From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 0D1AE1E22E6; Mon, 23 Jun 2025 21:40:02 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1750714802; cv=none; b=E9c3zKoDrAWUisqqPYnLFdqLxYABqN1s6w0/iHR8F1n24KEzJ9/HSca1wb1ei6Nlylh9/ORoxzWweND7hNKtXhaJ8bLAswWPWzKyiZK315fm/wmTELCn+MKI8AVXxYQmPXhJh1ZnGniKHzpin6BrbDm5oSj3cSMbzG0SrSfjPHA= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1750714802; c=relaxed/simple; bh=jgZLBIQ84cjix9JkV5oahAPJ669nx5grUixBIKkFlqE=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version:Content-Type; b=p8tpCICsuiS3ahzbQmxPWjbuuknJ1ISbdg00qvc0SYvHZj7pBEu5h6szHmh88TCB4+gRoMyLIQmMrQkG8eCLECM8qmBAKQYP85qx+H/63Tz+9DbtlflXy1o+ZKBQ9CP0nCP8CNRyoZUgBQQBYbVrecrS8hw0ljPNKzfJfXRe64Q= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=linuxfoundation.org header.i=@linuxfoundation.org header.b=vgIHgTUe; arc=none smtp.client-ip=10.30.226.201 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=linuxfoundation.org header.i=@linuxfoundation.org header.b="vgIHgTUe" Received: by smtp.kernel.org (Postfix) with ESMTPSA id 911F3C4CEF0; Mon, 23 Jun 2025 21:40:01 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1750714801; bh=jgZLBIQ84cjix9JkV5oahAPJ669nx5grUixBIKkFlqE=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=vgIHgTUenOBj+APUVhRY99FZJHcN7ExQn6Gi8ta40ant9f++sosnJPQeb5pNilR3Q vqYJRoT17wpeJgBif73A0mypuTxcmwtKXgMaA20LWgg5s9oDs8qsjxWfnanMkcRiFg 97eEIun9NdJ/cmKQlqDIqdxSVCFZuA6O3e7qT/S0= From: Greg Kroah-Hartman To: stable@vger.kernel.org Cc: Greg Kroah-Hartman , patches@lists.linux.dev, Stuart Hayes , =?UTF-8?q?Ilpo=20J=C3=A4rvinen?= , Sasha Levin Subject: [PATCH 6.15 439/592] platform/x86: dell_rbu: Stop overwriting data buffer Date: Mon, 23 Jun 2025 15:06:37 +0200 Message-ID: <20250623130710.876239701@linuxfoundation.org> X-Mailer: git-send-email 2.50.0 In-Reply-To: <20250623130700.210182694@linuxfoundation.org> References: <20250623130700.210182694@linuxfoundation.org> User-Agent: quilt/0.68 X-stable: review X-Patchwork-Hint: ignore Precedence: bulk X-Mailing-List: stable@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit 6.15-stable review patch. If anyone has any objections, please let me know. ------------------ From: Stuart Hayes [ Upstream commit f4b0fa38d5fefe9aed6ed831f3bd3538c168ee19 ] The dell_rbu driver will use memset() to clear the data held by each packet when it is no longer needed (when the driver is unloaded, the packet size is changed, etc). The amount of memory that is cleared (before this patch) is the normal packet size. However, the last packet in the list may be smaller. Fix this to only clear the memory actually used by each packet, to prevent it from writing past the end of data buffer. Because the packet data buffers are allocated with __get_free_pages() (in page-sized increments), this bug could only result in a buffer being overwritten when a packet size larger than one page is used. The only user of the dell_rbu module should be the Dell BIOS update program, which uses a packet size of 4096, so no issues should be seen without the patch, it just blocks the possiblity. Fixes: 6c54c28e69f2 ("[PATCH] dell_rbu: new Dell BIOS update driver") Signed-off-by: Stuart Hayes Link: https://lore.kernel.org/r/20250609184659.7210-5-stuart.w.hayes@gmail.com Reviewed-by: Ilpo Järvinen Signed-off-by: Ilpo Järvinen Signed-off-by: Sasha Levin --- drivers/platform/x86/dell/dell_rbu.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/platform/x86/dell/dell_rbu.c b/drivers/platform/x86/dell/dell_rbu.c index e2afe51b66ee8..8dea70b7f8c15 100644 --- a/drivers/platform/x86/dell/dell_rbu.c +++ b/drivers/platform/x86/dell/dell_rbu.c @@ -322,7 +322,7 @@ static void packet_empty_list(void) * zero out the RBU packet memory before freeing * to make sure there are no stale RBU packets left in memory */ - memset(newpacket->data, 0, rbu_data.packetsize); + memset(newpacket->data, 0, newpacket->length); set_memory_wb((unsigned long)newpacket->data, 1 << newpacket->ordernum); free_pages((unsigned long) newpacket->data, -- 2.39.5