[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-Id: <20250508130612.82270-1-markus.burri@mt.com>
Date: Thu, 8 May 2025 15:06:06 +0200
From: Markus Burri <markus.burri@...com>
To: linux-kernel@...r.kernel.org
Cc: Markus Burri <markus.burri@...com>,
Mahesh J Salgaonkar <mahesh@...ux.ibm.com>,
"Oliver O'Halloran" <oohall@...il.com>,
Madhavan Srinivasan <maddy@...ux.ibm.com>,
Michael Ellerman <mpe@...erman.id.au>,
Nicholas Piggin <npiggin@...il.com>,
Christophe Leroy <christophe.leroy@...roup.eu>,
Naveen N Rao <naveen@...nel.org>,
Jacek Lawrynowicz <jacek.lawrynowicz@...ux.intel.com>,
Maciej Falkowski <maciej.falkowski@...ux.intel.com>,
Oded Gabbay <ogabbay@...nel.org>,
Linus Walleij <linus.walleij@...aro.org>,
Bartosz Golaszewski <brgl@...ev.pl>,
Nuno Sa <nuno.sa@...log.com>,
Olivier Moysan <olivier.moysan@...s.st.com>,
Jonathan Cameron <jic23@...nel.org>,
Lars-Peter Clausen <lars@...afoo.de>,
linuxppc-dev@...ts.ozlabs.org,
dri-devel@...ts.freedesktop.org,
linux-gpio@...r.kernel.org,
linux-iio@...r.kernel.org,
Markus Burri <markus.burri@....ch>
Subject: [PATCH v4 0/6] Fix potential out-of-bounds error in some drivers
Several drivers are using debugfs and follow the same pattern.
A buffer is created on the stack with a limited size to copy the given data
from user space. The copy is performed using simple_write_to_buffer.
This function limits the input according to the specified buffer size, but
it does not write a string terminator if the buffer is truncated.
Therefore, the driver adds this zero terminator afterward.
Unfortunately, the original buffer size is used as an index, which can lead
to an out-of-bounds error.
This patch set fixes this issue in all the drivers I have detected so far.
The fix is to return an error in case of an unexpectedly long buffer being
received and to use the effective written size for the zero terminator for
consistency.
Changes in V4:
* Revert the decrement of accepted size by one character
* Added patches for drivers with the same pattern
Changes in V3:
* Decrement accepted size by one character according to feedback
Changes in V2:
* Use effective written size as index instead of original size
---
[V3] https://lore.kernel.org/lkml/20250505203830.5117-1-markus.burri@mt.com/
[V2] https://lore.kernel.org/lkml/20250505045346.29647-1-markus.burri@mt.com/
[V1] https://lore.kernel.org/lkml/20250501063240.25295-1-markus.burri@mt.com/
Markus Burri (6):
iio: backend: fix out-of-bound write
accel/ivpu: Use effective buffer size for zero terminator
iio: fix potential out-of-bound write
gpio: fix potential out-of-bound write
powerpc/eeh: fix potential OoB
powerpc/eeh-powernv: fix potential OoB
arch/powerpc/kernel/eeh.c | 7 ++++++-
arch/powerpc/platforms/powernv/eeh-powernv.c | 7 ++++++-
drivers/accel/ivpu/ivpu_debugfs.c | 2 +-
drivers/gpio/gpio-virtuser.c | 12 ++++++++++--
drivers/iio/industrialio-backend.c | 5 ++++-
drivers/iio/industrialio-core.c | 5 ++++-
6 files changed, 31 insertions(+), 7 deletions(-)
base-commit: b4432656b36e5cc1d50a1f2dc15357543add530e
--
2.39.5
Powered by blists - more mailing lists