| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20251215122214.381098-2-thorsten.blum@linux.dev>
Date: Mon, 15 Dec 2025 13:22:14 +0100
From: Thorsten Blum <thorsten.blum@...ux.dev>
To: Alexander Gordeev <agordeev@...ux.ibm.com>,
Gerald Schaefer <gerald.schaefer@...ux.ibm.com>,
Heiko Carstens <hca@...ux.ibm.com>,
Vasily Gorbik <gor@...ux.ibm.com>,
Christian Borntraeger <borntraeger@...ux.ibm.com>,
Sven Schnelle <svens@...ux.ibm.com>
Cc: Thorsten Blum <thorsten.blum@...ux.dev>,
linux-s390@...r.kernel.org,
linux-kernel@...r.kernel.org
Subject: [PATCH] s390/cmm: Account for NUL when calculating 'len' in cmm_timeout_handler
When the input length 'lenp' equals sizeof(buf), the current code copies
all 64 bytes, but then immediately overwrites the last byte with a NUL
terminator. Limit the number of bytes to copy to 'sizeof(buf) - 1' to
reserve space for the NUL terminator.
Signed-off-by: Thorsten Blum <thorsten.blum@...ux.dev>
---
arch/s390/mm/cmm.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/arch/s390/mm/cmm.c b/arch/s390/mm/cmm.c
index eb7ef63fab1e..06512bc178a5 100644
--- a/arch/s390/mm/cmm.c
+++ b/arch/s390/mm/cmm.c
@@ -311,9 +311,9 @@ static int cmm_timeout_handler(const struct ctl_table *ctl, int write,
}
if (write) {
- len = min(*lenp, sizeof(buf));
+ len = min(*lenp, sizeof(buf) - 1);
memcpy(buf, buffer, len);
- buf[len - 1] = '\0';
+ buf[len] = '\0';
cmm_skip_blanks(buf, &p);
nr = simple_strtoul(p, &p, 0);
cmm_skip_blanks(p, &p);
--
Thorsten Blum <thorsten.blum@...ux.dev>
GPG: 1D60 735E 8AEF 3BE4 73B6 9D84 7336 78FD 8DFE EAD4
Powered by blists - more mailing lists