| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <aQB8PRlaBY_9-L8d@smile.fi.intel.com> Date: Tue, 28 Oct 2025 10:18:05 +0200 From: Andy Shevchenko <andriy.shevchenko@...el.com> To: Miaoqian Lin <linmq006@...il.com> Cc: Lars-Peter Clausen <lars@...afoo.de>, Michael Hennerich <Michael.Hennerich@...log.com>, Jonathan Cameron <jic23@...nel.org>, David Lechner <dlechner@...libre.com>, Nuno Sá <nuno.sa@...log.com>, Andy Shevchenko <andy@...nel.org>, Angelo Dureghello <adureghello@...libre.com>, linux-iio@...r.kernel.org, linux-kernel@...r.kernel.org, stable@...r.kernel.org Subject: Re: [PATCH] iio: dac: ad3552r-hs: fix out-of-bound write in ad3552r_hs_write_data_source On Mon, Oct 27, 2025 at 11:07:13PM +0800, Miaoqian Lin wrote: > When simple_write_to_buffer() succeeds, it returns the number of bytes > actually copied to the buffer, which may be less than the requested > 'count' if the buffer size is insufficient. However, the current code > incorrectly uses 'count' as the index for null termination instead of > the actual bytes copied, leading to out-of-bound write. > > Add a check for the count and use the return value as the index. ... > + if (count >= sizeof(buf)) > + return -ENOSPC; But this makes the validation too strict now. > ret = simple_write_to_buffer(buf, sizeof(buf) - 1, ppos, userbuf, > count); You definitely failed to read the code that implements the above. > if (ret < 0) > return ret; > > - buf[count] = '\0'; > + buf[ret] = '\0'; NAK. This patch is an unneeded churn. -- With Best Regards, Andy Shevchenko
Powered by blists - more mailing lists