[PATCH] mtd: spi-nor: debugfs: fix out-of-bounds read in spi_nor_params_show()

[PATCH] mtd: spi-nor: debugfs: fix out-of-bounds read in spi_nor_params_show()

[Tudor Ambarus]

Sashiko noticed an out-of-bounds read [1].

In spi_nor_params_show(), the snor_f_names array is passed to
spi_nor_print_flags() using sizeof(snor_f_names).

Since snor_f_names is an array of pointers, sizeof() returns the total
number of bytes occupied by the pointers
	(element_count * sizeof(void *))
rather than the element count itself. On 64-bit systems, this makes the
passed length 8x larger than intended.

Inside spi_nor_print_flags(), the 'names_len' argument is used to
bounds-check the 'names' array access. An out-of-bounds read occurs
if a flag bit is set that exceeds the array's actual element count
but is within the inflated byte-size count.

Correct this by using ARRAY_SIZE() to pass the actual number of
string pointers in the array.

Cc: stable@vger.kernel.org
Fixes: 0257be79fc4a ("mtd: spi-nor: expose internal parameters via debugfs")
Closes: https://sashiko.dev/#/patchset/20260417-die-erase-fix-v2-1-73bb7004ebad%40infineon.com [1]
Signed-off-by: Tudor Ambarus <tudor.ambarus@linaro.org>
---
We shall assign a CVE to this. I'll look into how next week.

Link: https://lore.kernel.org/linux-mtd/20260417-die-erase-fix-v2-1-73bb7004ebad@infineon.com/
---
 drivers/mtd/spi-nor/debugfs.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/drivers/mtd/spi-nor/debugfs.c b/drivers/mtd/spi-nor/debugfs.c
index fa6956144d2e..14ba1680c315 100644
--- a/drivers/mtd/spi-nor/debugfs.c
+++ b/drivers/mtd/spi-nor/debugfs.c
@@ -1,5 +1,6 @@
 // SPDX-License-Identifier: GPL-2.0
 
+#include <linux/array_size.h>
 #include <linux/debugfs.h>
 #include <linux/mtd/spi-nor.h>
 #include <linux/spi/spi.h>
@@ -92,7 +93,8 @@ static int spi_nor_params_show(struct seq_file *s, void *data)
 	seq_printf(s, "address nbytes\t%u\n", nor->addr_nbytes);
 
 	seq_puts(s, "flags\t\t");
-	spi_nor_print_flags(s, nor->flags, snor_f_names, sizeof(snor_f_names));
+	spi_nor_print_flags(s, nor->flags, snor_f_names,
+			    ARRAY_SIZE(snor_f_names));
 	seq_puts(s, "\n");
 
 	seq_puts(s, "\nopcodes\n");

---
base-commit: 43cfbdda5af60ffc6272a7b8c5c37d1d0a181ca9
change-id: 20260417-fix-oob-read-spi-nor-25409b31d01a

Best regards,
-- 
Tudor Ambarus <tudor.ambarus@linaro.org>

Re: [PATCH] mtd: spi-nor: debugfs: fix out-of-bounds read in spi_nor_params_show()

[Miquel Raynal]

Hi Tudor,

On 17/04/2026 at 15:24:39 GMT, Tudor Ambarus <tudor.ambarus@linaro.org> wrote:

> Sashiko noticed an out-of-bounds read [1].

[...]

> Cc: stable@vger.kernel.org
> Fixes: 0257be79fc4a ("mtd: spi-nor: expose internal parameters via debugfs")
> Closes: https://sashiko.dev/#/patchset/20260417-die-erase-fix-v2-1-73bb7004ebad%40infineon.com [1]
> Signed-off-by: Tudor Ambarus <tudor.ambarus@linaro.org>
> ---
> We shall assign a CVE to this. I'll look into how next week.

They are assigned automatically to every fix, no?

If spi-nor folks want to ack, I might take it through an mtd/fixes PR.

Thanks,
Miquèl

Re: [PATCH] mtd: spi-nor: debugfs: fix out-of-bounds read in spi_nor_params_show()

[Pratyush Yadav]

On Tue, Apr 21 2026, Miquel Raynal wrote:

> Hi Tudor,
>
> On 17/04/2026 at 15:24:39 GMT, Tudor Ambarus <tudor.ambarus@linaro.org> wrote:
>
>> Sashiko noticed an out-of-bounds read [1].
>
> [...]
>
>> Cc: stable@vger.kernel.org
>> Fixes: 0257be79fc4a ("mtd: spi-nor: expose internal parameters via debugfs")
>> Closes: https://sashiko.dev/#/patchset/20260417-die-erase-fix-v2-1-73bb7004ebad%40infineon.com [1]
>> Signed-off-by: Tudor Ambarus <tudor.ambarus@linaro.org>
>> ---
>> We shall assign a CVE to this. I'll look into how next week.
>
> They are assigned automatically to every fix, no?
>
> If spi-nor folks want to ack, I might take it through an mtd/fixes PR.

Reviewed-by: Pratyush Yadav <pratyush@kernel.org>

Please do. Thanks!

-- 
Regards,
Pratyush Yadav

Re: [PATCH] mtd: spi-nor: debugfs: fix out-of-bounds read in spi_nor_params_show()

[Michael Walle]

[-- Attachment #1: Type: text/plain, Size: 1188 bytes --]

On Fri Apr 17, 2026 at 5:24 PM CEST, Tudor Ambarus wrote:
> Sashiko noticed an out-of-bounds read [1].
>
> In spi_nor_params_show(), the snor_f_names array is passed to
> spi_nor_print_flags() using sizeof(snor_f_names).
>
> Since snor_f_names is an array of pointers, sizeof() returns the total
> number of bytes occupied by the pointers
> 	(element_count * sizeof(void *))
> rather than the element count itself. On 64-bit systems, this makes the
> passed length 8x larger than intended.
>
> Inside spi_nor_print_flags(), the 'names_len' argument is used to
> bounds-check the 'names' array access. An out-of-bounds read occurs
> if a flag bit is set that exceeds the array's actual element count
> but is within the inflated byte-size count.
>
> Correct this by using ARRAY_SIZE() to pass the actual number of
> string pointers in the array.
>
> Cc: stable@vger.kernel.org
> Fixes: 0257be79fc4a ("mtd: spi-nor: expose internal parameters via debugfs")
> Closes: https://sashiko.dev/#/patchset/20260417-die-erase-fix-v2-1-73bb7004ebad%40infineon.com [1]
> Signed-off-by: Tudor Ambarus <tudor.ambarus@linaro.org>

Reviewed-by: Michael Walle <mwalle@kernel.org>

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 297 bytes --]

Re: [PATCH] mtd: spi-nor: debugfs: fix out-of-bounds read in spi_nor_params_show()

[Tudor Ambarus]

On 4/21/26 10:35 AM, Miquel Raynal wrote:
>> We shall assign a CVE to this. I'll look into how next week.
> They are assigned automatically to every fix, no?

Indeed, it seems there's a dedicated team assigning CVEs to
security bugs, I didn't know:
https://docs.kernel.org/process/cve.html

Cheers,
ta

RE: [PATCH] mtd: spi-nor: debugfs: fix out-of-bounds read in spi_nor_params_show()

[Takahiro.Kuwano]

> Sashiko noticed an out-of-bounds read [1].
> 
> In spi_nor_params_show(), the snor_f_names array is passed to
> spi_nor_print_flags() using sizeof(snor_f_names).
> 
> Since snor_f_names is an array of pointers, sizeof() returns the total
> number of bytes occupied by the pointers
>         (element_count * sizeof(void *))
> rather than the element count itself. On 64-bit systems, this makes the
> passed length 8x larger than intended.
> 
> Inside spi_nor_print_flags(), the 'names_len' argument is used to
> bounds-check the 'names' array access. An out-of-bounds read occurs
> if a flag bit is set that exceeds the array's actual element count
> but is within the inflated byte-size count.
> 
> Correct this by using ARRAY_SIZE() to pass the actual number of
> string pointers in the array.
> 
> Cc: stable@vger.kernel.org
> Fixes: 0257be79fc4a ("mtd: spi-nor: expose internal parameters via debugfs")
> Closes: https://sashiko.dev/#/patchset/20260417-die-erase-fix-v2-1-73bb7004ebad%40infineon.com [1]
> Signed-off-by: Tudor Ambarus <tudor.ambarus@linaro.org>

Reviewed-by: Takahiro Kuwano <takahiro.kuwano@infineon.com>