* [PATCH] s390/debug: reject zero-length input before trimming a newline
From: Pengpeng Hou @ 2026-04-17 7:35 UTC
To: Heiko Carstens, Vasily Gorbik
Cc: Alexander Gordeev, Christian Borntraeger, Sven Schnelle,
Benjamin Block, Thorsten Blum, Tigran Mkrtchyan, Kees Cook,
linux-s390, linux-kernel, Pengpeng Hou

debug_get_user_string() duplicates the userspace buffer with
memdup_user_nul() and then unconditionally looks at buffer[user_len - 1]
to strip a trailing newline.

A zero-length write reaches this helper unchanged, so the newline trim
reads before the start of the allocated buffer.

Reject empty writes before accessing the last input byte.

Fixes: 66a464dbc8e0 ("[PATCH] s390: debug feature changes")

Signed-off-by: Pengpeng Hou <pengpeng@iscas.ac.cn>
---
arch/s390/kernel/debug.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/arch/s390/kernel/debug.c b/arch/s390/kernel/debug.c
index 31430e9bcfdd..2612f634e826 100644
--- a/arch/s390/kernel/debug.c
+++ b/arch/s390/kernel/debug.c
@@ -1414,6 +1414,9 @@ static inline char *debug_get_user_string(const char __user *user_buf,
{
char *buffer;
+ if (!user_len)
+ return ERR_PTR(-EINVAL);
+
buffer = memdup_user_nul(user_buf, user_len);
if (IS_ERR(buffer))
return buffer;
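
Review bot: The new `if (!user_len)` guard at the top of debug_get_user_string() turns an empty write into -EINVAL, which is a userspace-visible behaviour change and not only a bounds fix. If empty input should stay harmless, the alternative is to leave the entry path alone and guard the trim described in the commit message instead, for example `if (user_len && buffer[user_len - 1] == '\n')`. The changelog should say which behaviour is intended and why returning an error is preferred.
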
--
2.50.1 (Apple Git-155)
* Re: [PATCH] s390/debug: reject zero-length input before trimming a newline
From: Benjamin Block @ 2026-04-17 9:41 UTC
To: Pengpeng Hou
Cc: Heiko Carstens, Vasily Gorbik, Alexander Gordeev,
Christian Borntraeger, Sven Schnelle, Thorsten Blum,
Tigran Mkrtchyan, Kees Cook, linux-s390, linux-kernel

On Fri, Apr 17, 2026 at 03:35:30PM +0800, Pengpeng Hou wrote:
> debug_get_user_string() duplicates the userspace buffer with
> memdup_user_nul() and then unconditionally looks at buffer[user_len - 1]
> to strip a trailing newline.
>
> A zero-length write reaches this helper unchanged, so the newline trim
> reads before the start of the allocated buffer.
>
> Reject empty writes before accessing the last input byte.
>
> Fixes: 66a464dbc8e0 ("[PATCH] s390: debug feature changes")
>

There shouldn't be a blank line here.

> Signed-off-by: Pengpeng Hou <pengpeng@iscas.ac.cn>
> ---
> arch/s390/kernel/debug.c | 3 +++
> 1 file changed, 3 insertions(+)
>
> diff --git a/arch/s390/kernel/debug.c b/arch/s390/kernel/debug.c
> index 31430e9bcfdd..2612f634e826 100644
> --- a/arch/s390/kernel/debug.c
> +++ b/arch/s390/kernel/debug.c
> @@ -1414,6 +1414,9 @@ static inline char *debug_get_user_string(const char __user *user_buf,
> {
> char *buffer;
>
> + if (!user_len)
> + return ERR_PTR(-EINVAL);
> +
> buffer = memdup_user_nul(user_buf, user_len);
> if (IS_ERR(buffer))
> return buffer;
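
Review bot: Nothing at the `if (!user_len)` check says why zero is rejected, and the access it protects, buffer[user_len - 1], sits below the context shown in this hunk. A one-line comment above the check, for instance noting that the newline trim further down needs at least one byte, would keep the guard from being dropped in a later cleanup.
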

Otherwise this looks good to me.

Reviewed-by: Benjamin Block <bblock@linux.ibm.com>
--
Best Regards, Benjamin Block / Linux on IBM Z Kernel Development
IBM Deutschland Research & Development GmbH / https://www.ibm.com/privacy
Vors. Aufs.-R.: Wolfgang Wendt / Geschäftsführung: David Faller
Sitz der Ges.: Ehningen / Registergericht: AmtsG Stuttgart, HRB 243294
* Re: [PATCH] s390/debug: reject zero-length input before trimming a newline
From: Vasily Gorbik @ 2026-04-17 13:07 UTC
To: Pengpeng Hou
Cc: Heiko Carstens, Alexander Gordeev, Christian Borntraeger,
Sven Schnelle, Benjamin Block, Thorsten Blum, Tigran Mkrtchyan,
Kees Cook, linux-s390, linux-kernel

On Fri, Apr 17, 2026 at 03:35:30PM +0800, Pengpeng Hou wrote:
> debug_get_user_string() duplicates the userspace buffer with
> memdup_user_nul() and then unconditionally looks at buffer[user_len - 1]
> to strip a trailing newline.
>
> A zero-length write reaches this helper unchanged, so the newline trim
> reads before the start of the allocated buffer.
>
> Reject empty writes before accessing the last input byte.
>
> Fixes: 66a464dbc8e0 ("[PATCH] s390: debug feature changes")
>
> Signed-off-by: Pengpeng Hou <pengpeng@iscas.ac.cn>
> ---
> arch/s390/kernel/debug.c | 3 +++
> 1 file changed, 3 insertions(+)

Reviewed-by: Vasily Gorbik <gor@linux.ibm.com>
Tested-by: Vasily Gorbik <gor@linux.ibm.com>

Added
Cc: stable@vger.kernel.org
And applied, thank you!

I've also addressed Sashiko's complaint [1] about debug_input_flush_fn()
as a separate patch.

[1] https://sashiko.dev/#/patchset/20260417073530.96002-1-pengpeng%40iscas.ac.cn