* [PATCH] sparc/led: prevent buffer underflow on zero-length write
@ 2025-10-30 7:21 Miaoqian Lin
0 siblings, 0 replies; only message in thread
From: Miaoqian Lin @ 2025-10-30 7:21 UTC (permalink / raw)
To: David S. Miller, Andreas Larsson, Ingo Molnar, Thomas Gleixner,
Lars Kotthoff, sparclinux, linux-kernel
Cc: linmq006, stable
Fix out-of-bounds access in led_proc_write() when count is 0.
Accessing buf[count - 1] with count=0 reads/writes buf[-1].
Check for count==0 and return -EINVAL early to fix this.
Found via static analysis and code review.
Fixes: ee1858d3122d ("[SPARC]: Add sun4m LED driver.")
Cc: stable@vger.kernel.org
Signed-off-by: Miaoqian Lin <linmq006@gmail.com>
---
arch/sparc/kernel/led.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/arch/sparc/kernel/led.c b/arch/sparc/kernel/led.c
index f4fb82b019bb..aa0ca0d8d0e2 100644
--- a/arch/sparc/kernel/led.c
+++ b/arch/sparc/kernel/led.c
@@ -70,6 +70,9 @@ static ssize_t led_proc_write(struct file *file, const char __user *buffer,
{
char *buf = NULL;
+ if (count == 0)
+ return -EINVAL;
+
if (count > LED_MAX_LENGTH)
count = LED_MAX_LENGTH;
--
2.39.5 (Apple Git-154)
^ permalink raw reply related [flat|nested] only message in thread
only message in thread, other threads:[~2025-10-30 7:22 UTC | newest]
Thread overview: (only message) (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2025-10-30 7:21 [PATCH] sparc/led: prevent buffer underflow on zero-length write Miaoqian Lin
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).