From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
patches@lists.linux.dev, Thorsten Blum <thorsten.blum@linux.dev>,
Herbert Xu <herbert@gondor.apana.org.au>
Subject: [PATCH 5.10 01/24] crypto: octeontx - Fix length check to avoid truncation in ucode_load_store
Date: Tue, 17 Feb 2026 21:31:14 +0100 [thread overview]
Message-ID: <20260217200000.768049926@linuxfoundation.org> (raw)
In-Reply-To: <20260217200000.708219618@linuxfoundation.org>
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Thorsten Blum <thorsten.blum@linux.dev>
commit 5565a72b24fa7935a9f30af386e92c8c9dfb23b9 upstream.
OTX_CPT_UCODE_NAME_LENGTH limits the microcode name to 64 bytes. If a
user writes a string of exactly 64 characters, the original code used
'strlen(buf) > 64' to check the length, but then strscpy() copies only
63 characters before adding a NUL terminator, silently truncating the
copied string.
Fix this off-by-one error by using 'count' directly for the length check
to ensure long names are rejected early and copied without truncation.
Cc: stable@vger.kernel.org
Fixes: d9110b0b01ff ("crypto: marvell - add support for OCTEON TX CPT engine")
Signed-off-by: Thorsten Blum <thorsten.blum@linux.dev>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/crypto/marvell/octeontx/otx_cptpf_ucode.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/crypto/marvell/octeontx/otx_cptpf_ucode.c
+++ b/drivers/crypto/marvell/octeontx/otx_cptpf_ucode.c
@@ -1337,7 +1337,7 @@ static ssize_t ucode_load_store(struct d
int del_grp_idx = -1;
int ucode_idx = 0;
- if (strlen(buf) > OTX_CPT_UCODE_NAME_LENGTH)
+ if (count >= OTX_CPT_UCODE_NAME_LENGTH)
return -EINVAL;
eng_grps = container_of(attr, struct otx_cpt_eng_grps, ucode_load_attr);
next prev parent reply other threads:[~2026-02-17 20:43 UTC|newest]
Thread overview: 33+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-02-17 20:31 [PATCH 5.10 00/24] 5.10.251-rc1 review Greg Kroah-Hartman
2026-02-17 20:31 ` Greg Kroah-Hartman [this message]
2026-02-17 20:31 ` [PATCH 5.10 02/24] crypto: omap - Allocate OMAP_CRYPTO_FORCE_COPY scatterlists correctly Greg Kroah-Hartman
2026-02-17 20:31 ` [PATCH 5.10 03/24] crypto: virtio - Add spinlock protection with virtqueue notification Greg Kroah-Hartman
2026-02-17 20:31 ` [PATCH 5.10 04/24] nilfs2: Fix potential block overflow that cause system hang Greg Kroah-Hartman
2026-02-17 20:31 ` [PATCH 5.10 05/24] scsi: qla2xxx: Delay module unload while fabric scan in progress Greg Kroah-Hartman
2026-02-17 20:31 ` [PATCH 5.10 06/24] scsi: qla2xxx: Query FW again before proceeding with login Greg Kroah-Hartman
2026-02-17 20:31 ` [PATCH 5.10 07/24] gpio: omap: do not register driver in probe() Greg Kroah-Hartman
2026-02-17 20:31 ` [PATCH 5.10 08/24] ALSA: hda/realtek: Fix headset mic for TongFang X6AR55xU Greg Kroah-Hartman
2026-02-17 20:31 ` [PATCH 5.10 09/24] gpio: sprd: Change sprd_gpio lock to raw_spin_lock Greg Kroah-Hartman
2026-02-17 20:31 ` [PATCH 5.10 10/24] romfs: check sb_set_blocksize() return value Greg Kroah-Hartman
2026-02-17 20:31 ` [PATCH 5.10 11/24] =?UTF-8?q?drm/tegra:=20hdmi:=20sor:=20Fix=20error:=20variable=20?= =?UTF-8?q?=E2=80=98j=E2=80=99=20set=20but=20not=20used?= Greg Kroah-Hartman
2026-02-17 20:31 ` [PATCH 5.10 12/24] platform/x86: classmate-laptop: Add missing NULL pointer checks Greg Kroah-Hartman
2026-02-17 20:31 ` [PATCH 5.10 13/24] gpiolib: acpi: Fix gpio count with string references Greg Kroah-Hartman
2026-02-17 20:31 ` [PATCH 5.10 14/24] fs: dlm: fix invalid derefence of sb_lvbptr Greg Kroah-Hartman
2026-02-17 20:31 ` [PATCH 5.10 15/24] selftests: mptcp: pm: ensure unknown flags are ignored Greg Kroah-Hartman
2026-02-17 20:31 ` [PATCH 5.10 16/24] crypto: virtio - Remove duplicated virtqueue_kick in virtio_crypto_skcipher_crypt_req Greg Kroah-Hartman
2026-02-17 20:31 ` [PATCH 5.10 17/24] scsi: qla2xxx: Validate sp before freeing associated memory Greg Kroah-Hartman
2026-02-17 20:31 ` [PATCH 5.10 18/24] scsi: qla2xxx: Free sp in error path to fix system crash Greg Kroah-Hartman
2026-02-17 20:31 ` [PATCH 5.10 19/24] scsi: qla2xxx: Fix bsg_done() causing double free Greg Kroah-Hartman
2026-02-17 20:31 ` [PATCH 5.10 20/24] fbdev: rivafb: fix divide error in nv3_arb() Greg Kroah-Hartman
2026-02-17 20:31 ` [PATCH 5.10 21/24] fbdev: smscufx: properly copy ioctl memory to kernelspace Greg Kroah-Hartman
2026-02-17 20:31 ` [PATCH 5.10 22/24] f2fs: fix out-of-bounds access in sysfs attribute read/write Greg Kroah-Hartman
2026-02-17 20:31 ` [PATCH 5.10 23/24] f2fs: fix to avoid UAF in f2fs_write_end_io() Greg Kroah-Hartman
2026-02-17 20:31 ` [PATCH 5.10 24/24] USB: serial: option: add Telit FN920C04 RNDIS compositions Greg Kroah-Hartman
2026-02-17 22:11 ` [PATCH 5.10 00/24] 5.10.251-rc1 review Florian Fainelli
2026-02-18 3:42 ` Woody Suwalski
2026-02-18 8:22 ` Jon Hunter
2026-02-18 9:08 ` Brett A C Sheffield
2026-02-18 9:12 ` Pavel Machek
2026-02-18 12:01 ` Mark Brown
2026-02-19 0:44 ` Barry K. Nathan
2026-02-19 2:11 ` Dominique Martinet
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260217200000.768049926@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=herbert@gondor.apana.org.au \
--cc=patches@lists.linux.dev \
--cc=stable@vger.kernel.org \
--cc=thorsten.blum@linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.