]> git.ipfire.org Git - thirdparty/kernel/linux.git/commitdiff
projects / thirdparty / kernel / linux.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: da93748)
iio: fix potential out-of-bound write
authorMarkus Burri <markus.burri@mt.com>
Thu, 8 May 2025 13:06:09 +0000 (15:06 +0200)
committerJonathan Cameron <Jonathan.Cameron@huawei.com>
Mon, 9 Jun 2025 06:45:19 +0000 (07:45 +0100)
The buffer is set to 20 characters. If a caller write more characters,
count is truncated to the max available space in "simple_write_to_buffer".
To protect from OoB access, check that the input size fit into buffer and
add a zero terminator after copy to the end of the copied data.

Fixes: 6d5dd486c715 iio: core: make use of simple_write_to_buffer()
Signed-off-by: Markus Burri <markus.burri@mt.com>
Link: https://patch.msgid.link/20250508130612.82270-4-markus.burri@mt.com
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
drivers/iio/industrialio-core.c patch | blob | blame | history

diff --git a/drivers/iio/industrialio-core.c b/drivers/iio/industrialio-core.c
index 178e99b111debc59a247fcc3a6037e429db3bebf..5ffda104d4b292ce3499c0b2a052044ea2bfc403 100644 (file)
--- a/drivers/iio/industrialio-core.c
+++ b/drivers/iio/industrialio-core.c
@@ -411,12 +411,15 @@ static ssize_t iio_debugfs_write_reg(struct file *file,
        char buf[80];
        int ret;
 
+       if (count >= sizeof(buf))
+               return -EINVAL;
+
        ret = simple_write_to_buffer(buf, sizeof(buf) - 1, ppos, userbuf,
                                     count);
        if (ret < 0)
                return ret;
 
-       buf[count] = '\0';
+       buf[ret] = '\0';
 
        ret = sscanf(buf, "%i %i", &reg, &val);
 
A mirror of Linus' kernel repository