iio: fix potential out-of-bound write

[ Upstream commit 16285a0931869baa618b1f5d304e1e9d090470a8 ]

The buffer is set to 20 characters. If a caller write more characters,
count is truncated to the max available space in "simple_write_to_buffer".
To protect from OoB access, check that the input size fit into buffer and
add a zero terminator after copy to the end of the copied data.

Fixes: 6d5dd486c715 iio: core: make use of simple_write_to_buffer()
Signed-off-by: Markus Burri <markus.burri@mt.com>
Link: https://patch.msgid.link/20250508130612.82270-4-markus.burri@mt.com
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>

diff --git a/drivers/iio/industrialio-core.c b/drivers/iio/industrialio-core.c
index b9f4113ae5fc3ee1ef76be6808cc437286690dae..ebf17ea5a5f93252596c3f4068eeaa03cf6b12f3 100644 (file)
--- a/drivers/iio/industrialio-core.c
+++ b/drivers/iio/industrialio-core.c
@@ -410,12 +410,15 @@ static ssize_t iio_debugfs_write_reg(struct file *file,
        char buf[80];
        int ret;
 
+       if (count >= sizeof(buf))
+               return -EINVAL;
+
        ret = simple_write_to_buffer(buf, sizeof(buf) - 1, ppos, userbuf,
                                     count);
        if (ret < 0)
                return ret;
 
-       buf[count] = '\0';
+       buf[ret] = '\0';
 
        ret = sscanf(buf, "%i %i", &reg, &val);