| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <20250829083015.1992751-1-linmq006@gmail.com>
Date: Fri, 29 Aug 2025 16:30:15 +0800
From: Miaoqian Lin <linmq006@...il.com>
To: chris@...kel.net,
jcmvbkbc@...il.com,
linmq006@...il.com,
thorsten.blum@...ux.dev,
viro@...iv.linux.org.uk
Cc: linux-kernel@...r.kernel.org,
stable@...r.kernel.org
Subject: [PATCH] xtensa: simdisk: add input size check in proc_write_simdisk
A malicious user could pass an arbitrarily bad value
to memdup_user_nul(), potentially causing kernel crash.
This follows the same pattern as commit ee76746387f6
("netdevsim: prevent bad user input in nsim_dev_health_break_write()")
Fixes: b6c7e873daf7 ("xtensa: ISS: add host file-based simulated disk")
Fixes: 16e5c1fc3604 ("convert a bunch of open-coded instances of memdup_user_nul()")
Cc: stable@...r.kernel.org
Signed-off-by: Miaoqian Lin <linmq006@...il.com>
---
arch/xtensa/platforms/iss/simdisk.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/arch/xtensa/platforms/iss/simdisk.c b/arch/xtensa/platforms/iss/simdisk.c
index 6ed009318d24..3cafc8feddee 100644
--- a/arch/xtensa/platforms/iss/simdisk.c
+++ b/arch/xtensa/platforms/iss/simdisk.c
@@ -231,10 +231,14 @@ static ssize_t proc_read_simdisk(struct file *file, char __user *buf,
static ssize_t proc_write_simdisk(struct file *file, const char __user *buf,
size_t count, loff_t *ppos)
{
- char *tmp = memdup_user_nul(buf, count);
+ char *tmp;
struct simdisk *dev = pde_data(file_inode(file));
int err;
+ if (count == 0 || count > PAGE_SIZE)
+ return -EINVAL;
+
+ tmp = memdup_user_nul(buf, count);
if (IS_ERR(tmp))
return PTR_ERR(tmp);
--
2.35.1
Powered by blists - more mailing lists