
Unsafe read of user buf in procfs

Open iaoing opened this issue 2 years ago • 0 comments

Issue

In the functions nova_seq_delete_snapshot and nova_seq_test_perf, NOVA calls sscanf directly on the user's buffer, which is unsafe and could sometimes cause a segmentation fault. In contrast, in the function nova_seq_gc, NOVA copies the buffer from user space to kernel space before calling sscanf on the content.

https://github.com/NVSL/linux-nova/blob/976a4d1f3d5282863b23aa834e02012167be6ee2/fs/nova/sysfs.c#L317-L329
https://github.com/NVSL/linux-nova/blob/976a4d1f3d5282863b23aa834e02012167be6ee2/fs/nova/sysfs.c#L377-L392
https://github.com/NVSL/linux-nova/blob/976a4d1f3d5282863b23aa834e02012167be6ee2/fs/nova/sysfs.c#L419-L448

Fix

copy_from_user before sscanf.

iaoing, Jan 01 '24 23:01
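The copy-then-parse pattern the issue asks for, as an added example that is not NOVA's code or the reporter's patch. The helper name `parse_user_u64`, the `CMD_MAX` bound and the userspace shim for `copy_from_user` are assumptions made so the pattern can be compiled and exercised outside a kernel tree.

```c
#ifdef __KERNEL__
#include <linux/kernel.h>
#include <linux/errno.h>
#include <linux/uaccess.h>
#else /* userspace shim (constructed) so the pattern builds offline */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#define __user
/* Stand-in only: treats NULL as an unmapped user address.
 * Like the kernel call, returns the number of bytes NOT copied. */
static unsigned long copy_from_user(void *to, const void *from,
				    unsigned long n)
{
	if (!from)
		return n;
	memcpy(to, from, n);
	return 0;
}
#endif

#define CMD_MAX 32 /* assumed upper bound for one numeric command */

/* Hypothetical helper: parse a single u64 written to a proc file.
 * Returns len on success, -EINVAL or -EFAULT on failure. */
static ssize_t parse_user_u64(const char __user *ubuf, size_t len,
			      unsigned long long *out)
{
	char kbuf[CMD_MAX];

	/* Reject empty or oversized writes; leave room for the NUL. */
	if (len == 0 || len >= sizeof(kbuf))
		return -EINVAL;
	/* A bad user pointer becomes an error code, not a kernel fault. */
	if (copy_from_user(kbuf, ubuf, len))
		return -EFAULT;
	/* User data is not guaranteed to be NUL-terminated. */
	kbuf[len] = '\0';
	/* sscanf now only ever touches kernel memory. */
	if (sscanf(kbuf, "%llu", out) != 1)
		return -EINVAL;
	return (ssize_t)len;
}
```

For a single integer, the kernel's `kstrtoull_from_user()` performs the same bounded copy and parse in one call.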