public inbox for linuxppc-dev@ozlabs.org
From: Pengpeng Hou <pengpeng@iscas.ac.cn>
To: Mahesh J Salgaonkar <mahesh@linux.ibm.com>,
	"Oliver O'Halloran" <oohall@gmail.com>
Cc: Madhavan Srinivasan <maddy@linux.ibm.com>,
	Michael Ellerman <mpe@ellerman.id.au>,
	Nicholas Piggin <npiggin@gmail.com>,
	"Christophe Leroy (CS GROUP)" <chleroy@kernel.org>,
	linuxppc-dev@lists.ozlabs.org, linux-kernel@vger.kernel.org,
	Pengpeng Hou <pengpeng@iscas.ac.cn>
Subject: [PATCH] powerpc/eeh: NUL-terminate debugfs command buffers before sscanf()
Date: Fri, 17 Apr 2026 15:52:05 +0800	[thread overview]
Message-ID: <20260417075205.29738-1-pengpeng@iscas.ac.cn> (raw)

eeh_force_recover_write() and pnv_eeh_ei_write() copy raw userspace
bytes into fixed stack buffers with simple_write_to_buffer() and then
pass those buffers straight to sscanf().

When userspace fills the buffer completely, the copied command is not
NUL-terminated and sscanf() can read past the end of the stack buffer.

Reject oversized writes and reserve one byte for a terminating NUL before
parsing the command string.

Fixes: 954bd99435b8 ("powerpc/eeh: Add eeh_force_recover to debugfs")
Fixes: 4cf174455899 ("powerpc/powernv: Drop PHB operation post_init()")

Signed-off-by: Pengpeng Hou <pengpeng@iscas.ac.cn>
---
 arch/powerpc/kernel/eeh.c                    | 11 +++++++++--
 arch/powerpc/platforms/powernv/eeh-powernv.c | 11 +++++++++--
 2 files changed, 18 insertions(+), 4 deletions(-)

diff --git a/arch/powerpc/kernel/eeh.c b/arch/powerpc/kernel/eeh.c
index bb836f02101c..681701ffbf33 100644
--- a/arch/powerpc/kernel/eeh.c
+++ b/arch/powerpc/kernel/eeh.c
@@ -1729,11 +1729,18 @@ static ssize_t eeh_force_recover_write(struct file *filp,
 	uint32_t phbid, pe_no;
 	struct eeh_pe *pe;
 	char buf[20];
-	int ret;
+	ssize_t ret;
+
+	if (*ppos != 0 || count >= sizeof(buf))
+		return -EINVAL;
 
-	ret = simple_write_to_buffer(buf, sizeof(buf), ppos, user_buf, count);
+	ret = simple_write_to_buffer(buf, sizeof(buf) - 1, ppos, user_buf,
+				     count);
+	if (ret < 0)
+		return ret;
 	if (!ret)
 		return -EFAULT;
+	buf[ret] = '\0';
 
 	/*
 	 * When PE is NULL the event is a "special" event. Rather than
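Review bot: a zero-length write still falls through to the pre-existing `if (!ret) return -EFAULT;`, which reports a copy fault that did not happen; since the new bounds check already rejects bad sizes, consider folding it in as `if (*ppos != 0 || count == 0 || count >= sizeof(buf)) return -EINVAL;`. With `count < sizeof(buf)` and `*ppos == 0` enforced, `ret == count` on success, so `buf[ret] = '\0'` is always inside the 20-byte buffer and the `sizeof(buf) - 1` limit passed to simple_write_to_buffer() is belt-and-braces rather than required (fine to keep). The new `ret < 0` check is a real fix on its own: simple_write_to_buffer() returns -EFAULT on a failed copy, and the old `int ret` / `if (!ret)` pair let that negative value through to sscanf() on a buffer that was never filled.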
diff --git a/arch/powerpc/platforms/powernv/eeh-powernv.c b/arch/powerpc/platforms/powernv/eeh-powernv.c
index db3370d1673c..88a4acc11186 100644
--- a/arch/powerpc/platforms/powernv/eeh-powernv.c
+++ b/arch/powerpc/platforms/powernv/eeh-powernv.c
@@ -71,15 +71,22 @@ static ssize_t pnv_eeh_ei_write(struct file *filp,
 	int pe_no, type, func;
 	unsigned long addr, mask;
 	char buf[50];
-	int ret;
+	ssize_t ret;
 
 	if (!eeh_ops || !eeh_ops->err_inject)
 		return -ENXIO;
 
+	if (*ppos != 0 || count >= sizeof(buf))
+		return -EINVAL;
+
 	/* Copy over argument buffer */
-	ret = simple_write_to_buffer(buf, sizeof(buf), ppos, user_buf, count);
+	ret = simple_write_to_buffer(buf, sizeof(buf) - 1, ppos, user_buf,
+				     count);
+	if (ret < 0)
+		return ret;
 	if (!ret)
 		return -EFAULT;
+	buf[ret] = '\0';
 
 	/* Retrieve parameters */
 	ret = sscanf(buf, "%x:%x:%x:%lx:%lx",
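Review bot: with the new `count >= sizeof(buf)` rejection the 50-byte buffer now caps the longest accepted command, and the format on the last context line, "%x:%x:%x:%lx:%lx" with `unsigned long addr, mask`, can legitimately run to 8+8+8+16+16 hex digits plus four colons (60 characters, more with "0x" prefixes or a trailing newline) on 64-bit powerpc; please confirm 50 is still enough for the addr/mask values users actually pass, or grow `buf`, since a full-width input now fails with -EINVAL where it was previously truncated and silently mis-parsed (rejecting is the right behaviour, the size just needs to match the format). Otherwise the copy-and-terminate sequence here is identical to the one in eeh.c in the previous hunk; a small shared helper would keep the two from drifting apart.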
-- 
2.50.1 (Apple Git-155)


