* [PATCH] powerpc/pseries: add input size check in ofdt_write
@ 2025-10-30 5:17 Miaoqian Lin
0 siblings, 0 replies; only message in thread
From: Miaoqian Lin @ 2025-10-30 5:17 UTC (permalink / raw)
To: Madhavan Srinivasan, Michael Ellerman, Nicholas Piggin,
Christophe Leroy, Geliang Tang, linuxppc-dev, linux-kernel
Cc: linmq006, stable
A malicious user could pass an arbitrarily bad value
to memdup_user_nul(), potentially causing kernel crash.
This follows the same pattern as commit ee76746387f6
("netdevsim: prevent bad user input in nsim_dev_health_break_write()")
Found via static analysis and code review.
Fixes: 3783225130f0 ("powerpc/pseries: use memdup_user_nul")
Cc: stable@vger.kernel.org
Signed-off-by: Miaoqian Lin <linmq006@gmail.com>
---
arch/powerpc/platforms/pseries/reconfig.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/arch/powerpc/platforms/pseries/reconfig.c b/arch/powerpc/platforms/pseries/reconfig.c
index 599bd2c78514..b6bc1d8b2207 100644
--- a/arch/powerpc/platforms/pseries/reconfig.c
+++ b/arch/powerpc/platforms/pseries/reconfig.c
@@ -366,6 +366,9 @@ static ssize_t ofdt_write(struct file *file, const char __user *buf, size_t coun
if (rv)
return rv;
+ if (count == 0 || count > PAGE_SIZE)
+ return -EINVAL;
+
kbuf = memdup_user_nul(buf, count);
if (IS_ERR(kbuf))
return PTR_ERR(kbuf);
--
2.39.5 (Apple Git-154)
^ permalink raw reply related [flat|nested] only message in thread
only message in thread, other threads:[~2025-10-30 5:18 UTC | newest]
Thread overview: (only message) (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2025-10-30 5:17 [PATCH] powerpc/pseries: add input size check in ofdt_write Miaoqian Lin
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).