From: "Shengzhuo Wei" <me@cherr.cc>
To: "Shubhrajyoti Datta" <shubhrajyoti.datta@amd.com>,
"Sai Krishna Potthuri" <sai.krishna.potthuri@amd.com>,
"Borislav Petkov" <bp@alien8.de>,
"Tony Luck" <tony.luck@intel.com>,
"Michal Simek" <michal.simek@amd.com>
Cc: <linux-edac@vger.kernel.org>, <linux-kernel@vger.kernel.org>,
<linux-arm-kernel@lists.infradead.org>,
"Shengzhuo Wei" <me@cherr.cc>
Subject: [PATCH] EDAC/xilinx: Fix stack off-by-one in debugfs UE injection handlers
Date: Sat, 25 Apr 2026 02:49:05 +0800 [thread overview]
Message-ID: <20260425-edac-stack-off-by-one-v1-1-4b2dd2b9c7df@cherr.cc> (raw)
Two EDAC debugfs write handlers copy up to sizeof(buf) bytes into a
fixed-size stack buffer and then unconditionally NUL-terminate it via
buf[len] = '\0'. When userspace writes >= sizeof(buf) bytes, len
becomes sizeof(buf) and the NUL write lands 1 byte past the end of the
stack buffer.
Fix by clamping the copy length to sizeof(buf) - 1 so that the NUL
terminator is always in-bounds.
Fixes: 3bd2706c910f ("EDAC/zynqmp: Add EDAC support for Xilinx ZynqMP OCM")
Fixes: 83bf24051a60 ("EDAC/versal: Make the bit position of injected errors configurable")
Signed-off-by: Shengzhuo Wei <me@cherr.cc>
---
drivers/edac/versal_edac.c | 2 +-
drivers/edac/zynqmp_edac.c | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/edac/versal_edac.c b/drivers/edac/versal_edac.c
index 5a43b5d43ca28027c829f53aea50588297484c5c..917d7d1762aa9ec9f752e8419c24fd265048ff28 100644
--- a/drivers/edac/versal_edac.c
+++ b/drivers/edac/versal_edac.c
@@ -856,7 +856,7 @@ static ssize_t inject_data_ue_store(struct file *file, const char __user *data,
u8 len, ue0, ue1;
int i, ret;
- len = min_t(size_t, count, sizeof(buf));
+ len = min_t(size_t, count, sizeof(buf) - 1);
if (copy_from_user(buf, data, len))
return -EFAULT;
diff --git a/drivers/edac/zynqmp_edac.c b/drivers/edac/zynqmp_edac.c
index cdffc9e4194d42d4d11c5218c9f341ac46301a94..048a7b9becd622a5eeebf9c893ffdf9e163f5e9b 100644
--- a/drivers/edac/zynqmp_edac.c
+++ b/drivers/edac/zynqmp_edac.c
@@ -304,7 +304,7 @@ static ssize_t inject_ue_write(struct file *file, const char __user *data,
if (!data)
return -EFAULT;
- len = min_t(size_t, count, sizeof(buf));
+ len = min_t(size_t, count, sizeof(buf) - 1);
if (copy_from_user(buf, data, len))
return -EFAULT;
---
base-commit: dd6c438c3e64a5ff0b5d7e78f7f9be547803ef1b
change-id: 20260425-edac-stack-off-by-one-f6703cfe8213
Best regards,
--
Shengzhuo Wei <me@cherr.cc>
next reply other threads:[~2026-04-24 18:49 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-04-24 18:49 Shengzhuo Wei [this message]
2026-04-25 2:51 ` [PATCH] EDAC/xilinx: Fix stack off-by-one in debugfs UE injection handlers Zhuo, Qiuxu
2026-04-30 11:16 ` Datta, Shubhrajyoti
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260425-edac-stack-off-by-one-v1-1-4b2dd2b9c7df@cherr.cc \
--to=me@cherr.cc \
--cc=bp@alien8.de \
--cc=linux-arm-kernel@lists.infradead.org \
--cc=linux-edac@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=michal.simek@amd.com \
--cc=sai.krishna.potthuri@amd.com \
--cc=shubhrajyoti.datta@amd.com \
--cc=tony.luck@intel.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox