* [PATCH 3/4] powerpc/pseries/ibmebus: reject zero-length bus attribute writes
@ 2026-03-30 6:29 Pengpeng Hou
0 siblings, 0 replies; only message in thread
From: Pengpeng Hou @ 2026-03-30 6:29 UTC (permalink / raw)
To: maddy; +Cc: mpe, npiggin, chleroy, linuxppc-dev, linux-kernel, pengpeng
probe_store() and remove_store() pass count to ibmebus_chomp(), whose
newline stripping logic unconditionally inspects out[count - 1]. A
zero-length write therefore reads one byte before the allocated buffer.
Reject empty writes before calling ibmebus_chomp().
Fixes: 0727702a3a6a ("[POWERPC] ibmebus: change probe/remove interface from using loc-code to DT path")
Signed-off-by: Pengpeng Hou <pengpeng@iscas.ac.cn>
---
arch/powerpc/platforms/pseries/ibmebus.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/arch/powerpc/platforms/pseries/ibmebus.c b/arch/powerpc/platforms/pseries/ibmebus.c
index cad2deb7e70d..5faf1a5754de 100644
--- a/arch/powerpc/platforms/pseries/ibmebus.c
+++ b/arch/powerpc/platforms/pseries/ibmebus.c
@@ -276,6 +276,9 @@ static ssize_t probe_store(const struct bus_type *bus, const char *buf, size_t c
char *path;
ssize_t rc = 0;
+ if (!count)
+ return -EINVAL;
+
path = ibmebus_chomp(buf, count);
if (!path)
return -ENOMEM;
@@ -312,6 +315,9 @@ static ssize_t remove_store(const struct bus_type *bus, const char *buf, size_t
struct device *dev;
char *path;
+ if (!count)
+ return -EINVAL;
+
path = ibmebus_chomp(buf, count);
if (!path)
return -ENOMEM;
--
2.50.1 (Apple Git-155)
^ permalink raw reply related [flat|nested] only message in thread
only message in thread, other threads:[~2026-03-30 6:29 UTC | newest]
Thread overview: (only message) (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-03-30 6:29 [PATCH 3/4] powerpc/pseries/ibmebus: reject zero-length bus attribute writes Pengpeng Hou
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox