lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <20260116040140.65394-2-chaitanyamishra.ai@gmail.com>
Date: Fri, 16 Jan 2026 09:31:40 +0530
From: Chaitanya Mishra <chaitanyamishra.ai@...il.com>
To: Eddie James <eajames@...ux.ibm.com>
Cc: Ninad Palsule <ninad@...ux.ibm.com>,
	linux-fsi@...ts.ozlabs.org,
	linux-kernel@...r.kernel.org,
	Chaitanya Mishra <chaitanyamishra.ai@...il.com>
Subject: [PATCH v1 1/1] fsi: cfam: clamp chunk length to remaining count

cfam_{read,write} split requests into up to 4-byte aligned chunks.
The per-iteration length is computed from the full count and the
current alignment. Once total_len advances, this can exceed the
remaining bytes, leading to copy_{to,from}_user() touching bytes past
the user buffer and advancing the file offset too far.

Clamp each chunk to the minimum of the alignment-based length and the
remaining bytes so each iteration handles only the bytes left.

Fixes: d1dcd6782576 ("fsi: Add cfam char devices")
Signed-off-by: Chaitanya Mishra <chaitanyamishra.ai@...il.com>
---
 drivers/fsi/fsi-core.c | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)

diff --git a/drivers/fsi/fsi-core.c b/drivers/fsi/fsi-core.c
index c6c115993ebc..8a2a02df52ac 100644
--- a/drivers/fsi/fsi-core.c
+++ b/drivers/fsi/fsi-core.c
@@ -674,8 +674,7 @@ static ssize_t cfam_read(struct file *filep, char __user *buf, size_t count,
 	for (total_len = 0; total_len < count; total_len += read_len) {
 		__be32 data;
 
-		read_len = min_t(size_t, count, 4);
-		read_len -= off & 0x3;
+		read_len = min_t(size_t, 4 - (off & 0x3), count - total_len);
 
 		rc = fsi_slave_read(slave, off, &data, read_len);
 		if (rc)
@@ -711,8 +710,7 @@ static ssize_t cfam_write(struct file *filep, const char __user *buf,
 	for (total_len = 0; total_len < count; total_len += write_len) {
 		__be32 data;
 
-		write_len = min_t(size_t, count, 4);
-		write_len -= off & 0x3;
+		write_len = min_t(size_t, 4 - (off & 0x3), count - total_len);
 
 		rc = copy_from_user(&data, buf + total_len, write_len);
 		if (rc) {
-- 
2.50.1 (Apple Git-155)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ