)arg, &di, sizeof(di)))
  44                                 err = -EFAULT;
  45                 } else
  46 @@ -691,6 +691,7 @@ base_sock_ioctl(struct socket *sock, unsigned int cmd, unsigned long arg)
  47                         err = -EFAULT;
  48                         break;
  49                 }
  50 +               dn.name[sizeof(dn.name) - 1] = '\0';
  51                 dev = get_mdevice(dn.id);
  52                 if (dev)
  53                         err = device_rename(&dev->dev, dn.name);
  54 --
  55 2.20.1
  56