Message-ID: <ea889379-7cc9-4e03-8040-2797acfb375c@gaisler.com>
Date: Wed, 14 Jan 2026 09:40:28 +0100
From: Andreas Larsson <andreas@...sler.com>
To: Miaoqian Lin <linmq006@...il.com>, "David S. Miller"
 <davem@...emloft.net>, Ingo Molnar <mingo@...nel.org>,
 Thomas Gleixner <tglx@...utronix.de>, Lars Kotthoff
 <metalhead@...alhead.ws>, sparclinux@...r.kernel.org,
 linux-kernel@...r.kernel.org
Cc: stable@...r.kernel.org
Subject: Re: [PATCH] sparc/led: prevent buffer underflow on zero-length write

On 2025-10-30 08:21, Miaoqian Lin wrote:
> Fix out-of-bounds access in led_proc_write() when count is 0.
> Accessing buf[count - 1] with count=0 reads/writes buf[-1].
> 
> Check for count==0 and return -EINVAL early to fix this.
> 
> Found via static analysis and code review.
> 
> Fixes: ee1858d3122d ("[SPARC]: Add sun4m LED driver.")
> Cc: stable@...r.kernel.org
> Signed-off-by: Miaoqian Lin <linmq006@...il.com>
> ---
>  arch/sparc/kernel/led.c | 3 +++
>  1 file changed, 3 insertions(+)
> 
> diff --git a/arch/sparc/kernel/led.c b/arch/sparc/kernel/led.c
> index f4fb82b019bb..aa0ca0d8d0e2 100644
> --- a/arch/sparc/kernel/led.c
> +++ b/arch/sparc/kernel/led.c
> @@ -70,6 +70,9 @@ static ssize_t led_proc_write(struct file *file, const char __user *buffer,
>  {
>  	char *buf = NULL;
>  
> +	if (count == 0)
> +		return -EINVAL;
> +
>  	if (count > LED_MAX_LENGTH)
>  		count = LED_MAX_LENGTH;
>  
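Review bot: the `if (count == 0) return -EINVAL;` guard at the top of led_proc_write() makes an empty write fail, which is a user-visible behaviour change larger than the fix requires. The out-of-bounds access named in the commit message is the single `buf[count - 1]` index, so guarding that expression would close it without rejecting any input. If the early return is kept, it deserves a short comment saying why a zero-length write is an error, since the clamp directly below silently accepts over-long writes by truncating them to LED_MAX_LENGTH.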

Thank you for the patch.

I see no need to fail on the empty string in particular when further
down we have a default case:

	} else {
		auxio_set_led(AUXIO_LED_OFF);
	}

for any string not matching particular cases.

Instead, please stop the incorrect buffer access with something like:

diff --git a/arch/sparc/kernel/led.c b/arch/sparc/kernel/led.c
index f4fb82b019bb9..9b53ac1fe533d 100644
--- a/arch/sparc/kernel/led.c
+++ b/arch/sparc/kernel/led.c
@@ -78,7 +78,7 @@ static ssize_t led_proc_write(struct file *file, const char __user *buffer,
                return PTR_ERR(buf);
 
        /* work around \n when echo'ing into proc */
-       if (buf[count - 1] == '\n')
+       if (count > 0 && buf[count - 1] == '\n')
                buf[count - 1] = '\0';
 
        /* before we change anything we want to stop any running timers,
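Review bot: with `count > 0 &&` added to the newline test, a zero-length write now continues into the rest of led_proc_write() with count == 0, so the buffer checked by `return PTR_ERR(buf);` just above must still be a valid, NUL-terminated empty string in that case; that allocation is outside the hunk and worth confirming before relying on the later string matching. It would also help to extend the `/* work around \n when echo'ing into proc */` comment to say that empty writes are deliberately let through, so the guard is not later mistaken for redundant and removed.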

Thanks,
Andreas

