[PATCH] xtensa: simdisk: add input size check in proc_write

stable.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

* [PATCH] xtensa: simdisk: add input size check in proc_write_simdisk
@ 2025-08-29  8:30 Miaoqian Lin
  2025-09-01  9:20 ` Max Filippov
  0 siblings, 1 reply; 2+ messages in thread
From: Miaoqian Lin @ 2025-08-29  8:30 UTC (permalink / raw)
  To: chris, jcmvbkbc, linmq006, thorsten.blum, viro; +Cc: linux-kernel, stable

A malicious user could pass an arbitrarily bad value
to memdup_user_nul(), potentially causing kernel crash.

This follows the same pattern as commit ee76746387f6
("netdevsim: prevent bad user input in nsim_dev_health_break_write()")

Fixes: b6c7e873daf7 ("xtensa: ISS: add host file-based simulated disk")
Fixes: 16e5c1fc3604 ("convert a bunch of open-coded instances of memdup_user_nul()")
Cc: stable@vger.kernel.org
Signed-off-by: Miaoqian Lin <linmq006@gmail.com>
---
 arch/xtensa/platforms/iss/simdisk.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/arch/xtensa/platforms/iss/simdisk.c b/arch/xtensa/platforms/iss/simdisk.c
index 6ed009318d24..3cafc8feddee 100644
--- a/arch/xtensa/platforms/iss/simdisk.c
+++ b/arch/xtensa/platforms/iss/simdisk.c
@@ -231,10 +231,14 @@ static ssize_t proc_read_simdisk(struct file *file, char __user *buf,
 static ssize_t proc_write_simdisk(struct file *file, const char __user *buf,
 			size_t count, loff_t *ppos)
 {
-	char *tmp = memdup_user_nul(buf, count);
+	char *tmp;
 	struct simdisk *dev = pde_data(file_inode(file));
 	int err;
 
+	if (count == 0 || count > PAGE_SIZE)
+		return -EINVAL;
+
+	tmp = memdup_user_nul(buf, count);
 	if (IS_ERR(tmp))
 		return PTR_ERR(tmp);
 
-- 
2.35.1


^ permalink raw reply related	[flat|nested] 2+ messages in thread

* Re: [PATCH] xtensa: simdisk: add input size check in proc_write_simdisk
  2025-08-29  8:30 [PATCH] xtensa: simdisk: add input size check in proc_write_simdisk Miaoqian Lin
@ 2025-09-01  9:20 ` Max Filippov
  0 siblings, 0 replies; 2+ messages in thread
From: Max Filippov @ 2025-09-01  9:20 UTC (permalink / raw)
  To: Miaoqian Lin; +Cc: chris, thorsten.blum, viro, linux-kernel, stable

On Fri, Aug 29, 2025 at 1:30 AM Miaoqian Lin <linmq006@gmail.com> wrote:
>
> A malicious user could pass an arbitrarily bad value
> to memdup_user_nul(), potentially causing kernel crash.
>
> This follows the same pattern as commit ee76746387f6
> ("netdevsim: prevent bad user input in nsim_dev_health_break_write()")
>
> Fixes: b6c7e873daf7 ("xtensa: ISS: add host file-based simulated disk")
> Fixes: 16e5c1fc3604 ("convert a bunch of open-coded instances of memdup_user_nul()")
> Cc: stable@vger.kernel.org
> Signed-off-by: Miaoqian Lin <linmq006@gmail.com>
> ---
>  arch/xtensa/platforms/iss/simdisk.c | 6 +++++-
>  1 file changed, 5 insertions(+), 1 deletion(-)

Thanks. Applied to my xtensa tree.

-- Max

^ permalink raw reply	[flat|nested] 2+ messages in thread

end of thread, other threads:[~2025-09-01  9:20 UTC | newest]

Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2025-08-29  8:30 [PATCH] xtensa: simdisk: add input size check in proc_write_simdisk Miaoqian Lin
2025-09-01  9:20 ` Max Filippov

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).