[PATCH v4 5/6] powerpc/eeh: fix potential OoB
Mahesh J Salgaonkar
mahesh at linux.ibm.com
Tue May 20 03:16:32 UTC 2025
On 2025-05-08 15:06:11 Thu, Markus Burri wrote:
> The buffer is set to 20 characters. If a caller write more characters,
> count is truncated to the max available space in "simple_write_to_buffer".
> To protect from OoB access, check that the input size fit into buffer and
> add a zero terminator after copy to the end of the copied data.
>
> Signed-off-by: Markus Burri <markus.burri at mt.com>
Thanks for the fix.
Acked-by: Mahesh Salgaonkar <mahesh at linux.ibm.com>
Thanks,
-Mahesh.
> ---
> arch/powerpc/kernel/eeh.c | 7 ++++++-
> 1 file changed, 6 insertions(+), 1 deletion(-)
>
> diff --git a/arch/powerpc/kernel/eeh.c b/arch/powerpc/kernel/eeh.c
> index 83fe99861eb1..92ef05d3678d 100644
> --- a/arch/powerpc/kernel/eeh.c
> +++ b/arch/powerpc/kernel/eeh.c
> @@ -1734,10 +1734,15 @@ static ssize_t eeh_force_recover_write(struct file *filp,
> char buf[20];
> int ret;
>
> - ret = simple_write_to_buffer(buf, sizeof(buf), ppos, user_buf, count);
> + if (count >= sizeof(buf))
> + return -EINVAL;
> +
> + ret = simple_write_to_buffer(buf, sizeof(buf) - 1, ppos, user_buf, count);
> if (!ret)
> return -EFAULT;
>
> + buf[ret] = '\0';
> +
> /*
> * When PE is NULL the event is a "special" event. Rather than
> * recovering a specific PE it forces the EEH core to scan for failed
> --
> 2.39.5
>
>
--
Mahesh J Salgaonkar
More information about the dri-devel
mailing list