From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 80FE54315F; Mon, 4 Aug 2025 00:32:12 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1754267532; cv=none; b=umu913EcjFwN9TdQGq/zcdp0318HTk4LWzm7Ew65Xg7tgUFNKTc3N+EGwKlayZoVTujMcDOSc0d01uGDvrk5A5Pzs1pqEOmNIFRYnD3jNitS61u51NRWxpXM9zlbb64DhlTJYx/WsCHvdg++Zn/NkoTqjlXRHrBNjP1W5s8ja2w= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1754267532; c=relaxed/simple; bh=ZPf3y8UrpvGVigSALUXzeTYLmEvYJTLX6qMadoEXjoM=; h=From:To:Cc:Subject:Date:Message-Id:In-Reply-To:References: MIME-Version; b=D8DZQ70lCU18Tr3eMpi1DKp0FRbpISlPjI6SApqVJ0CXWITTHUizC1RFwAC69KLhNu90G0L1QiZwl1eT9XHHB0yF1F1DbN0E5jHkEGtKaYtVY1bRmq/KFwqPqNjmutGT4ojlTDFm9T2I5R+tQPdz5n9Vn4IMsmaIu8efbtAhhjI= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=G9e9my0Q; arc=none smtp.client-ip=10.30.226.201 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="G9e9my0Q" Received: by smtp.kernel.org (Postfix) with ESMTPSA id 0311CC4CEF0; Mon, 4 Aug 2025 00:32:10 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1754267532; bh=ZPf3y8UrpvGVigSALUXzeTYLmEvYJTLX6qMadoEXjoM=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=G9e9my0QOpCxk1aC0kgpx8Ln9Zwb8PKiunDlux3H3CvGWAkwuwvyO4fnzDuAxk9YG C1brTTTQMQhH3NM+h0X7fnFidL7YUbI9S9QPni+QoL0ctehkNTxrUoDOwtW9D5w6EG ySe8ItChRN7AP1K4agqVvgixSUO5K75j1y0jBmmTO6uhOvA/eMf/q2DbPZGKWrRK41 C9FykiwNvNxw5MR9GeUiWxCogxIdDqI9ksWmlcGYYS5TQLL/02lYqnxyr40t+DhW5i vkEHnTdcLquvbGCnPEkd5aFh8xQ6ic3T2y8j9DLvrq3qUXPqvh41cA7obn365XRKA5 9u4Y9+VW+eblg== From: Sasha Levin To: patches@lists.linux.dev, stable@vger.kernel.org Cc: Lifeng Zheng , Chanwoo Choi , Sasha Levin , myungjoo.ham@samsung.com, kyungmin.park@samsung.com, linux-pm@vger.kernel.org Subject: [PATCH AUTOSEL 6.12 20/69] PM / devfreq: governor: Replace sscanf() with kstrtoul() in set_freq_store() Date: Sun, 3 Aug 2025 20:30:30 -0400 Message-Id: <20250804003119.3620476-20-sashal@kernel.org> X-Mailer: git-send-email 2.39.5 In-Reply-To: <20250804003119.3620476-1-sashal@kernel.org> References: <20250804003119.3620476-1-sashal@kernel.org> Precedence: bulk X-Mailing-List: patches@lists.linux.dev List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-stable: review X-Patchwork-Hint: Ignore X-stable-base: Linux 6.12.41 Content-Transfer-Encoding: 8bit From: Lifeng Zheng [ Upstream commit 914cc799b28f17d369d5b4db3b941957d18157e8 ] Replace sscanf() with kstrtoul() in set_freq_store() and check the result to avoid invalid input. Signed-off-by: Lifeng Zheng Link: https://lore.kernel.org/lkml/20250421030020.3108405-2-zhenglifeng1@huawei.com/ Signed-off-by: Chanwoo Choi Signed-off-by: Sasha Levin --- LLM Generated explanations, may be completely bogus: ## Backport Status: YES This commit should be backported to stable kernel trees for the following reasons: 1. **Security Issue - Input Validation Bug**: The original code uses `sscanf(buf, "%lu", &wanted)` at line 45 without checking the return value. This is a security vulnerability because: - `sscanf()` returns the number of successfully parsed items - If the input is malformed or contains invalid characters, `sscanf()` may return 0 but leave `wanted` uninitialized - The code then proceeds to use this potentially uninitialized value in `data->user_frequency = wanted` - This could lead to setting arbitrary frequency values from uninitialized stack data 2. **Real User Impact**: The devfreq userspace governor allows users to manually set device frequencies through sysfs. Invalid input handling could cause: - Setting incorrect frequencies based on uninitialized memory - Potential system instability if invalid frequencies are applied to hardware - Security implications as uninitialized stack data could be used 3. **Small and Contained Fix**: The change is minimal and low-risk: - Replaces `sscanf()` with `kstrtoul()` which has proper error checking - Adds explicit error handling that returns early on invalid input - The change is confined to a single function (`set_freq_store()`) - No architectural changes or new features added 4. **Follows Kernel Best Practices**: The kernel has been systematically replacing `sscanf()` with `kstrto*()` functions for better input validation. This is evident from similar commits found in the git log (e.g., commit a5556fa1107d for asus-wmi). 5. **Critical Subsystem**: While devfreq might not be as critical as core memory management, it controls device frequency scaling which can affect: - Power management - System performance - Hardware stability 6. **No Negative Side Effects**: The change only adds proper validation and doesn't modify the core functionality. Valid inputs will continue to work exactly as before. The commit fixes a clear bug (missing input validation) that could lead to undefined behavior and potential security issues, making it an excellent candidate for stable backporting according to stable tree rules. drivers/devfreq/governor_userspace.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/drivers/devfreq/governor_userspace.c b/drivers/devfreq/governor_userspace.c index d1aa6806b683..175de0c0b50e 100644 --- a/drivers/devfreq/governor_userspace.c +++ b/drivers/devfreq/governor_userspace.c @@ -9,6 +9,7 @@ #include #include #include +#include #include #include #include @@ -39,10 +40,13 @@ static ssize_t set_freq_store(struct device *dev, struct device_attribute *attr, unsigned long wanted; int err = 0; + err = kstrtoul(buf, 0, &wanted); + if (err) + return err; + mutex_lock(&devfreq->lock); data = devfreq->governor_data; - sscanf(buf, "%lu", &wanted); data->user_frequency = wanted; data->valid = true; err = update_devfreq(devfreq); -- 2.39.5