From: Markus Burri <markus.burri@mt.com>
Date: Thu, 8 May 2025 13:06:09 +0000 (+0200)
Subject: iio: fix potential out-of-bound write
X-Git-Tag: v6.16-rc7~10^2~16^2~12
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=16285a0931869baa618b1f5d304e1e9d090470a8;p=thirdparty%2Fkernel%2Flinux.git

iio: fix potential out-of-bound write

The buffer is set to 20 characters. If a caller write more characters,
count is truncated to the max available space in "simple_write_to_buffer".
To protect from OoB access, check that the input size fit into buffer and
add a zero terminator after copy to the end of the copied data.

Fixes: 6d5dd486c715 iio: core: make use of simple_write_to_buffer()
Signed-off-by: Markus Burri <markus.burri@mt.com>
Link: https://patch.msgid.link/20250508130612.82270-4-markus.burri@mt.com
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
---

diff --git a/drivers/iio/industrialio-core.c b/drivers/iio/industrialio-core.c
index 178e99b111deb..5ffda104d4b29 100644
--- a/drivers/iio/industrialio-core.c
+++ b/drivers/iio/industrialio-core.c
@@ -411,12 +411,15 @@ static ssize_t iio_debugfs_write_reg(struct file *file,
 	char buf[80];
 	int ret;
 
+	if (count >= sizeof(buf))
+		return -EINVAL;
+
 	ret = simple_write_to_buffer(buf, sizeof(buf) - 1, ppos, userbuf,
 				     count);
 	if (ret < 0)
 		return ret;
 
-	buf[count] = '\0';
+	buf[ret] = '\0';
 
 	ret = sscanf(buf, "%i %i", &reg, &val);