| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <20250508130612.82270-1-markus.burri@mt.com> Date: Thu, 8 May 2025 15:06:06 +0200 From: Markus Burri <markus.burri@...com> To: linux-kernel@...r.kernel.org Cc: Markus Burri <markus.burri@...com>, Mahesh J Salgaonkar <mahesh@...ux.ibm.com>, "Oliver O'Halloran" <oohall@...il.com>, Madhavan Srinivasan <maddy@...ux.ibm.com>, Michael Ellerman <mpe@...erman.id.au>, Nicholas Piggin <npiggin@...il.com>, Christophe Leroy <christophe.leroy@...roup.eu>, Naveen N Rao <naveen@...nel.org>, Jacek Lawrynowicz <jacek.lawrynowicz@...ux.intel.com>, Maciej Falkowski <maciej.falkowski@...ux.intel.com>, Oded Gabbay <ogabbay@...nel.org>, Linus Walleij <linus.walleij@...aro.org>, Bartosz Golaszewski <brgl@...ev.pl>, Nuno Sa <nuno.sa@...log.com>, Olivier Moysan <olivier.moysan@...s.st.com>, Jonathan Cameron <jic23@...nel.org>, Lars-Peter Clausen <lars@...afoo.de>, linuxppc-dev@...ts.ozlabs.org, dri-devel@...ts.freedesktop.org, linux-gpio@...r.kernel.org, linux-iio@...r.kernel.org, Markus Burri <markus.burri@....ch> Subject: [PATCH v4 0/6] Fix potential out-of-bounds error in some drivers Several drivers are using debugfs and follow the same pattern. A buffer is created on the stack with a limited size to copy the given data from user space. The copy is performed using simple_write_to_buffer. This function limits the input according to the specified buffer size, but it does not write a string terminator if the buffer is truncated. Therefore, the driver adds this zero terminator afterward. Unfortunately, the original buffer size is used as an index, which can lead to an out-of-bounds error. This patch set fixes this issue in all the drivers I have detected so far. The fix is to return an error in case of an unexpectedly long buffer being received and to use the effective written size for the zero terminator for consistency. Changes in V4: * Revert the decrement of accepted size by one character * Added patches for drivers with the same pattern Changes in V3: * Decrement accepted size by one character according to feedback Changes in V2: * Use effective written size as index instead of original size --- [V3] https://lore.kernel.org/lkml/20250505203830.5117-1-markus.burri@mt.com/ [V2] https://lore.kernel.org/lkml/20250505045346.29647-1-markus.burri@mt.com/ [V1] https://lore.kernel.org/lkml/20250501063240.25295-1-markus.burri@mt.com/ Markus Burri (6): iio: backend: fix out-of-bound write accel/ivpu: Use effective buffer size for zero terminator iio: fix potential out-of-bound write gpio: fix potential out-of-bound write powerpc/eeh: fix potential OoB powerpc/eeh-powernv: fix potential OoB arch/powerpc/kernel/eeh.c | 7 ++++++- arch/powerpc/platforms/powernv/eeh-powernv.c | 7 ++++++- drivers/accel/ivpu/ivpu_debugfs.c | 2 +- drivers/gpio/gpio-virtuser.c | 12 ++++++++++-- drivers/iio/industrialio-backend.c | 5 ++++- drivers/iio/industrialio-core.c | 5 ++++- 6 files changed, 31 insertions(+), 7 deletions(-) base-commit: b4432656b36e5cc1d50a1f2dc15357543add530e -- 2.39.5
Powered by blists - more mailing lists