From: Jonathan Cameron <jic23@kernel.org>
To: Markus Burri <markus.burri@mt.com>
Cc: linux-kernel@vger.kernel.org,
Mahesh J Salgaonkar <mahesh@linux.ibm.com>,
"Oliver O'Halloran" <oohall@gmail.com>,
Madhavan Srinivasan <maddy@linux.ibm.com>,
Michael Ellerman <mpe@ellerman.id.au>,
Nicholas Piggin <npiggin@gmail.com>,
Christophe Leroy <christophe.leroy@csgroup.eu>,
Naveen N Rao <naveen@kernel.org>,
Jacek Lawrynowicz <jacek.lawrynowicz@linux.intel.com>,
Maciej Falkowski <maciej.falkowski@linux.intel.com>,
Oded Gabbay <ogabbay@kernel.org>,
Linus Walleij <linus.walleij@linaro.org>,
Bartosz Golaszewski <brgl@bgdev.pl>, Nuno Sa <nuno.sa@analog.com>,
Olivier Moysan <olivier.moysan@foss.st.com>,
Lars-Peter Clausen <lars@metafoo.de>,
linuxppc-dev@lists.ozlabs.org, dri-devel@lists.freedesktop.org,
linux-gpio@vger.kernel.org, linux-iio@vger.kernel.org,
Markus Burri <markus.burri@bbv.ch>
Subject: Re: [PATCH v4 3/6] iio: fix potential out-of-bound write
Date: Sun, 25 May 2025 10:23:31 +0100
Message-ID: <20250525102331.46a4d778@jic23-huawei>
In-Reply-To: <20250508130612.82270-4-markus.burri@mt.com>
On Thu, 8 May 2025 15:06:09 +0200
Markus Burri <markus.burri@mt.com> wrote:
> The buffer is set to 20 characters. If a caller writes more characters,
> count is truncated to the max available space in "simple_write_to_buffer".
> To protect from OoB access, check that the input size fits into the buffer and
> add a zero terminator after copy to the end of the copied data.
>
> Signed-off-by: Markus Burri <markus.burri@mt.com>
> ---

Applied to the fixes-togreg branch of iio.git.

I'd still like some more eyes on this if anyone has time though as
experience teaches me that subtle tweaks to string manipulation end
conditions are easy places to make mistakes!

I'll not be pushing out as non rebasing until I rebase on rc1 anyway
so we have time.

Thanks,

Jonathan

> drivers/iio/industrialio-core.c | 5 ++++-
> 1 file changed, 4 insertions(+), 1 deletion(-)
>
> diff --git a/drivers/iio/industrialio-core.c b/drivers/iio/industrialio-core.c
> index b9f4113ae5fc..ebf17ea5a5f9 100644
> --- a/drivers/iio/industrialio-core.c
> +++ b/drivers/iio/industrialio-core.c
> @@ -410,12 +410,15 @@ static ssize_t iio_debugfs_write_reg(struct file *file,
> char buf[80];
> int ret;
>
> + if (count >= sizeof(buf))
> + return -EINVAL;
> +
> ret = simple_write_to_buffer(buf, sizeof(buf) - 1, ppos, userbuf,
> count);
> if (ret < 0)
> return ret;
>
> - buf[count] = '\0';
> + buf[ret] = '\0';
>
> ret = sscanf(buf, "%i %i", ®, &val);
>
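
Review bot: The terminator at `buf[ret] = '\0'` is only placed correctly when `*ppos` is 0. simple_write_to_buffer() copies to `buf + *ppos` and returns the number of bytes copied, so a write at a non-zero offset leaves the bytes before that offset as uninitialized stack, which the following sscanf() then parses, and the NUL lands at index `ret` rather than after the copied data. Consider rejecting non-zero offsets next to the new count check, for example `if (*ppos != 0) return -EINVAL;`, or terminating at the end position of the copy instead. Separately, the commit message says the buffer is 20 characters while the context line in this hunk shows `char buf[80]`; the message should match the code.
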