From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 8D92A1A9B24; Mon, 4 Aug 2025 00:29:00 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1754267340; cv=none; b=XqTYB+rI6OK0Nsur+kmrIYUQG1l1k1FKvLb3dR2xonbcM7Q2/g+TFZ6s9Sb4MBgbLAFOSQWb565/Hb8Nn5Om1wDzdCsZj8Afgcq0lodduKaa3uJMaJWOvb2QpkDp+sw/nRYhwjz+FXd2W4SkvNGcx9dHR4F912B5TaTa57Jjv24= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1754267340; c=relaxed/simple; bh=ZPf3y8UrpvGVigSALUXzeTYLmEvYJTLX6qMadoEXjoM=; h=From:To:Cc:Subject:Date:Message-Id:In-Reply-To:References: MIME-Version; b=OcGRIphqQ/Lg05pDXWeztSkYQsh9Z8qWoPcUwtYAY5NgR1A3a2zkyJiCHMLU9E3LWwPtr3njX9+QGrcGDE0+lyX3sOuLrD9FwFdmzjfhXxkX6Y4+enVhkLaLiy2/KR01xHvdIOJb129zr4Li1ddcnLxnEwDVV+hXEXtCigxT0pY= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=hynWD0H7; arc=none smtp.client-ip=10.30.226.201 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="hynWD0H7" Received: by smtp.kernel.org (Postfix) with ESMTPSA id 0F247C4CEF0; Mon, 4 Aug 2025 00:28:58 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1754267340; bh=ZPf3y8UrpvGVigSALUXzeTYLmEvYJTLX6qMadoEXjoM=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=hynWD0H7WqsZjiU46fEW8CqiqnzuOjHTuSncYCiQySVwMIjxM4j1ioQqFjZp3bvGE qfLBQdfyU2d1omLQBk0MKbEo0fwd2Dat/BsUGXnmrSRo3kFdL/J/Fz6b0ErleJbBF3 yCn0JyBlCgAmxcjDlQuESqVvAKEPNKIHWQw+i/qMphxqIRT92Idi1uYi/hjk/duOcj 0gNq1dboRJG2oxBaboDqP0iz5LdnicZXC4XXRDRUi3rVfHr1bVuEwJLWlC+uRl8m+i +KK1xdpm2WM2Urh7ii8ZSzEDZlnb03iA0V0otOOziORW7a+7X9KGS2OL2L3k0MGh1K hZHEOVYMS9c4w== From: Sasha Levin To: patches@lists.linux.dev, stable@vger.kernel.org Cc: Lifeng Zheng , Chanwoo Choi , Sasha Levin , myungjoo.ham@samsung.com, kyungmin.park@samsung.com, linux-pm@vger.kernel.org Subject: [PATCH AUTOSEL 6.15 26/80] PM / devfreq: governor: Replace sscanf() with kstrtoul() in set_freq_store() Date: Sun, 3 Aug 2025 20:26:53 -0400 Message-Id: <20250804002747.3617039-26-sashal@kernel.org> X-Mailer: git-send-email 2.39.5 In-Reply-To: <20250804002747.3617039-1-sashal@kernel.org> References: <20250804002747.3617039-1-sashal@kernel.org> Precedence: bulk X-Mailing-List: stable@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-stable: review X-Patchwork-Hint: Ignore X-stable-base: Linux 6.15.9 Content-Transfer-Encoding: 8bit From: Lifeng Zheng [ Upstream commit 914cc799b28f17d369d5b4db3b941957d18157e8 ] Replace sscanf() with kstrtoul() in set_freq_store() and check the result to avoid invalid input. Signed-off-by: Lifeng Zheng Link: https://lore.kernel.org/lkml/20250421030020.3108405-2-zhenglifeng1@huawei.com/ Signed-off-by: Chanwoo Choi Signed-off-by: Sasha Levin --- LLM Generated explanations, may be completely bogus: ## Backport Status: YES This commit should be backported to stable kernel trees for the following reasons: 1. **Security Issue - Input Validation Bug**: The original code uses `sscanf(buf, "%lu", &wanted)` at line 45 without checking the return value. This is a security vulnerability because: - `sscanf()` returns the number of successfully parsed items - If the input is malformed or contains invalid characters, `sscanf()` may return 0 but leave `wanted` uninitialized - The code then proceeds to use this potentially uninitialized value in `data->user_frequency = wanted` - This could lead to setting arbitrary frequency values from uninitialized stack data 2. **Real User Impact**: The devfreq userspace governor allows users to manually set device frequencies through sysfs. Invalid input handling could cause: - Setting incorrect frequencies based on uninitialized memory - Potential system instability if invalid frequencies are applied to hardware - Security implications as uninitialized stack data could be used 3. **Small and Contained Fix**: The change is minimal and low-risk: - Replaces `sscanf()` with `kstrtoul()` which has proper error checking - Adds explicit error handling that returns early on invalid input - The change is confined to a single function (`set_freq_store()`) - No architectural changes or new features added 4. **Follows Kernel Best Practices**: The kernel has been systematically replacing `sscanf()` with `kstrto*()` functions for better input validation. This is evident from similar commits found in the git log (e.g., commit a5556fa1107d for asus-wmi). 5. **Critical Subsystem**: While devfreq might not be as critical as core memory management, it controls device frequency scaling which can affect: - Power management - System performance - Hardware stability 6. **No Negative Side Effects**: The change only adds proper validation and doesn't modify the core functionality. Valid inputs will continue to work exactly as before. The commit fixes a clear bug (missing input validation) that could lead to undefined behavior and potential security issues, making it an excellent candidate for stable backporting according to stable tree rules. drivers/devfreq/governor_userspace.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/drivers/devfreq/governor_userspace.c b/drivers/devfreq/governor_userspace.c index d1aa6806b683..175de0c0b50e 100644 --- a/drivers/devfreq/governor_userspace.c +++ b/drivers/devfreq/governor_userspace.c @@ -9,6 +9,7 @@ #include #include #include +#include #include #include #include @@ -39,10 +40,13 @@ static ssize_t set_freq_store(struct device *dev, struct device_attribute *attr, unsigned long wanted; int err = 0; + err = kstrtoul(buf, 0, &wanted); + if (err) + return err; + mutex_lock(&devfreq->lock); data = devfreq->governor_data; - sscanf(buf, "%lu", &wanted); data->user_frequency = wanted; data->valid = true; err = update_devfreq(devfreq); -- 2.39.5