From: Markus Burri <markus.burri@mt.com>
To: linux-kernel@vger.kernel.org
Cc: Markus Burri <markus.burri@mt.com>,
Mahesh J Salgaonkar <mahesh@linux.ibm.com>,
"Oliver O'Halloran" <oohall@gmail.com>,
Madhavan Srinivasan <maddy@linux.ibm.com>,
Michael Ellerman <mpe@ellerman.id.au>,
Nicholas Piggin <npiggin@gmail.com>,
Christophe Leroy <christophe.leroy@csgroup.eu>,
Naveen N Rao <naveen@kernel.org>,
Jacek Lawrynowicz <jacek.lawrynowicz@linux.intel.com>,
Maciej Falkowski <maciej.falkowski@linux.intel.com>,
Oded Gabbay <ogabbay@kernel.org>,
Linus Walleij <linus.walleij@linaro.org>,
Bartosz Golaszewski <brgl@bgdev.pl>, Nuno Sa <nuno.sa@analog.com>,
Olivier Moysan <olivier.moysan@foss.st.com>,
Jonathan Cameron <jic23@kernel.org>,
Lars-Peter Clausen <lars@metafoo.de>,
linuxppc-dev@lists.ozlabs.org, dri-devel@lists.freedesktop.org,
linux-gpio@vger.kernel.org, linux-iio@vger.kernel.org,
Markus Burri <markus.burri@bbv.ch>
Subject: [PATCH v4 0/6] Fix potential out-of-bounds error in some drivers
Date: Thu, 8 May 2025 15:06:06 +0200
Message-ID: <20250508130612.82270-1-markus.burri@mt.com>
Several drivers are using debugfs and follow the same pattern.
A buffer is created on the stack with a limited size to copy the given data
from user space. The copy is performed using simple_write_to_buffer.
This function limits the input according to the specified buffer size, but
it does not write a string terminator if the buffer is truncated.
Therefore, the driver adds this zero terminator afterward.
Unfortunately, the original buffer size is used as an index, which can lead
to an out-of-bounds error.

This patch set fixes this issue in all the drivers I have detected so far.
The fix is to return an error in case of an unexpectedly long buffer being
received and to use the effective written size for the zero terminator for
consistency.
Changes in V4:
* Revert the decrement of accepted size by one character
* Added patches for drivers with the same pattern
Changes in V3:
* Decrement accepted size by one character according to feedback
Changes in V2:
* Use effective written size as index instead of original size
---
[V3] https://lore.kernel.org/lkml/20250505203830.5117-1-markus.burri@mt.com/
[V2] https://lore.kernel.org/lkml/20250505045346.29647-1-markus.burri@mt.com/
[V1] https://lore.kernel.org/lkml/20250501063240.25295-1-markus.burri@mt.com/
Markus Burri (6):
iio: backend: fix out-of-bound write
accel/ivpu: Use effective buffer size for zero terminator
iio: fix potential out-of-bound write
gpio: fix potential out-of-bound write
powerpc/eeh: fix potential OoB
powerpc/eeh-powernv: fix potential OoB
arch/powerpc/kernel/eeh.c | 7 ++++++-
arch/powerpc/platforms/powernv/eeh-powernv.c | 7 ++++++-
drivers/accel/ivpu/ivpu_debugfs.c | 2 +-
drivers/gpio/gpio-virtuser.c | 12 ++++++++++--
drivers/iio/industrialio-backend.c | 5 ++++-
drivers/iio/industrialio-core.c | 5 ++++-
6 files changed, 31 insertions(+), 7 deletions(-)
base-commit: b4432656b36e5cc1d50a1f2dc15357543add530e
--
2.39.5
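The pattern described in the cover letter, as an added user-space model in C (not code from the patch series or from any of the drivers). `model_copy`, `before_pattern_clobbers`, `after_pattern`, the 16-byte buffer size and the `-EINVAL` return value are assumptions made for illustration; the copy helper only mimics the behaviour the letter attributes to simple_write_to_buffer (bounded copy, no terminator).

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

#define BUF_SIZE 16   /* constructed size of the driver's stack buffer */
#define GUARD    48   /* models the stack memory that follows the buffer */

/* Stand-in for the copy: at most `avail` bytes, no NUL appended. */
static ssize_t model_copy(char *to, size_t avail, const char *from, size_t count)
{
    size_t n = count < avail ? count : avail;
    memcpy(to, from, n);
    return (ssize_t)n;
}

/* "Before": the terminator index is the requested count, not the bytes copied.
 * Returns how many bytes past the first BUF_SIZE bytes were modified. */
int before_pattern_clobbers(const char *from, size_t count)
{
    unsigned char frame[BUF_SIZE + GUARD];
    int hits = 0;
    memset(frame, 0xAA, sizeof(frame));
    model_copy((char *)frame, BUF_SIZE - 1, from, count);
    if (count < sizeof(frame))      /* keeps this model well-defined */
        frame[count] = '\0';        /* flawed index */
    for (size_t i = BUF_SIZE; i < sizeof(frame); i++)
        hits += (frame[i] != 0xAA);
    return hits;
}

/* "After": reject oversized input, terminate at the bytes actually copied. */
ssize_t after_pattern(const char *from, size_t count, char *out)
{
    char buf[BUF_SIZE];
    ssize_t ret;
    if (count >= sizeof(buf))
        return -EINVAL;             /* assumed error code */
    ret = model_copy(buf, sizeof(buf) - 1, from, count);
    buf[ret] = '\0';                /* ret <= BUF_SIZE - 1 */
    memcpy(out, buf, (size_t)ret + 1);
    return ret;
}

int main(void)
{
    char in[40] = {0}, out[BUF_SIZE];   /* constructed 40-byte write */
    printf("before: %d, after: %zd\n", before_pattern_clobbers(in, sizeof(in)),
           after_pattern(in, sizeof(in), out));
    return 0;
}
```

The copy itself never overruns the buffer in either variant; only the terminator store in the "before" handler lands outside it, which is why the guard region shows a single modified byte.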